Main Archive Page > Month Archives  > full-disclosure-uk archives

[Full-disclosure] [OPENX-SA-2009-001] OpenX 2.4.10 and 2.6.4 fix multiple vulnerabilities

From: Matteo Beccati <php_at_nospam>
Date: Fri Jan 30 2009 - 09:27:20 GMT
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk

---

OpenX security advisory OPENX-SA-2009-001 ------------------------------------------------------------------------ Advisory ID: OPENX-SA-2009-001 Date: 2009-Jan-30 Security risk: Moderately critical Applications affetced: OpenX Versions affected: <= 2.4.9, <= 2.6.3 Versions not affected: >= 2.4.10, >= 2.6.4

---

---

Multiple vulnerabilities: XSS, SQL inection, directory traversal

---

Description

---

A security review of OpenX 2.6.3 was recently being conducted on Openx 2.6.3 by Sarid Harper on behalf of Secunia and reported to us. One of the vulnerabilities was also independently discovered by Charlie Briggs and disclosed on milw0rm.com, forcing Secunia to publish the research results before our fix releases were ready.

The review contains a list of 22 items for multiple vulnerabilities ranging from XSS to SQL injection to directory traversal. Some are only exploitable by authenticated users, others can be conducted by unauthenticated users.

All the the items were fixed in OpenX 2.6 and backported to 2.4 when applicable. New versions of both OpenX 2.6 and 2.4 have been released.

Solution

---

• Upgrade to OpenX 2.4.10 or 2.6.4

References

---

• http://secunia.com/advisories/32197/
• http://www.milw0rm.com/exploits/7883
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0291

Timeline

---

2009-Jan-20: Secunia reported the security review results to OpenX 2009-Jan-20: OpenX started investigation and scheduled the fixes

             according to the company release plans 2009-Jan-26: the fc.php MAX_type vulnerability was independently

             discovered and disclosed 2009-Jan-27: an OpenX user reported the link to our forums 2009-Jan-27: Secunia was forced to disclose the entire review 2009-Jan-29: OpenX 2.4.10 and 2.6.4 were released by OpenX

Contact informations

---

The security contact for OpenX can be reached at: <security AT openx DOT org>

Best regards -- Matteo Beccati OpenX - http://www.openx.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

• This message: [ Message body ]
• Next message: hackthegov: "Re: [Full-disclosure] Security Psychology"
• Previous message: Jeremy Brown: "Re: [Full-disclosure] Hackery Channel 01-09-01-LOLZ: Cat Spoofing against Flow Control"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]