There is a code injection vulnerability in the handling of delivery limitations which allows arbitrary code execution for a subset of registered users. This vulnerability is already being actively exploited (I discovered it upon investigating an intrusion into an ad server). This change fixes it.
Not surprisingly, OpenX 2.8.11 is affected by this vulnerability as well. The fix can be easily adapted for OpenX (see http://www.kreativrauschen.com/blog/2013/09/11/zero-day-vulnerability-in-openx-2-8-11/ for the OpenX code).
I do not want to publish an explicit proof-of-concept exploit (even though it is already being exploited we do not need to make it too easy for the bad guys ^_^), but maintainers of the master repository can contact me privately if they need more information about how to exploit the vulnerability.
Escape function arguments in compiled delivery limitations to prevent involuntary code injection.
Can you please email reproduction steps to me? revive at revive-adserver dot com. Thank you, and I will look at this for the 3.0.0 release.
Confirmed. Note that this exploit can only be used by someone who has access to the Revive Adserver UI with an account - it does not allow access to Revive Adserver or the underlying system for external users without an account.
Fix verified and will merge. Will also add an additional fix that prevents previously created exploits already in place from being executed.
Thank you @florian-sander for the report & the fix.
You're welcome. Thanks for the quick reaction, it has been a pleasure.
Additional security fix related to PR #91 that will prevent execution of any injected code.
Added delivery log warning about possible delivery limitations issue, see #91
Reverted delivery engine changes re: delivery limitation injection attack, due to performance and accuracy concerns - possible breaches will be addressed separately. #91
My organization has exposed that our openx server has been compromised using similar vectors to what has been described here: we have detected 2 php web shells that have been somehow uploaded to the server, in addition to modification of oxCacheFile.delivery.php in a way that tampers with contents of cache causing users to be presented with malicious content instead of legitimate ads.
We use version 2.8.7 of OPENX. We have no idea how the attacker was able to create these shells and modify the cache file content, but we are investigating this right now.
Considering your familiarity with OPENX vulnerabilities, is there any information you can provide that may help us with forensics and making sure that the risk has been eliminated?
In the long term we plan to upgrade to a newer version but as part of our incident response we need some solutions for the long run.
Any help/reference you can provide will be greatly appreciated.
Of course if you will be able to help I will be more than happy to provide any information required regarding my organization's openx usage and what we've found so far as part of our forensics efforts.
The fact that you have found this code on your server doesn't necessarily mean that there is a vulnerability in the current version. Unfortunately, many hacks that have been investigated turn out to originate from a vulnerability in a much older version.
Please study http://www.revive-adserver.com/security/.
I would like to strongly recommend upgrading to Revive Adserver v3.1; the version of the software you are using has multiple known security vulnerabilities.
In addition, I would like to recommend changing all passwords for all users on the server involved, especially the one used by the system administrator. I also recommend that you protect your www/admin and www/api folder using a .htaccess file.
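One way to carry out the .htaccess recommendation above, as an added example that is not part of this thread or of the Revive Adserver project: a second authentication layer in front of www/admin (and, with the same contents, www/api), which matters here because the injection in #91 is only reachable by a logged-in UI account. It assumes Apache 2.4 with AllowOverride AuthConfig and Limit enabled for these directories; the htpasswd path and the IP range are placeholders.

```apache
# Added example .htaccess for Revive Adserver's www/admin directory.
# Assumes Apache 2.4 and AllowOverride AuthConfig Limit for this directory.

# HTTP Basic authentication in front of the application's own login, so a
# stolen or weak application password alone no longer reaches the UI.
# Placeholder path: keep the htpasswd file outside the web root and
# create it with the htpasswd(1) utility.
AuthType Basic
AuthName "Revive Adserver administration"
AuthUserFile /etc/revive/admin.htpasswd

# Both conditions must hold: a valid htpasswd user AND a source address
# from the administrators' network. Placeholder range (RFC 5737 TEST-NET-1);
# remove the Require ip line if administrators connect from changing addresses.
<RequireAll>
    Require valid-user
    Require ip 192.0.2.0/24
</RequireAll>
```

If the same file is placed in www/api, any script that calls the API must send the extra Basic credentials as well.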