FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenX -- SQL injection vulnerability

Affected packages
openx < 3.0.2

Details

VuXML ID 3e33a0bb-6b2f-11e3-b042-20cf30e32f6d
Discovery 2013-12-20
Entry 2013-12-22

Revive reports:

An SQL-injection vulnerability was recently discovered and reported to the Revive Adserver team by Florian Sander. The vulnerability is known to be already exploited to gain unauthorised access to the application using brute force mechanisms, however other kind of attacks might be possible and/or already in use. The risk is rated to be critical as the most common end goal of the attackers is to spread malware to the visitors of all the websites and ad networks that the ad server is being used on.

The vulnerability is also present and exploitable in OpenX Source 2.8.11 and earlier versions, potentially back to phpAdsNew 2.0.x.

[source]

References

CVE Name CVE-2013-7149
URL http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/
URL http://www.revive-adserver.com/security/revive-sa-2013-001/

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.