Executing arbitrary PHP code on OpenX <= 2.8.1

2009-11-25T00:00:00
ID SECURITYVULNS:DOC:22826
Type securityvulns
Reporter Securityvulns
Modified 2009-11-25T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

Hi,

OpenX adserver version 2.8.1 and lower is vulnerable to remote code execution. To be exploited, this vulnerability requires banner / file upload permissions, such as granted to the 'advertiser' and 'administrator' roles.

This vulnerability is caused by the (insecure) file upload mechanism of affected OpenX versions. These would check magic bytes of an uploaded file to determine its MIME type, and erroneously assume this information to be reliable. Additionally, while the file name of uploaded files is changed, the file extension is not.

As such, it is possible to upload image files with embedded PHP code and .php file extension. Unless PHP script execution is explicitly prevented for the file upload location (which has not been documented in the OpenX manual so far and it is not the result of a default installation), the PHP code will execute as soon as HTTP access to the file location will cause it to be executed by the web server.

To clarify, an attacker exploiting this security issue does require prior access to OpenX, i.e. exploitation is only possible after successful authentication. On the other hand, advertiser access is a rather low permission level and should not allow for system access.

If these bugs were not hidden from OpenX' bug tracker, you could read up more about issue X-5747 here: https://developer.openx.org/jira/browse/OX/fixforversion/10910

OpenX 2.8.2 has already been released in October to fix this issue and can be downloaded from http://www.openx.org/ad-server/download

Moritz Naumann Naumann IT Security Consulting Berlin, Germany

http://www.moritz-naumann.com/

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREKAAYFAksLvToACgkQn6GkvSd/BgxufgCfb27dD4mvPfnOa6YEthKNRzrm C7YAnieGtdnqtzBO28zThXHHy/WnCeHG =3R3Y -----END PGP SIGNATURE-----