OpenX 2.6.4 multiple vulnerabilities

[Sandro Gauci <publists () enablesecurity com>]

__________________________________________________________________

   OpenX multiple vulnerabilities
__________________________________________________________________


An advisory by EnableSecurity in collaboration with Acunetix.

Advisory URL:
http://resources.enablesecurity.com/advisories/openx-2.6.4-multiple.txt

Version: OpenX 2.6.4 and older versions

Description:

OpenX is an online advertising web application written in PHP that
supports popular sites such as TechCrunch, SUN Microsystems and
Metacafe.

> From their website (openx.org):
"OpenX is a free, open source ad server that manages the selling and
delivery of your online advertising inventory. You can get OpenX as a
hosted service or as downloaded software."

Credits:

These vulnerabilities were discovered during testing of AcuSensor
Technology feature in Acunetix WVS.
We worked with the OpenX security team to have these security flaws
reported and fixed.
We would like to publicly thank the OpenX team for their prompt response!

__________________________________________________________________

Technical details:

The following vulnerabilities were identified:

Major issues:
  - SQL injection
  - Cross Site Scripting

Other issues:
  - Arbitrary File Deletion
  - CRLF injection



----------- Major issues -----------

::::: SQL vulnerabilities :::::

[[ Trigger: /adview.php ]]

Description:
The cookie "OAID" is not filtered when adview.php is accessed and used
directly to construct the SQL INSERT statement.

[[ Trigger: /www/delivery/tjs.php ]]

Description:
1. The cookie "OAID" is not filtered when adview.php is accessed and
used directly to construct the SQL INSERT statement.
2. The "referer" parameter in the GET request is also used in the SQL
statement and is another vector.



::::: XSS Vulnerabilities :::::

[[ Trigger: /www/admin/sso-accounts.php ]]

Description:
The "email" parameter in the POST data is simply printed out in the
html page, allowing injection of HTML i.e. XSS attacks.

----------- Possible issues -----------


::::: Arbitary file deletion :::::

[[ Trigger: /www/delivery/tjs.php ]]

Reason:
May not be easily exploitable but it does allow directories to be
traversed when deleting cache files.

Exploitation:
It does not seem to be exploitable on Linux, but might be exploitable
on Windows. On Linux the following path would not open:
/etc/../asdf/../passwd because "asdf" does not exist. However the
following works on Windows: C:\asdf\..\boot.ini, even if "asdf" does
not exist.


::::: CRLF Injection :::::

Reason:
It seems that the current version of PHP does not allow headers with
multiple lines, i.e ones that contain the carraige and return line
feed characters. Therefore OpenX does not appear to be exploitable.
However, the code does allow CRLF injection and this may be exposed in
some other way *(eg. old versions of PHP ?).

[[ Trigger: /adframe.php ]]

[[ Trigger: /adjs.php ]]

[[ Trigger: /www/delivery/tjs.php ]]


__________________________________________________________________

Demonstration:
http://www.youtube.com/watch?v=kiNeiMS2Iu0

Exploit code:
Available to organizations by contacting info () enablesecurity com

Timeline:

Feb 03, 2009: An email was sent to the security team at OpenX and PGP
keys exchanged
Feb 03, 2009: Sent report to OpenX team with full details
Feb 04, 2009: A patch was provided to us and we verified that the
patch fixes the reported issues
Apr 01, 2009: Co-ordinated information release

Solution:

Upgrade to the latest version of OpenX:
http://www.openx.org/ad-server/download

__________________________________________________________________

About EnableSecurity:

EnableSecurity is dedicated to providing high quality Information
Security Consultancy, Research and Development. EnableSecurity
develops security tools such as VOIPPACK (for Immunity CANVAS) and
SIPVicious. EnableSecurity is focused on analysis of security
challenges and providing solutions to such threats. EnableSecurity
works on developing custom targeted security solutions, as well as
working with existing off the shelf security tools to provide the best
results for their customers. More info at enablesecurity.com

About Acunetix:
Acunetix Web Vulnerability Scanner is a tool designed to discover
security holes in web applications that attackers could abuse to gain
access to a business' systems and data. With Acunetix WVS websites can
be regularly checked for vulnerabilities such as SQL injection and
Cross Site Scripting. The scanner ships with many innovative features
such as: AcuSensor Technology, automatic JavaScript analyzer, Visual
macro recorders and extensive reporting facilities, which include
various compliance reports.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information.
Use of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use of,
or reliance on, this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/