Update about security of OpenX software

Editor’s note: this is a post by guest blogger Erik Geurts

In recent weeks, many stories have been published about security issues regarding the OpenX Ad Server software. Please find below some additional information on the current situation regarding the security of the OpenX software.

The most recent and most severe issues all resulted from a security problem in a third party open source component named “Open Flash Charts 2”. This component is used in the Video Ads plugin that comes with OpenX v2.8.4 and higher. The problem has been corrected with the release of OpenX v2.8.7. Instead of performing a full upgrade, a much simpler task is to just upgrade the Video Ads plugin. If you run OpenX version 2.8.3, which doesn’t have the Video Ads plugin, you will not be affected by this particular issue.

There is also a smaller but still significant issue in the OpenX core software. It affects all versions of the OpenX v2.8 software up to v2.8.5, and it is relatively easy to fix. The way to do that is outlined in an OpenX forum post. Applying this patch is not complicated, but it does require some skill in editing PHP source files.

You can find out which version of OpenX you have by looking at the source code of any page of your OpenX system, including the login page. The version number is displayed in line 4 of that source code.

To summarize the above:

  • if you run OpenX v2.8.2 or older, an upgrade to version 2.8.3 would be recommended, including a patch for the security issue that was discovered in August.
  • if you run OpenX v2.8.3, applying the security patch that was published in August should be sufficient.
  • if you run OpenX v2.8.4 or higher, it would be smart to upgrade the Video Ads plugin, and apply the patch for the security issue, or to upgrade to OpenX v2.8.7.
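As an added example (not from this post or from OpenX), a small Python triage helper that applies the three version rules above, plus the file check from the 2.8.7 upgrade notice further down the page (presence of admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php). The install path and the version string are assumed inputs; the version is passed in as text rather than scraped from page source.

```python
import re
from pathlib import Path

# File named in the 2.8.7 upgrade notice as the one to remove if the
# Video Ads plugin is not upgraded (path relative to the OpenX install root).
OFC_UPLOAD = Path("admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php")


def parse_version(text):
    """Return (major, minor, patch) from text such as 'OpenX v2.8.5'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(p) for p in m.groups())


def recommend(version, ofc_upload_present=False):
    """Map an OpenX 2.8.x version to the advice given in the summary list.

    ofc_upload_present says whether ofc_upload_image.php still exists; the
    Video Ads plugin only ships from 2.8.4, so the file is ignored below that.
    Assumption: if the file is gone, the plugin was upgraded or the file removed.
    """
    v = parse_version(version)
    if v[:2] != (2, 8):
        return "not a 2.8 release: upgrade to OpenX 2.8.7"
    actions = []
    if v < (2, 8, 3):
        actions.append("upgrade to 2.8.3 and apply the August core patch")
    elif v <= (2, 8, 5):
        actions.append("apply the August core patch")
    if (2, 8, 4) <= v < (2, 8, 7) and ofc_upload_present:
        actions.append("ofc_upload_image.php still present: upgrade the "
                       "Video Ads plugin, remove the file, or upgrade to 2.8.7")
    return "; ".join(actions) if actions else "no action needed"


def check_install(root, version):
    """Triage one local OpenX install directory (root is an assumed path)."""
    present = (Path(root) / OFC_UPLOAD).is_file()
    return recommend(version, present)


if __name__ == "__main__":
    # Constructed sample: a 2.8.5 install that still has the upload script.
    print(recommend("OpenX v2.8.5", ofc_upload_present=True))
```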

News: OpenX Ad Server v2.8.7 released

Editor’s note: this is a post by guest blogger Erik Geurts

A new version of the OpenX Ad Server software has been released. This version 2.8.7 fixes a very serious security issue. According to the announcement on the OpenX blog:

there is a vulnerability in the 2.8 downloadable version of OpenX that can result in a server running the downloaded version of OpenX being compromised.

The issue stems from the Video Ads plugin for OpenX, which in turn uses an open source third party component called Open Flash Charts (OFC) to display graphs about video ad performance. There was a security issue with OFC which has now been fixed.

In addition, the upgrade notification inside the OpenX management pages has this information:

If you recently upgraded to version 2.8.6, you can simply install an upgraded video ad plug-in available [here] or remove the following file: admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php from your installation.

This is the second update in less than 1 week, which might sound alarming. On the other hand, there will always be bugs and security vulnerabilities in software, and it’s better to have those fixed.

Besides this fix for the security issue that was uncovered, there is also a seemingly small functional change in this new version:

For users in the UK, all market interfaces now reflect your participation in Orange Ad Market, and all Orange Ad Market market monetary values are in GBP.

Since both the OpenX main website and the OpenX blog appear to be down at the time I’m writing this, I can’t give you any more information than what I included above.

What does still seem to work at the moment is the download link at http://download.openx.org/openx-2.8.7.zip.

OpenX Statistics as Graphs plugin updated (v1.0.3)

The team at AdserverPlugins.com is releasing an update of the free Statistics as Graphs plugin for the OpenX Ad Server. This version 1.0.3 is available for download right now.

This is a security fix release that takes care of one issue:

  • A vulnerability has been discovered in the third-party open source graphing component Open Flash Charts that is used by this plugin to draw the graphs.

As always with security fix releases, it is crucial to upgrade to the newest version as soon as possible.

News: OpenX 2.8.6 released (or not?)

Editor’s note: this is a post by guest blogger Erik Geurts

Just like in March 2010, a new version of the OpenX software has been released recently, but not a single byte of publicity has been devoted to it. No mention on the OpenX blog or on Twitter, nothing. Judging from the dates on the files in the download archive, the new release was completed on September 2nd of 2010, so almost a week ago.

This new version 2.8.6 seems to be mostly about the security issue that was found and fixed a few weeks ago. Back then, on August 12, a somewhat cryptic announcement was posted on the OpenX forums, informing people how to fix the security problem. That post also hinted at a new release that would be out soon.

The release notes file in the 2.8.6 archive points to the OpenX Developer site for more details, but the issue tracker for version 2.8.6 is still open and most issues in it are still marked as unresolved. And the version check inside the OpenX software

Altogether, this is a pretty strange situation. Obviously, it’s smart to upgrade to a new version as soon as it’s released, especially if the upgrade is about fixing security issues. On the other hand, what should we think about a release that is not announced in any way, shape or form?

Download the OpenX Community edition v2.8.6.

Introducing: OpenXtips.com guest blogger Erik Geurts

Editor’s note: this is a guest blog by new contributor Erik Geurts

It has been a few months since The Guru has posted a tip or news item, and I decided to reach out to him and ask if I could help out. To make a long story short, I was offered the role of guest blogger here on OpenXtips.com, and this is my first post.

OpenX consultant and guest blogger Erik Geurts

Let me start by introducing myself. I have many years of experience using OpenX; I can’t remember exactly, but it must have been late 2003 or early 2004 when I started using it. What I do know is that I joined the OpenX Community Forums on May 23, 2004. Like many, I was searching for answers, but I found that I could also help others with their questions. I began getting requests for paid consulting work soon after, and this enabled me to start my own business as an OpenX consultant in 2008. The slightly longer version of this story can be read in a post on the OpenX company blog from May 2008.

Fast forward to the summer of 2010 and I’m still doing what I love, helping publishers, ad networks and advertisers with their OpenX Ad Server. Another part of my business is now to help people with the hosting of their OpenX systems, focusing on the European market for the moment. And last year I co-founded a project to kick start the development of plugins for OpenX Ad Server, with fellow OpenX consultant and expert Matteo Beccati.

Turning a hobby into a full time occupation and a growing business has been an amazing experience. It might look like it all went without effort, but let me assure you starting a business takes time, energy, dedication and perseverance. It’s all been worth it, in my book.

I’m planning to post some of my own tips here on OpenX Tips. I’ve got a few ideas already, but feel free to leave a comment with your suggestions.

Shameless plug: I’m hosting an OpenX Master Class on October 7, in Amsterdam (Netherlands). During this unique event, a group of experienced OpenX users will gather to discuss advanced features and use cases of the OpenX Ad Server software. I will be facilitating this event to make sure it will be an intense training course and a memorable experience. More information and a signup form are available on my site.