News: OpenX Ad Server v2.8.7 released

Editor’s note: this is a post by guest blogger Erik Geurts

A new version of the OpenX Ad Server software has been released. This version 2.8.7 fixes a very serious security issue. According to the announcement on the OpenX blog:

there is a vulnerability in the 2.8 downloadable version of OpenX that can result in a server running the downloaded version of OpenX being compromised.

The issue stems from the Video Ads plugin for OpenX, which in turn uses an open source third party component called Open Flash Charts (OFC) to display graphs about video ad performance. There was a security issue with OFC which has now been fixed.

In addition, the upgrade notification inside the OpenX management pages has this information:

If you recently upgraded to version 2.8.6, you can simply install an upgraded video ad plug-in available [here] or remove the following file: admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php from your installation.

This is the second update in less than a week, which might sound alarming. On the other hand, there will always be bugs and security vulnerabilities in software, and it is better to have them fixed than left in place.

Besides this fix for the security issue that was uncovered, there is also a seemingly small functional change in this new version:

For users in the UK, all market interfaces now reflect your participation in Orange Ad Market, and all Orange Ad Market market monetary values are in GBP.

Since both the OpenX main website and the OpenX blog appear to be down at the time I’m writing this, I can’t give you any more information than what I included above.

What does still seem to work at the moment is the download link at http://download.openx.org/openx-2.8.7.zip.

OpenX Statistics as Graphs plugin updated (v1.0.3)

The team at AdserverPlugins.com is releasing an update of the free Statistics as Graphs plugin for the OpenX Ad Server. This version 1.0.3 is available for download right now.

This is a security fix release that takes care of one issue:

  • A vulnerability has been discovered in the third-party open source graphing component Open Flash Charts that is used by this plugin to draw the graphs.

As always with security fix releases, it is crucial to upgrade to the newest version as soon as possible.
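Both the 2.8.7 upgrade notice above (remove admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php) and the Statistics as Graphs update come down to the same Open Flash Charts upload script. As an added check that is not part of either announcement, here is a small POSIX shell script that searches an OpenX installation tree for that file and reports or removes every copy. It assumes the Statistics as Graphs plugin bundles the same OFC component under its own plugin directory (the page names only the Video Ads plugin path), which is why it searches by file name rather than one fixed path; the constructed test directory below is an assumption too.

```shell
#!/bin/sh
# Added example (not code from OpenX or AdserverPlugins.com): find the Open
# Flash Charts upload script that the OpenX 2.8.7 upgrade notice tells you to
# remove, wherever it sits under an installation root.
# Assumption: other plugins (e.g. Statistics as Graphs) may ship their own
# copy of OFC, so search by file name instead of the single documented path.

OFC_FILE="ofc_upload_image.php"

# Print every copy of the OFC upload script below $1.
# Returns 0 if none is found, 1 if at least one exists (usable from cron),
# 2 if $1 is not a directory.
scan_ofc_upload() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    hits=$(find "$root" -type f -name "$OFC_FILE")
    if [ -z "$hits" ]; then
        echo "OK: no $OFC_FILE under $root"
        return 0
    fi
    printf 'FOUND vulnerable OFC upload script (remove or upgrade the plugin):\n%s\n' "$hits"
    return 1
}

# Delete every copy below $1, printing each path removed so the change is logged.
remove_ofc_upload() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type f -name "$OFC_FILE" -print -exec rm -f {} \;
}

# Usage: sh ofc_check.sh /path/to/openx          (report only)
#        sh ofc_check.sh /path/to/openx --remove (report and delete)
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--remove" ]; then
        remove_ofc_upload "$1"
    else
        scan_ofc_upload "$1"
    fi
fi
```

Run the report mode first and keep its output; only use --remove once you have confirmed the listed paths belong to the OFC component and not to something else that happens to share the name. The non-zero exit status in report mode makes the script usable as a recurring check after future plugin installs.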

Tip #39: OpenX plugin path in upgrades

If you are running OpenX 2.8.0 or greater, and you upgrade, you will now be asked for the path to the old OpenX ad server installation directory. This is so that OpenX can copy over the files from the plugins that you had installed in your previous installation¹.

This means there are two things you must now remember to do when upgrading your OpenX ad server:

  1. You must remember to keep a copy of your old OpenX ad server installation code on your server, so that you can specify its location when upgrading; and
  2. You must know how to specify the location of your old OpenX ad server installation, when performing the upgrade.

The correct format for the path to your old OpenX ad server installation is to use the full directory path. For example, if you were upgrading to OpenX 2.8.3 from OpenX 2.8.2, and you have your previous OpenX 2.8.2 code directory in “/var/www/html/openx-2.8.2/”, then this would be the full directory path that you specify during the upgrade.

[Screenshot: Specifying the full path to the previous OpenX installation.]

¹ For example, you may have the excellent OpenX Statistics as Graphs plugin installed.
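The two things to remember from this tip (keep the old code on the server, and hand the upgrader a full directory path) can be checked from a shell before you start the upgrade. The following is an added example, not part of OpenX's upgrade code: it turns a relative path, a trailing slash or a symlinked directory into the canonical full path the upgrader expects, and refuses to proceed if the "old" and "new" paths turn out to be the same directory, which would mean the previous code was overwritten rather than kept. The directory names used in the test are constructed.

```shell
#!/bin/sh
# Added example (not OpenX's own code): produce the full directory path of the
# previous OpenX installation, as the upgrader asks for it, and sanity-check it.

# Print the canonical full path of $1 with relative components, trailing
# slashes and symlinks resolved. Returns 1 if $1 is not an existing directory.
full_openx_path() {
    p="$1"
    [ -d "$p" ] || { echo "not a directory: $p" >&2; return 1; }
    (cd "$p" && pwd -P)
}

# Resolve both the old and the new installation directories and make sure
# they are distinct, so the old code really has been kept alongside the new
# one (step 1 of the tip). Prints the full old path on success.
check_upgrade_paths() {
    old=$(full_openx_path "$1") || return 1
    new=$(full_openx_path "$2") || return 1
    if [ "$old" = "$new" ]; then
        echo "old and new installations resolve to the same directory: $old" >&2
        return 1
    fi
    echo "$old"
}

# Usage: sh upgrade_paths.sh /var/www/html/openx-2.8.2/ /var/www/html/openx-2.8.3
# Prints e.g. /var/www/html/openx-2.8.2, which is what to enter at the prompt.
if [ "$#" -eq 2 ]; then
    check_upgrade_paths "$1" "$2"
fi
```

The output is exactly what you type into the upgrade dialog; because symlinks are resolved, it also matches what the upgrader's file copy will actually read.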

News: Security vulnerability in OpenX 2.8.2

OpenX have announced a security vulnerability in version 2.8.2 of the OpenX ad server.

If you are running OpenX 2.8.2, you should immediately update to OpenX 2.8.3, or follow the instructions from OpenX to remove the vulnerable files from your OpenX ad server installation.

News: Security vulnerability in OpenX 2.8.1 and earlier

OpenX 2.8.2 was released a while ago now, and the release notes stated that:

We have completed a number of critical security updates to the ad server in OpenX 2.8.2 to reduce any potential vulnerabilities in the software.

However, it seems that the situation is more serious than this: in the past week, an actual remote code execution vulnerability has been announced as affecting OpenX 2.8.1 and earlier.

Admittedly, based on the vulnerability report, it would appear that this remote code execution can only be triggered if you (or someone with access to your OpenX installation) upload an image banner whose file name has a .php extension and which contains embedded PHP code. If you are careful about what you upload as banners into your OpenX installation, it seems unlikely that you would be vulnerable.

Still, if you have not yet upgraded to the latest version of OpenX, you would be wise to consider doing so!
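Since the report described above hinges on a banner file being stored under a .php name, a quick way to check whether an installation that has not yet been upgraded is already carrying such a file is to scan the banner directory for names the web server would hand to PHP. The script below is an added example, not from OpenX or the vulnerability report: the location of the uploaded banners (OPENX_IMAGES_DIR) is an assumption you must set for your own installation, as this page does not name it, and the extension list is a typical PHP handler configuration rather than something taken from OpenX documentation.

```shell
#!/bin/sh
# Added example (not OpenX code): list uploaded banner files whose names would
# be executed as PHP by a typical web server configuration. Expected result on
# a clean installation: nothing listed, exit status 0.

# Assumption: extensions the web server's PHP handler claims. Adjust to match
# your own handler configuration.
PHP_EXTENSIONS="php phtml php3 php4 php5"

# Print every file under $1 with a PHP-handled extension (case-insensitive).
# Returns 0 when none is found, 1 when at least one is, 2 if $1 is not a directory.
find_php_banners() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=0
    for ext in $PHP_EXTENSIONS; do
        hits=$(find "$dir" -type f -iname "*.$ext")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return $found
}

# Usage: OPENX_IMAGES_DIR=/path/to/openx/banner-images sh banner_check.sh
# (OPENX_IMAGES_DIR is an assumed variable name; point it at your banner store.)
if [ -n "${OPENX_IMAGES_DIR:-}" ]; then
    if find_php_banners "$OPENX_IMAGES_DIR"; then
        echo "OK: no PHP-named files under $OPENX_IMAGES_DIR"
    fi
fi
```

Any file this lists deserves a look at who uploaded it and when, using the OpenX banner records and the web server's access log. The scan only tells you about names already on disk; the lasting fix is to upgrade as the post says, and, independently of that, to have the web server refuse to execute scripts from the banner directory at all so that the accepted file name no longer matters.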