OpenX Source v2.8.9 released for download

Version 2.8.9 of OpenX Source has been released and is available for download immediately. This new release addresses a serious security vulnerability that has been discovered in version 2.8.8 and all earlier versions of the 2.8 branch. The new release was announced on the OpenX company blog, which also has extra information and a download link.

The issue being fixed in this release is known as a “cross site request forgery”. The successful hacks that we have investigated all followed the same pattern:

  • A legitimate administrator logged in on their own OpenX Source system, which usually results in displaying the “home” tab (also known as “dashboard”).
  • On the home tab, on the right hand side, there is an advertisement from, promoting products and services offered by OpenX such as the OpenX Market, OpenX Enterprise, consulting or support.
  • This advertisement is actually being delivered via the hosted version of OpenX Source, called OpenX OnRamp, and in some cases the ad being delivered came with some malicious code. It is not yet known how the hackers managed to get access to OpenX OnRamp enabling them to inject that malicious code in the dashboard ad.
  • When this malicious code runs, it will add another administrator user into the users table, and we believe it also reports back to some system operated by the hackers that a successful hack has been executed. Most of the times, the owner of the OpenX Source installation is completely unaware of the hack that has occurred.
  • Several days or sometimes even weeks later, the hackers then access the hacked OpenX Source installation directly, in almost all cases to upload altered or new plugins, enabling them to fully control this installation. They also make alterations to existing .htaccess files, giving them full access to directories that should normally be inaccessible for outsiders, and they disable the OpenX Source audit trail, thus making their actions impossible to follow and analyze afterwards.
    They then start to add malware to banners, which will in turn affect and infect the computers used by site visitors with malware, trojans, key loggers or other malicious software.

The best course of action is of course to upgrade to version 2.8.9 of OpenX Source immediately. Should this not be possible for whatever reason, the following precautions should be taken:

  • Stop logging in as an administrator user if you are just managing campaigns or looking at statistics.
  • Disable the display of the “dashboard” tab.
  • Lock down the admin directory of your OpenX installation by adding a .htaccess file that will only allow your own IP address to access the files in that directory.


Share this on:
  • Twitter
  • LinkedIn
  • Facebook
  • email
About Erik Geurts