It is highly recommended to install this update as soon as possible, because it contains a number of security fixes.

There is no news about this new release on the OpenX community forums or blog, as of yet. The readme file that comes with the downloaded file does not contain any specific information as to the nature of the security issues that have been fixed. However, a quick comparison of the source code of version 2.8.7 and version 2.8.8 reveals that there are multiple changes in the API, which seems to match reports about the origins of many hacking incidents that occurred these past few months.

You can download OpenX Source version 2.8.8 from the OpenX website.

Update November 8, 2011: Since many people are asking me for tips on how to upgrade their OpenX Source software, I’d like to point to an blog post I published in November, 2010: How to upgrade OpenX Source Ad Server software.

Update December 2nd, 2011: Yesterday, a post has been added to the OpenX official company blog, officially announcing this security fix release. It also specifically mentions that the security fixes relate to issues found in OpenX Source version 2.8.7, which indicates that versions 2.8.6 and earlier are not affected. However, it is always a good idea to upgrade to the most recent version available. Read the post “Security matters” on the OpenX blog for more information.

The most recent and most severe issues all resulted from a security problem in a third party open source component named “Open Flash Charts 2″. This component is used in the Video Ads plugin that comes with OpenX v2.8.4 and higher. The problem has been corrected with the release of OpenX v2.8.7. Instead of performing a full upgrade, a much simpler task is to just upgrade the Video Ads plugin. If you run OpenX version 2.8.3, which doesn’t have the Video ads plugin, you will not be affected by this particular issue.

There is also a smaller but still significant issue in the OpenX core software. It affects all version of the OpenX v2.8 software, up to v2.8.5 and it is relatively easy to fix. The way to do that is outlined in an OpenX forum post. Applying this patch is not complicated, but it does require some skill in editing php software files.

You can find out which version of OpenX you have by looking at the source code of any page of your OpenX system, including the login page. The version number is displayed in line 4 of that source code.

To summarize the above:

• if you run OpenX v2.8.2 or older, an upgrade to version 2.8.3 would be recommended, including a patch for the security issue that was discovered in August.
• if you run OpenX v2.8.3, applying the security patch that was published in August should be sufficient.
• if you run OpenX v2.8.4 or higher, it would be smart to upgrade the Video Ads plugin, and apply the patch for the security issue, or to upgrade to OpenX v2.8.7.

OpenX Ad Server v2.8.7 released for download

A new version of the OpenX Ad Server software has been released. This version 2.8.7 fixes a very serious security issue. According to the announcement on the OpenX blog:

there is a vulnerability in the 2.8 downloadable version of OpenX that can result in a server running the downloaded version of OpenX being compromised.

The issue stems from the Video Ads plugin for OpenX, which in turn uses an open source third party component called Open Flash Charts (OFC) to display graphs about video ad performance. There was a security issue with OFC which has now been fixed.

In addition, the upgrade notification inside the OpenX management pages has this information:

If you recently upgraded to version 2.8.6, you can simply install an upgraded video ad plug-in available [here] or remove the following file: admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php from your installation.

This is the second update in less than 1 week, which might sound alarming. On the other hand, there will always be bugs and security vulnerabilities in software, and it’s better to have those fixed.

Besides this fix for the security issue that was uncovered, there is also a seemingly small functional change in this new version:

For users in the UK, all market interfaces now reflect your participation in Orange Ad Market, and all Orange Ad Market market monetary values are in GBP.

Since both the OpenX main website and the OpenX blog appear to be down at the time I’m writing this, I can’t give you any more information than what I included above.

What does still seem to work at the moment is the download link at http://download.openx.org/openx-2.8.7.zip.

This is a security fix release that takes care of one issue:

• A vulnerability has been discovered in the third-party open source graphing component Open Flash Charts that is used by this plugin to draw the graphs.

As always with security fix releases, it is crucial to upgrade to the newest version as soon as possible.

OpenX Ad Server v2.8.6 released for download

Just like in March 2010, a new version of the OpenX software has been released recently, but not a single byte of publicity has been devoted to it. No mention on the OpenX blog or on Twitter, nothing. Judging from the dates on the files in the download archive, the new release was completed on September 2nd of 2010, so almost a week ago.

This new version 2.8.6 seems to be mostly about the security issue that was found and fixed a few weeks ago. Back then, on August 12, a somewhat cryptic announcement was posted on the OpenX forums, informing people how to fix the security problem. That post also hinted at a new release that would be out soon.

The release notes file in the 2.8.6 archive points to the OpenX Developer site for more details, but the issue tracker for version 2.8.6 is still open and most issues in it are still marked as unresolved. And the version check inside the OpenX software doesn’t give any notifications about upgrade availability.

Altogether, this is a pretty strange situation. Obviously, it’s smart to upgrade to a new version as soon as it’s released, especially if the upgrade is about fixing security issues. On the other hand, what should we think about a release that is not announced in any way, shape or form?

Download the OpenX Community edition v2.8.6.

First symptoms: statistics disappeared

The first symptoms is that the statistics in OpenX disappear. I’ve seen reports of people mentioning this on the OpenX forums, and some people have also contacted me directly. Luckily, the statistics aren’t really gone from the database, and ad delivery continues to function without problem. This was confirmed when inspecting the database and looking at the tables that store the statistics.

Cause: hacks of old versions

While investigating one of these problematic OpenX installations, fellow OpenX consultant Matteo Beccati discovered that it had been attacked, abusing a vulnerability in OpenX v2.8.2 that has been fixed a long time ago. Unfortunately, not everyone has taken the time to upgrade yet, leaving their systems vulnerable to attacks like this one.

It was found that the attacker uses this security vulnerability to insert an additional administrator account. Next he uses this login to upgrade the OpenX plugin that takes care of the available banner types. The plugin he injects contains malicious code that creates a backdoor into the server. As a side effect, the attack creates some entries in the database, leading to the disappearance of the on-screen statistics.

From the logs that have been found, this appears to be an automated attack. The attacks that have been investigated are all originating from the same IP address.

Remedy: upgrade

For someone running OpenX v2.8.2 or older who hasn’t been infected yet, the best course of action is to upgrade to a more recent version of OpenX as soon as possible. If it takes a while to prepare and plan for this, then meanwhile I would recommend removing the install.php and install-plugins.php files in the ‘www/admin’ folder of your OpenX installation.

If a system has been attacked already, an upgrade is not going to fix this problem, since the modified plugin will be migrated to the new version, along with any changes in the database. This will have to be cleaned first.

Update

In later reports of the same kind of hack, the ‘missing statistics’ issue no longer occurred. It appears that the hacker has changed this element. However, the malicious code is still getting injected. The first time people notice problems is when their site or the ad server is reported as as containing malware by Google’s Safe Browsing program.

Not only OpenX v2.8.2 is vulnerable to this problem, the same applies to v2.8.0 and v2.8.1.

An emergency fix has been developed and released as OpenX Ad Server v2.8.3. The new version is available for immediate download at the OpenX website. The OpenX Blog provides background information and tips for security precautions.

Update April 13, 2010: it appears that an exploit for the vulnerability in OpenX v2.8.2 is making the rounds on the internet, infection these old versions with a back door and breaking the display of the on-screen statistics.