

OpenX Blog

Security Matters

by Mike Todd, Chief Technology Officer, on December 24th, 2009

It has been brought to our attention that there is a remote vulnerability in the 2.8.2 version of OpenX. We recommend that all users download 2.8.3, and update their systems or take action to resolve the issue.

We take security very seriously at OpenX and have worked very hard to make bug fixes and security patches available as soon as they are discovered. Thanks to a vibrant community of users, we were able to discover and roll out a fix very quickly. As with any web-administered software, we strongly suggest that you follow the best practice of limiting access to each part of your system to only those who need it. Likewise, private pages, such as the admin page, should be protected by robots.txt to prevent search engines from indexing them.

The updates mentioned above have also been corrected in our hosted products. As always, please let us know of any potential security problems by emailing security@openx.org.

26 Comments »

  1. OpenX Ad Server v2.8.3 released – Security Fix!…

    A security problem has been discovered in OpenX Ad Server v2.8.2, enabling anyone to log in as an Administrator. This is obviously a very serious problem, because it renders any OpenX Ad Server vulnerable.
    An emergency fix has been developed and relea…

    Trackback by OpenX Consultant Erik Geurts — December 24, 2009 @ 10:47 am

  2. Hi, what about v2.6.x? Does it need a security update? Not all users can switch to v2.8.x. I think v2.6.x is the last stable version; please release security updates for this version too :)

    Greetings.
    Sorry, my English is bad :(

    Comment by tuxsoul — December 24, 2009 @ 4:53 pm

  3. Sorry, I forgot to say: Merry Christmas to the OpenX team :)

    Comment by tuxsoul — December 24, 2009 @ 5:26 pm

  4. [...] OpenX: http://blog.openx.org/12/security-matters-2/ [...]

    Pingback by OpenX Authentication Bypass Security Issue « Bug-Blog — December 24, 2009 @ 5:40 pm

  5. At this point we are not finished looking at 2.6, but do not think it is vulnerable. We strongly recommend either upgrading or disallowing serving of install.php until we have confirmed it is no longer a problem.

    Comment by Mike Todd — December 24, 2009 @ 9:44 pm

  6. [...] Link: OpenX Blog » Security Matters [...]

    Pingback by OpenX Blog » Security Matters | Coder Online — December 25, 2009 @ 7:40 am

  7. The “big” security issue just fixed with 2.8.3 seems not to exist in 2.6.5, but there is at least one “known” possible SQL injection issue with 2.6.5. Administrators of 2.6.5 should restrict access rights to /www/admin until it is fixed (or upgrade to 2.8.3).

    Comment by Heiko Weber — December 25, 2009 @ 5:44 pm

  8. hello,
    thanks for fixing this issue.

    Comment by openxaddons — December 27, 2009 @ 3:04 pm

  9. Hello,

    Thank you for releasing a security fix so quickly.
    I wish you all at OpenX a happy year-ending and enjoyable holidays.

    Regards,
    Rui.

    Comment by Rui — January 4, 2010 @ 6:41 am

  10. Yes thanks for the quick fix. If only every company could sort their problems out as quickly as you guys the world would be a better place!

    Happy belated new year too!

    Comment by Joe — January 4, 2010 @ 11:24 pm

  11. Hi,

    My zones are getting deleted automatically. please help….

    Comment by Rikesh — January 6, 2010 @ 11:32 am

  12. You take the action to fix the issue very quickly…
    Thanks a lot

    Comment by joyas — January 6, 2010 @ 7:03 pm

  13. OpenX folders are still missing index.html files to block directory browsing. Oops.

    Comment by Den — January 6, 2010 @ 7:18 pm

  14. Is there a reason why 2.8.3 is not showing when I check for updates from the admin area?

    I am running 2.8.2.

    Comment by Goran Jurić — January 15, 2010 @ 12:06 am

  15. Thanks for the update; it’s good to know that you are constantly on the ball. Your software is a major reason for my success in the CPA marketing world; long may it continue. Thanks, nicho

    Comment by Cpa Marketing — January 19, 2010 @ 12:56 pm

  16. Site was defaced through this hack. Hacker found us through a Bing search.

    There is a Turkish hacker that is actively exploiting this to install a remote PHP shell and deface sites.

    Comment by JM — February 1, 2010 @ 9:31 pm

  17. [...] The guy changed my codes on banners, etc, which is why I noticed (check your logs in openX) OpenX Blog » Security Matters It’s a serious exploit that can allow anyone to login as an admin. If someone from affstorm is [...]

    Pingback by OpenX hacked... update if you have not! - Affiliate Guard Dog — March 2, 2010 @ 9:47 pm

  18. 1. Make sure to check for prepend and append codes in both the _banners and _zones tables.

    2. Also make sure to delete the contents of the /var/cache as the code can still be residing there.

    3. Delete or mv the www/admin/install.php and install-plugins.php files in versions 2.8.2 and prior.

    It would be nice if OpenX provided some information in one place on containing this problem should a site be hacked, like what tables, files, etc. to check. I’ve had to scour way too many links to find what I needed.

    Comment by Scampy Dog — March 21, 2010 @ 5:37 pm
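
Added example (not part of the comment above and not OpenX code): one way to carry out step 1 of that checklist, listing every non-empty prepend/append value in the banners and zones tables and flagging script or iframe markup for review. The `ox_` table prefix, the `bannerid`/`zoneid` key names, the in-memory SQLite stand-in and the sample rows are assumptions constructed for illustration; point the same query at your real database.

```python
import re
import sqlite3

# Markup worth a second look in prepend/append fields. A flag is a prompt for
# human review against what ad ops actually configured, not proof of tampering.
SUSPICIOUS = re.compile(r"<\s*(script|iframe)\b|document\.write|eval\s*\(", re.I)

def audit(conn, prefix="ox_"):
    """Return (table, row id, column, value, flagged) for each non-empty field."""
    if not re.fullmatch(r"\w*", prefix):  # prefix is interpolated into the SQL
        raise ValueError("unexpected table prefix")
    findings = []
    for table, key in (("banners", "bannerid"), ("zones", "zoneid")):
        sql = (f"SELECT {key}, prepend, append FROM {prefix}{table} "
               "WHERE COALESCE(prepend, '') <> '' OR COALESCE(append, '') <> '' "
               f"ORDER BY {key}")
        for row_id, prepend, append in conn.execute(sql):
            for column, value in (("prepend", prepend), ("append", append)):
                if value:
                    findings.append((table, row_id, column, value,
                                     bool(SUSPICIOUS.search(value))))
    return findings

def demo_db():
    """Constructed sample data standing in for a real OpenX database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
      CREATE TABLE ox_banners (bannerid INTEGER, prepend TEXT, append TEXT);
      CREATE TABLE ox_zones (zoneid INTEGER, prepend TEXT, append TEXT);
      INSERT INTO ox_banners VALUES (1, '', '');
      INSERT INTO ox_banners VALUES
        (2, '', '<iframe src="http://injected.example/" width="0"></iframe>');
      INSERT INTO ox_zones VALUES (10, '<!-- zone 10 -->', NULL);
      INSERT INTO ox_zones VALUES
        (11, '<script src="http://injected.example/a.js"></script>', '');
    """)
    return conn

if __name__ == "__main__":
    for table, row_id, column, value, flagged in audit(demo_db()):
        print("REVIEW" if flagged else "ok    ", table, row_id, column, value)
```

Unflagged values are still listed because any prepend/append content the site owner does not recognise deserves a look.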

  19. The security matters need to be taken very seriously today, why must people always ruin it for everyone?

    Comment by Caretaker 99 Pop Up Heads — April 5, 2010 @ 7:23 am

  20. How can I check in the log files, when this attack took place?

    Comment by isis — May 25, 2010 @ 12:56 pm

  21. I would also like to know how we check the log files

    Comment by solar power brisbane — June 15, 2010 @ 1:46 am
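
Added example (not part of the comments and not OpenX code): a log check for the question asked in comments 20 and 21, assuming that requests for the installer scripts named in comments 5 and 18 are the indicator to look for and that the web server writes the common Apache/nginx "combined" format. The sample lines are constructed and use documentation IP ranges.

```python
import re
from datetime import datetime

# Installer scripts that comments 5 and 18 say to block or remove. Matching on
# "/admin/..." also covers installs whose web root is the OpenX www/ directory.
INSTALLER = re.compile(r"/admin/install(-plugins)?\.php$")

# Apache/nginx "combined" access-log layout (assumed; adapt to your server).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def installer_hits(lines):
    """Return time-sorted (time, ip, method, path, status) installer requests."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or not INSTALLER.search(m["path"].split("?", 1)[0]):
            continue  # unparseable line, or not an installer request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, m["ip"], m["method"], m["path"], int(m["status"])))
    return sorted(hits)

def first_served(hits):
    """Earliest installer request answered with a 2xx status, or None."""
    served = [h for h in hits if 200 <= h[4] < 300]
    return served[0] if served else None

# Constructed sample lines (not real traffic).
SAMPLE = [
    '198.51.100.7 - - [02/Jan/2010:03:14:07 +0000] "GET /openx/www/admin/index.php HTTP/1.1" 200 5120',
    '203.0.113.45 - - [05/Jan/2010:11:02:33 +0000] "GET /openx/www/admin/install.php HTTP/1.1" 404 210',
    '203.0.113.45 - - [28/Dec/2009:22:41:10 +0000] "POST /openx/www/admin/install.php HTTP/1.1" 200 1833',
    '192.0.2.10 - - [06/Jan/2010:09:30:00 +0000] "GET /openx/www/admin/install-plugins.php HTTP/1.1" 403 199',
    'truncated or malformed line',
]

if __name__ == "__main__":
    hits = installer_hits(SAMPLE)
    for ts, ip, method, path, status in hits:
        print(ts.isoformat(), ip, method, path, status)
    print("first served:", first_served(hits))
```

A 2xx answer only shows that the installer script was served at that time; it bounds when to start looking, and the database and cache checks from comment 18 are still needed to confirm what changed.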

  22. sweetie bracelet

    Comment by channel jewelry — August 6, 2010 @ 9:39 am

  23. I asked a question here last week regarding the hacking and placement of unsolicited ads on my site, but cannot see it. Is it that someone is deleting mails that carry comments regarding the hacking and vulnerability of OpenX? The world needs to know. People need to be made aware, and it’s a duty of the concerned parties to ensure software they bring to the table measures up to the standards.

    Comment by nikk — August 9, 2010 @ 10:39 am

  24. How can I check these files? Anyone???

    Comment by world ending 2012 — September 27, 2010 @ 7:36 am

  25. [...] http://blog.openx.org/12/security-matters-2/ [...]

    Pingback by Bogdan Turcanu » Blog Archive » Neplăceri cu OpenX — October 7, 2010 @ 3:01 pm

  26. works great now, thanks

    Comment by hip hop mode — January 12, 2011 @ 9:59 am
