Friday, July 5, 2013

SecurityWeek: OpenX Addresses New Security Flaws with Latest Update

Article by Steve Ragan:
OpenX, the open source ad serving platform, patched two flaws last week, after they were discovered by Geneva, Switzerland’s High-Tech Bridge. The platform has had several issues before, and is a favorite target of criminals operating using malvertising as an attack vector.

According to the High-Tech Bridge advisory, OpenX patched two flaws in the final days of June. The first was a file inclusion vulnerability, which, if the attacker has administrative privileges, can be used to access stored files such as the web server's /etc/passwd file.

"Successful exploitation of these vulnerabilities requires administrative privileges, however they can also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick logged-in OpenX administrator to open a specially crafted web page with CSRF exploit code," the advisory explains.

Read Full Article at: SecurityWeek.com
