Vulnerability in OpenX advertisement server - AfterDawn's ads affected as well

Written by Jari Ketola @ 12 Sep 2010 6:40 User comments (14)

There is an unpatched vulnerability in the OpenX advertisement server that affected advertisement delivery at AfterDawn.com for a short while today. The vulnerability was used to tamper with specific files on our advertisement server, which caused advertisements to fail to load. Advertisements are served from an isolated server, and no other AfterDawn services were affected at any stage.
The vulnerability is not in OpenX itself but in a bundled component, Open Flash Chart 2. It has been known for a long time but has not been patched to date. Its effects on OpenX, and instructions for fixing it and cleaning up after the issue, are explained on the kreativrauschen.com blog.

In our case the advertisement server simply broke down and delivered no advertisements at all. Access to the server caused Chrome to throw an "Error 330 (net::ERR_CONTENT_DECODING_FAILED): Unknown error" error while Firefox displayed "Content Encoding Error: The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression."
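The browser errors quoted above are what you see when a response body no longer decodes as its Content-Encoding header claims. As an added example (not code from this article or from OpenX), here is a small health check that performs that same decode on the server side, so a monitor can flag the breakage before visitors do; the Response class and the sample responses are constructed for the example.

```python
import gzip
import zlib
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def check_content_encoding(resp: Response) -> tuple[bool, str]:
    """Return (ok, reason): does the body really decode as its header claims?

    This is the check a browser performs before giving up with
    ERR_CONTENT_DECODING_FAILED / "Content Encoding Error".
    """
    enc = resp.headers.get("Content-Encoding", "identity").strip().lower()
    body = resp.body
    try:
        if enc == "gzip":
            # Bytes injected ahead of the stream (a prepended file header, say)
            # clobber the gzip magic number first, so test it explicitly.
            if not body.startswith(b"\x1f\x8b"):
                return False, "Content-Encoding: gzip but body is not a gzip stream"
            gzip.decompress(body)
        elif enc == "deflate":
            zlib.decompress(body)
        elif enc != "identity":
            return False, f"unsupported Content-Encoding: {enc}"
    except (OSError, EOFError, zlib.error) as exc:
        return False, f"body does not decode as {enc}: {exc}"
    return True, "ok"


# Constructed samples: a healthy gzip reply, the same reply with bytes
# injected ahead of the compressed stream, and an uncompressed reply.
AD_SCRIPT = b"document.write('<img src=\"banner.gif\">');"
SAMPLES = {
    "healthy": Response({"Content-Encoding": "gzip"}, gzip.compress(AD_SCRIPT)),
    "tampered": Response({"Content-Encoding": "gzip"},
                         b"<?php /* injected */ ?>\n" + gzip.compress(AD_SCRIPT)),
    "plain": Response({}, AD_SCRIPT),
}


def failing_samples() -> list[str]:
    """Names of the samples a browser would refuse to render; a monitor alerts on any."""
    return [n for n, r in SAMPLES.items() if not check_content_encoding(r)[0]]
```

In a real monitor, fetch the ad-serving URL with a client that does not auto-decompress, build a Response from the raw headers and body, and alert whenever the check returns False.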

The server has now been re-installed, the vulnerability fixed and all traces of tampering removed. We apologize for any inconvenience.

-Jari Ketola
CTO, AfterDawn.com


14 user comments

#1 12.9.2010 7:22

and this is news how? The less ads the better imo.




MGR (Micro Gaming Rig) .|. Intel Q6600 @ 3.45GHz .|. Asus P35 P5K-E/WiFi .|. 4GB 1066MHz Geil Black Dragon RAM .|. Samsung F60 SSD .|. Corsair H50-1 Cooler .|. Sapphire 4870 512MB .|. Lian Li PC-A70B .|. Be Queit P7 Dark Power Pro 850W PSU .|. 24" 1920x1200 DGM (MVA Panel) .|. 24" 1920x1080 Dell (TN Panel) .|.

#2 12.9.2010 7:28

Originally posted by shaffaaf:
and this is news how? The less ads the better imo.
In a way that

a) By changing the ad code dramatically, the ad server could go past all ad blocks.

b) People who got into the OpenX could start delivering auto-installing malware via some of the largest websites in the world.

...Luckily that didn't happen for us, they just managed to disable the ad server. But the vulnerability is there, without an official patch available.
This message has been edited since its posting. Latest edit was made on 12 Sep 2010 @ 7:34

Petteri Pyyny (pyyny@twitter)
Webmaster
http://AfterDawn.com/

#3 12.9.2010 10:23

No ads? Aw what a shame. I mean it just sucked so bad actually having the freedom to move my mouse cursor around without fear of bringing up an ad by hovering over a certain key word or phrase. I realize these annoyances probably are what keep this from becoming a membership site but just the same, I wasn't shedding any tears with them gone.

#4 12.9.2010 12:26

Originally posted by 5fdpfan:
No ads? Aw what a shame. I mean it just sucked so bad actually having the freedom to move my mouse cursor around without fear of bringing up an ad by hovering over a certain key word or phrase. I realize these annoyances probably are what keep this from becoming a membership site but just the same, I wasn't shedding any tears with them gone.
The ads you're talking about don't show up when you're logged in, as far as I know.

If I remember right, aD can't accept donations due to Finnish law. Because of this they have to have ads in order to pay for the site's servers.
This message has been edited since its posting. Latest edit was made on 12 Sep 2010 @ 12:27

"The only people who should buy Monster cable are people who light cigars with Benjamins." - Gizmodo

#5 12.9.2010 16:07

I'll never understand what all the bitching about ads on free services is about. Shut the hell up and ignore the ads if you don't want to see them. Servers don't pay for themselves. The internet isn't free either. All the work that goes into a site like this requires compensation. So either pay up or shut the hell up daft sack bags.
Tell me, do you people whine like little bitch asses when you're watching TV? Even some premium channels advertise so what's the prob huh nut sacks?????


XXYYQQOO!!! Yeah WELCOME TO JAMROCK

#6 12.9.2010 17:03

This and other issues are the reason Apple and others don't like Flash. Flash from my experience has been on the lower end of the quality scale. Working for a large software company, we reported numerous vulnerabilities in Flash and they appeared to have an attitude of "That is not our concern..."


#7 12.9.2010 17:17

Will my Afterdawn account get hacked?


http://my.afterdawn.com/mik3h/blog_entry.cfm/1394 - Guides written by me.
http://www.adbuddies.org/ - Join us Live on IRC!

(Kudos to Ripper For The Beautiful Sig!)

#8 12.9.2010 17:23

Originally posted by Mik3h:
Will my Afterdawn account get hacked?
The problem is most likely that someone could exploit a cross site scripting vulnerability; depending on what your security settings are, ya, you could easily be hacked. That is the problem with Flash.

#9 12.9.2010 18:32

Mik3h, Dude read the article. The attack was on their advertisement software, which it stated was on an isolated server, and the main site was not touched. As it is I am sure there is a site backup done every 24 hours, so don't worry about your account; if there is a problem it is just a matter of loading the tables and fixing the issue.

As for the OpenX software itself, why would the developers leave such an opening for a period of time? Is it a dead project or are the developers lazy? As undeveloped as the internet is, we still have a long way to go at this rate.

#10 12.9.2010 21:08

Originally posted by Zealousi:
Mik3h, Dude read the article. The attack was on their advertisement software, which it stated was on an isolated server, and the main site was not touched. As it is I am sure there is a site backup done every 24 hours, so don't worry about your account; if there is a problem it is just a matter of loading the tables and fixing the issue.

As for the OpenX software itself, why would the developers leave such an opening for a period of time? Is it a dead project or are the developers lazy? As undeveloped as the internet is, we still have a long way to go at this rate.
You, sure... yet another hole :(


AfterDawn: News
http://www.afterdawn.com/news/article.cf...der_and_acrobat

#11 13.9.2010 0:05

"The vulnerability has been known for a long time but has not been patched to date."

"The server has now been re-installed, the vulnerability fixed and all traces of tampering removed. We apologize for any inconvenience."

One of those statements must be wrong...how can you patch a vulnerability if it cannot be patched?

#12 13.9.2010 1:51

Originally posted by KillerBug:
"The vulnerability has been known for a long time but has not been patched to date."

"The server has now been re-installed, the vulnerability fixed and all traces of tampering removed. We apologize for any inconvenience."

One of those statements must be wrong...how can you patch a vulnerability if it cannot be patched?
Patching was done by the unofficial method of patching it, as per described in the kreativrauschen.com blog -- i.e. the OpenX team _still_ hasn't released an official patch to the problem, but it can be patched by other means.

Petteri Pyyny (pyyny@twitter)
Webmaster
http://AfterDawn.com/

#13 14.9.2010 21:20
mtodd78
Unverified new user

This issue has been resolved with 2.8.7. We encourage everyone running the downloadable version of OpenX to upgrade to the latest version. For more info, please visit http://blog.openx.org/09/security-update/

#14 17.9.2010 13:19

DRD is correct!

I think I have been nailed twice by ads. Once for sure a year back and maybe once yesterday. You get a virus just by passing a mouse pointer over the ad. I have 2 virus scanners and one spyware scanner and still I got something. Actually, the first time I only had 1 virus scanner. The first time the attack was obvious because it halted all operations and downloaded a bot-net virus to my computer. I knew I was being screwed, tried to shut down services, then resorted to turning off the computer. In retrospect, I should have pulled the plug.

Yesterday I did send out a virus bomb in an email. I don't know what happened, so maybe it was an ad or maybe not. I did find a popup box that should not have been able to pop up. I figure something in an ad may have popped the window in a way FF did not detect and block. The popup was where the virus was hiding, but who knows. I am fairly sure I sent the bomb just before I found the popup. I couldn't find any trace of it when I scanned. The process left me scratching my head.
