
Vulnerability in OpenX advertisement server - AfterDawn's ads affected as well

Written by Jari Ketola @ 12 Sep 2010 6:40

There is an unpatched vulnerability in the OpenX advertisement server that affected advertisement delivery at AfterDawn.com for a short while today. The vulnerability was used to tamper with specific files on our advertisement server, which caused advertisements to fail to load. Advertisements are served from an isolated server, and no other AfterDawn services were affected at any stage.
The vulnerability is not in OpenX itself, but in an included component, Open Flash Chart 2. The vulnerability has been known for a long time but has not been patched to date. Its effects on OpenX and instructions for fixing and cleaning up after the issue are explained on the kreativrauschen.com blog.

In our case the advertisement server simply broke down and delivered no advertisements at all. Access to the server caused Chrome to throw an "Error 330 (net::ERR_CONTENT_DECODING_FAILED): Unknown error" error while Firefox displayed "Content Encoding Error: The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression."



The server has now been re-installed, the vulnerability fixed and all traces of tampering removed. We apologize for any inconvenience.

-Jari Ketola
CTO, AfterDawn.com


14 user comments

#1 12.9.2010 07:22

and this is news how? The less ads the better imo.

#2 12.9.2010 07:28

Originally posted by shaffaaf:
and this is news how? The less ads the better imo.
In a way that

a) By changing the ad code dramatically, the ad server could go past all ad blocks.

b) People who got into the OpenX could start delivering auto-installing malware via some of the largest websites in the world.

...Luckily that didn't happen for us, they just managed to disable the ad server. But the vulnerability is there, without an official patch available.
This message has been edited since its posting. Latest edit was made on 12 Sep 2010 @ 7:34

#3 12.9.2010 10:23

No ads? Aw what a shame. I mean it just sucked so bad actually having the freedom to move my mouse cursor around without fear of bringing up an ad by hovering over a certain key word or phrase. I realize these annoyances probably are what keep this from becoming a membership site but just the same, I wasn't shedding any tears with them gone.

#4 12.9.2010 12:26

Originally posted by 5fdpfan:
No ads? Aw what a shame. I mean it just sucked so bad actually having the freedom to move my mouse cursor around without fear of bringing up an ad by hovering over a certain key word or phrase. I realize these annoyances probably are what keep this from becoming a membership site but just the same, I wasn't shedding any tears with them gone.
The ads you're talking about don't show up when you're logged in, as far as I know.

If I remember right, aD can't accept donations due to Finnish law. Because of this they have to have ads in order to pay for the site's servers.
This message has been edited since its posting. Latest edit was made on 12 Sep 2010 @ 12:27

#5 12.9.2010 16:07

I'll never understand what all the bitching about ads on free services is about. Shut the hell up and ignore the ads if you don't want to see them. Servers don't pay for themselves. The internet isn't free either. All the work that goes into a site like this requires compensation. So either pay up or shut the hell up daft sack bags.
Tell me, do you people whine like little bitch asses when you're watching TV? Even some premium channels advertise so what's the prob huh nut sacks?????

#6 12.9.2010 17:03

This and other issues are the reason Apple and others don't like Flash. Flash from my experience has been on the lower end of the quality scale. Working for a large software company, we reported numerous vulnerabilities in Flash and they appeared to have an attitude of "That is not our concern..."


#7 12.9.2010 17:17

Will my Afterdawn account get hacked?

#8 12.9.2010 17:23

Originally posted by Mik3h:
Will my Afterdawn account get hacked?
The problem is most likely someone could exploit a cross site scripting vulnerability, depending on what your security settings are, ya you could easily be hacked. That is the problem with flash.

#9 12.9.2010 18:32

Mik3h, Dude read the article. The attack was on their advertisement software, and the article stated that the issue was on an isolated server and the main site was not touched. As it is I am sure there is a site backup done every 24 hours, so don't worry about your account; if there is a problem it is just a matter of loading the tables and fixing the issue.

As for the OpenX software itself, why would the developers leave such an opening for a period of time? Is it a dead project or are the developers lazy? As undeveloped as the internet is, we still have a long way to go at this rate.

#10 12.9.2010 21:08

Originally posted by Zealousi:
Mik3h, Dude read the article. The attack was on their advertisement software, and the article stated that the issue was on an isolated server and the main site was not touched. As it is I am sure there is a site backup done every 24 hours, so don't worry about your account; if there is a problem it is just a matter of loading the tables and fixing the issue.

As for the OpenX software itself, why would the developers leave such an opening for a period of time? Is it a dead project or are the developers lazy? As undeveloped as the internet is, we still have a long way to go at this rate.
You, sure... yet another hole :(


AfterDawn: News
http://www.afterdawn.com/news/article.cf...der_and_acrobat

#11 13.9.2010 00:05

"The vulnerability has been known for a long time but has not been patched to date."

"The server has now been re-installed, the vulnerability fixed and all traces of tampering removed. We apologize for any inconvenience."

One of those statements must be wrong...how can you patch a vulnerability if it cannot be patched?

#12 13.9.2010 01:51

Originally posted by KillerBug:
"The vulnerability has been known for a long time but has not been patched to date."

"The server has now been re-installed, the vulnerability fixed and all traces of tampering removed. We apologize for any inconvenience."

One of those statements must be wrong...how can you patch a vulnerability if it cannot be patched?
Patching was done by the unofficial method of patching it, as described in the kreativrauschen.com blog -- i.e. the OpenX team _still_ hasn't released an official patch for the problem, but it can be patched by other means.

#13 14.9.2010 21:20
mtodd78
Unverified new user

This issue has been resolved with 2.8.7. We encourage everyone running the downloadable version of OpenX to upgrade to the latest version. For more info, please visit http://blog.openx.org/09/security-update/

#14 17.9.2010 13:19

DRD is correct!

I think I have been nailed twice by ads. Once for sure a year back and maybe once yesterday. You get a virus just by passing a mouse pointer over the ad. I have 2 viral scanners and one spyware scanner and still I got something. Actually, the first time I only had 1 virus scanner. The first time the attack was obvious because it halted all operations and downloaded a bot-net virus to my computer. I knew I was being screwed, tried to shut down services, then resorted to turning off the computer. In retrospect, I should have pulled the plug.

Yesterday I did send out a virus bomb in an email. I don't know what happened so maybe it was an ad or maybe not. I did find a popup box that should not have been able to pop up. I figure something in an ad may have popped the window in a way FF did not detect and block. The popup was where the virus was hiding but who knows. I am fairly sure I sent the bomb just before I found the popup. I couldn't find any trace of it when I scanned. The process left me scratching my head.
