
Thread: new openX exploit & recommended fix

  1. #1
    HunkyLuke
    Join Date: Mar 2008
    Posts: 3,194


    A new exploit has been found in OpenX which allows hackers to create their own admin account. It was posted at http://blog.openx.org/05/security-up...penx-28-users/ along with these instructions:

    A recent security issue with OpenX versions 2.8.0 - 2.8.8 means users of these versions of the platform should take the following steps:

    1. Secure their servers by removing the files being exploited:

    www/admin/account-settings-debug.php
    www/admin/plugin-index.php
    www/admin/plugin-settings.php
    www/admin/admin-user.php

    2. Removing these scripts will impact some of the user/plugin management systems, but will not affect existing users/plugins, and will not affect ad serving.

    3. Replace the www/admin/dashboard.php file with the one in this archive so as to not break the login process.

    Users can tell if they have been affected by this by checking for a rogue admin user named “openx-manager” in their UI at http://<your_admin_domain>/www/admin/admin-access.php

    If the above user is found, it should be removed, and a full security audit should be performed.

    We strongly encourage users to lock down their config file. Additionally, users should notify security@openx.com if they ever become aware of a security matter.
    As we all know, it's best to patch these things immediately before running into problems.
    Luke H.
    Marketing Director
    Zbuckz.com, Jbuckz.com, Dickbank.com, Glamourbuckz.com
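As an added example (not part of Luke's post or of OpenX's advisory): a small shell script that does the file-removal step from the advisory and, since the "have I been hit?" check above is a manual look in the UI, also greps the web server access log for requests to the same four scripts. It assumes the stock OpenX 2.8 layout under the install root you pass in and an Apache/nginx combined-format access log; the function names, the placeholder file tree and the log lines (IPs, timestamps) are constructed for the demo. Step 3 (the replacement dashboard.php from OpenX's archive) isn't scripted here because the archive isn't on this page.

```shell
#!/bin/sh
# Added example, not from the OpenX advisory or the forum post above.
# Assumes the stock OpenX 2.8 layout under the install root given as $1
# and a combined-format web server access log.

EXPLOITED_FILES="www/admin/account-settings-debug.php
www/admin/plugin-index.php
www/admin/plugin-settings.php
www/admin/admin-user.php"

# The same four scripts as they appear in a request line (or a referrer).
HIT_PATTERN='admin/(account-settings-debug|plugin-index|plugin-settings|admin-user)\.php'

# remove_exploited_files ROOT
#   Deletes each listed script if present and prints what it removed.
#   Exit status is the number of listed files still present afterwards (0 = clean).
remove_exploited_files() {
    root=$1
    remaining=0
    for f in $EXPLOITED_FILES; do
        if [ -f "$root/$f" ]; then
            rm -f "$root/$f" && echo "removed: $f"
        fi
        if [ -e "$root/$f" ]; then
            remaining=$((remaining + 1))
        fi
    done
    return $remaining
}

# count_exploit_hits LOG
#   Prints the number of access-log lines that request one of the four scripts.
#   A non-zero count means someone at least probed the hole: check the user list
#   for "openx-manager" and start the audit the advisory calls for.
count_exploit_hits() {
    grep -Ec "$HIT_PATTERN" "$1" || true
}

# list_exploit_hits LOG
#   Prints the matching lines themselves for triage (source IP, time, method).
list_exploit_hits() {
    grep -E "$HIT_PATTERN" "$1" || true
}

# To look for the rogue account outside the UI (assumes the default "ox_" table
# prefix of an OpenX 2.8 install; adjust if yours differs):
#   mysql -u USER -p DBNAME -e "SELECT * FROM ox_users WHERE username='openx-manager'"

# make_sample DIR
#   Builds a constructed OpenX-like tree and a constructed access log under DIR
#   so the script runs offline. Two of the four log lines hit exploited scripts.
make_sample() {
    dir=$1
    mkdir -p "$dir/openx/www/admin"
    for f in $EXPLOITED_FILES www/admin/dashboard.php www/admin/admin-access.php; do
        echo '<?php // placeholder' > "$dir/openx/$f"
    done
    printf '%s\n' \
      '203.0.113.7 - - [12/Oct/2011:03:14:07 +0000] "GET /www/admin/plugin-index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"' \
      '203.0.113.7 - - [12/Oct/2011:03:14:09 +0000] "POST /www/admin/admin-user.php?action=save HTTP/1.1" 302 0 "-" "Mozilla/5.0"' \
      '198.51.100.4 - - [12/Oct/2011:03:20:00 +0000] "GET /www/delivery/ajs.php?zoneid=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"' \
      '192.0.2.9 - - [12/Oct/2011:03:21:30 +0000] "GET /www/admin/dashboard.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"' \
      > "$dir/access.log"
}

# Stand-alone demo on the constructed sample.
SAMPLE=$(mktemp -d)
make_sample "$SAMPLE"
remove_exploited_files "$SAMPLE/openx" && echo "all four scripts gone"
echo "suspicious requests: $(count_exploit_hits "$SAMPLE/access.log")"
list_exploit_hits "$SAMPLE/access.log"
rm -rf "$SAMPLE"
```

Swap in your own install root and log path; a non-zero hit count is the cue to check admin-access.php for the openx-manager user and treat the box as compromised until the audit says otherwise. dashboard.php and admin-access.php are deliberately left alone, matching the advisory.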


  2. #2
    Jay_StandAhead (Administrator)
    Join Date: Jul 2011
    Posts: 75
    Fixed that this weekend... our custom IP restrictions saved our ass apparently!

    IndieBucks | StandAhead | BoyCrushCash | Phoenixxx | EmoProfits | BritishBucks | HunkMoney | LatinoBucks
    Lowest Minimum Payouts in the business, Perfect track record, Amazing sites


  3. #3
    Camper than a row of tents
    Join Date: Jan 2008
    Location: Florida
    Posts: 345
    I use the free version of OpenX to feed some banners to my blogs, so this would not affect me, correct? I don't recall ever loading their scripts on my server... I just include some code on my sites that they provide.

