

Using OpenX? Time to upgrade - Serious vulnerability found - sucuri2
http://blog.sucuri.net/2010/09/openx-users-time-to-upgrade.html

======
chrisbolt
I got bitten by this too, and when I discovered why I was livid.

[https://svn.openx.org/openx/tags/2.8/openx-2.8.6/plugins_rep...](https://svn.openx.org/openx/tags/2.8/openx-2.8.6/plugins_repo/openXVideoAds/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php)

This third party plugin is automatically installed and enabled by the
installer. No admin authentication, wide open access to upload and run PHP.

More details can be found at
[http://www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/](http://www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/) and if
_www/admin/plugins/videoReport/lib/tmp-upload-images/_ exists, it's likely
your server has been compromised.
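A defender's triage check for the two indicators named in the comment above, added here as an example (it is not from the post, from Sucuri, or from OpenX). It assumes the plugin is deployed to `www/admin/plugins/videoReport/lib/ofc2/` inside the install root (inferred from the upload directory path quoted above); the `plugins_repo` path is the one in the SVN link.

```shell
#!/bin/sh
# Paths: the deployed uploader location is an assumption; the repo path and
# the upload directory are the ones quoted in the comment.
DEPLOYED_UPLOADER='www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php'
REPO_UPLOADER='plugins_repo/openXVideoAds/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php'
UPLOAD_DIR='www/admin/plugins/videoReport/lib/tmp-upload-images'

# openx_triage ROOT
# Returns 0 = no indicators, 1 = unauthenticated uploader is reachable,
# 2 = the upload directory exists (likely compromised; takes precedence).
openx_triage() {
    root=$1
    status=0
    for f in "$DEPLOYED_UPLOADER" "$REPO_UPLOADER"; do
        if [ -f "$root/$f" ]; then
            echo "EXPOSED: unauthenticated uploader present: $root/$f"
            status=1
        fi
    done
    if [ -d "$root/$UPLOAD_DIR" ]; then
        echo "LIKELY COMPROMISED: $root/$UPLOAD_DIR exists"
        # Anything dropped here was written by the uploader; keep the listing
        # (names and mtimes) for incident response before cleaning up.
        find "$root/$UPLOAD_DIR" -type f -exec ls -l {} \;
        status=2
    fi
    [ "$status" -eq 0 ] && echo "OK: no indicators under $root"
    return "$status"
}
```

Run as `openx_triage /var/www/openx` on each install; a non-zero exit is the signal to take the host offline and upgrade.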

~~~
DJN
Dude, if you need a decent ad server as an alternative to OpenX, I'll suggest
Trafficspaces.

I designed it and it's one of my proudest pieces of work (if I may say so
myself) :)

Warning: it's a premium service

<http://www.trafficspaces.com/tour/>

~~~
johng
Looks neat but $99/month for 1M impressions ain't much. Overpriced IMHO.

Assuming $1 CPM, a site will be making $1000 off of that. You're taking a 10%
cut.

$100 should get you 50,000,000 impressions, at minimum.

~~~
DJN
Think about it this way: if you can segment your traffic into valuable niches
(e.g. females, 18-30 in NYC, who are searching for shoes), you can sell your
traffic at a far higher CPM.

That's where Trafficspaces excels - ad targeting.

All impressions aren't equal so you shouldn't treat them as such. The key is
being able to unlock the value.

------
drtse4
Even if I had limited experience with it, this doesn't surprise me; I still
don't understand how big sites can use or have used (listed on the OpenX site)
this script to manage their own ad network.

Lots of issues with the db and with the upgrade procedure; sometimes it has weird
issues that are hard to identify and solve (i.e. things that stop working without any
apparent reason)... Maybe I'm too critical, but I felt it was just another
crappy PHP app.

~~~
troels
Notwithstanding that the code is a maze to find your way through.

------
bobds
This is particularly bad news when you couple it with the Flash vulnerability
that's gonna be open for a few weeks.

You exploit a couple big OpenX installs, put some Flash ads in there and
infect a whole lot of users.

On a sidenote, are there any less complex, preferably open-source,
alternatives to OpenX?

~~~
robotkad
As far as I know, there really isn't much out there when it comes to
open-source. There is OASIS (<http://oasis.sourceforge.net/>), but I don't think it
is in active development.

Personally, I'll be moving a couple of openx installs to Google DFP
(<http://www.google.com/dfp/info/sb/index.html>) in the next few days. I've
heard some good things about AdButler (<http://www.adbutler.com/>) but I have
yet to use it myself.

~~~
chopsueyar
Never heard of Google DFP. I wonder if the data lag is similar to AdWords.

The nice thing about OpenX was installing it on your own hardware.

Thanks for the links.

~~~
mtsmith85
We use DFP at VBM after switching from a hosted OpenX install. DFP suffers
from the lag, but in my experience, OpenX also exhibited lag (though not to
the same level). It takes roughly 30 minutes to traffic ads, which is enough
time to be a pain in the rear... especially if you mess up the ad code.

~~~
chopsueyar
Good to know. Thank you.

------
johng
It's amazing to me that OpenX is trying to be looked at as a 'leader' in this
space and they even do hosted ads, but they can't keep their servers up for a
security patch release.

~~~
drtse4
As someone said below, alternatives are really limited; guess that's the
result of nonexistent competition.

~~~
DJN
There are alternatives. Google 'em

[http://www.google.com/search?client=ms-rim&hl=en&q=self%20service%20ad%20manager&ie=UTF-8&oe=UTF-8&channel=browser](http://www.google.com/search?client=ms-rim&hl=en&q=self%20service%20ad%20manager&ie=UTF-8&oe=UTF-8&channel=browser)

------
sucuri2
Really bad, especially considering that openx.org has been offline for a while
and we are seeing many attacks in the wild.

~~~
JoelPM
OpenX is being DDoS'ed, that's why the site is down.

------
chopsueyar
Has OpenX been suffering from security vulnerabilities for a while now?

~~~
bobf
Yes, it seems that over the past 6-12 months it has been one security
vulnerability after another with OpenX -- which is why I switched to Google
DFP 2 weeks ago.

------
chopsueyar
What would be needed to create a secure equivalent of OpenX in terms of
architecture and performance?

Is it more than a glorified image/snippet server and counter?

~~~
chrisbolt
It's slightly more complicated than that, and you'd probably have to work in
advertising to understand why.

Ad zones, campaign weighting, frequency caps, companion positioning, exclusive
campaigns, delivery limitations (language, user-agent, geographic targeting,
time of day, section), probability calculation, detailed statistics, and the
ability to give a client a login to view their own stats. These are just a few
of the features.

If all you need is a glorified image/snippet server and counter, you could
probably just write one.

~~~
DJN
I feel you bro. It is definitely complicated. I've got a few gray strands to
prove it whilst developing Trafficspaces (a SaaS ad manager).

It started as a hobby but once I got into it, I got sucked in by the challenge
of simplifying all that complexity.

For most people, the adserver is just the UI. The complex calculations, ad
targeting, and scalability issues are just abstracted away into the abyss.
Then there are those heisenbugs that occur at a frequency of 1 in a billion
transactions, which can consume your entire weekend! Grrrh!

I kinda feel sorry for OpenX though. Their codebase is probably unmanageable by
now. I'm sure their devs wish they could just throw it all away and start
afresh.

------
amalcon
Their main site is down. Anyone want to enlighten the rest of us about what
OpenX is? Something about ads, it seems; can anyone be more specific?

~~~
sachinag
It's an open source ad server.

~~~
amalcon
Fair enough; in that case, why would I use it instead of (say) nginx? Is it an
optimization thing or a logging thing?

~~~
whiskeyjack
Slight misunderstanding. It's a PHP webapp that is an ad server. Not a web
server. Having seen the codebase... it's evil.

------
johng
It's an adserver. Pretty simple.

