OpenX arbitrary file upload

Description

There is a vulnerability in the downloadable versions 2.8.5 and 2.8.6 of OpenX that can result in the compromise of a server running the downloaded version. A remote attacker could exploit it to upload files to the server and execute them. To test this vulnerability, Acunetix WVS created a file named acunetix_test on the server. You will need to delete this file.

Remediation

It is recommended to update to OpenX version 2.8.7 or to delete the following file from the OpenX installation:

[openx_dir]/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php
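One way to check a web root for the file named above and for the scanner's leftover test file, as an added example that is not part of the advisory or of OpenX. The function names are hypothetical, and because the advisory does not say where acunetix_test was written, the script assumes it can be found by name anywhere under the directory given.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a web root for the upload
# script named under Remediation and for the scanner's test file.

# Relative path copied from the advisory.
OFC_REL='www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php'

# find_ofc_upload ROOT: print every copy of the script under ROOT.
# Matching on the full relative path avoids flagging unrelated files
# that merely share the name ofc_upload_image.php.
find_ofc_upload() {
    find "$1" -type f -path "*/$OFC_REL" 2>/dev/null
}

# find_scanner_leftovers ROOT: print files named acunetix_test.
# Assumption: the advisory does not say where the scanner wrote the
# file, so this searches the whole tree by name.
find_scanner_leftovers() {
    find "$1" -type f -name 'acunetix_test' 2>/dev/null
}

# audit_openx ROOT [--delete]: list findings, or remove them with
# --delete. Returns 0 when nothing is left on disk, 1 otherwise.
audit_openx() {
    root=$1
    action=${2:-report}
    hits=$(find_ofc_upload "$root"; find_scanner_leftovers "$root")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do
        if [ "$action" = "--delete" ]; then
            rm -f -- "$f" && echo "removed: $f"
        else
            echo "found: $f"
        fi
    done
    # Re-scan so the status reflects what is actually on disk now.
    [ -z "$(find_ofc_upload "$root"; find_scanner_leftovers "$root")" ]
}

# Run only when a directory is given: ./audit.sh /var/www [--delete]
if [ $# -gt 0 ]; then
    audit_openx "$@"
fi
```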
