OpenX arbitrary file upload

Description
  • The downloadable 2.8.5 and 2.8.6 versions of OpenX contain a vulnerability that can result in the compromise of a server running them. A remote attacker could use this functionality to upload and execute executable files on the system. To test this vulnerability, Acunetix created a file named acunetix_test on the server. You will need to delete this file.
Remediation
  • Update to OpenX version 2.8.7, or delete the following file from the OpenX installation: [openx_dir]/www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php
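
A check for verifying the remediation on a host, added here as an example (it is not part of the original advisory or of OpenX): it reports whether the upload script is still present and whether a scanner marker file remains. The function name openx_audit, the output labels and the choice to search only inside the install tree are assumptions.

```shell
#!/bin/sh
# Added example: audit an OpenX install for the two artefacts the advisory names.

# Path of the upload script relative to [openx_dir], as given in the advisory.
VULN_REL="www/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php"
# Name of the test file the scanner creates, as given in the advisory.
MARKER="acunetix_test"

# openx_audit DIR  (hypothetical helper name)
# Prints one finding per line.
# Returns 0 if clean, 1 if something needs removal, 2 if DIR is not a directory.
openx_audit() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "ERROR not a directory: $dir"
        return 2
    fi
    rc=0
    # Remediation check: the script must be gone (or OpenX updated to 2.8.7).
    if [ -e "$dir/$VULN_REL" ]; then
        echo "VULNERABLE_FILE $dir/$VULN_REL"
        rc=1
    fi
    # Assumption: the advisory does not say where the marker is written or
    # whether it carries an extension, so match the name prefix anywhere
    # under the install tree.
    found=$(find "$dir" -type f -name "${MARKER}*" 2>/dev/null)
    if [ -n "$found" ]; then
        echo "$found" | sed 's/^/SCANNER_MARKER /'
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK $dir"
    fi
    return "$rc"
}

# Run directly as: sh openx_audit.sh /path/to/openx
if [ "$#" -gt 0 ]; then
    openx_audit "$1"
fi
```

A SCANNER_MARKER line only shows that a scan succeeded in writing a file; review the same tree for other unexpected files before treating the host as clean.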