Researchers at security firm High-Tech Bridge uncovered a critical SQL injection vulnerability in a popular ad server.
The issue, which affects Orbit Open Ad Server version 1.1.0 and possibly previous versions, has been patched by OrbitScripts. Users who have not applied the patch, however, remain exposed to a potentially serious vulnerability.
In a detailed advisory, High-Tech Bridge Security Research Lab revealed that the vulnerability could be exploited to perform SQL injection attacks, alter the SQL queries the application sends to its database, and potentially gain control over the vulnerable website.
“This is definitely a high-risk vulnerability,” said Ilia Kolochenko, CEO of High-Tech Bridge.
“It’s a blind SQL injection so its exploitation will require some skills from a hacker,” he added. “But nothing really complicated for an experienced hacker.”
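The injectable pattern behind a finding like this, and the fix the patch would have to apply, can be shown in a few lines. The block below is an added illustration, not code from Orbit Open Ad Server or from High-Tech Bridge's advisory; the table, column names and sample rows are constructed, and the vulnerable function stands in for any query that concatenates user input into SQL. In a blind variant the application returns no query output at all, only a change in behaviour, which is why the remedy is binding parameters rather than filtering what is displayed.

```python
import sqlite3

# Constructed sample data: a tiny ad-zone table standing in for an ad server's
# database. The schema is an assumption, not Orbit Open Ad Server's own.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE zones (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO zones (name, owner) VALUES (?, ?)",
        [("header", "alice"), ("sidebar", "alice"), ("footer", "bob")],
    )
    return conn

def zones_vulnerable(conn, owner):
    """Builds the WHERE clause by string concatenation: the injectable pattern.
    Whatever the caller passes becomes part of the SQL text itself."""
    sql = "SELECT name FROM zones WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]

def zones_hardened(conn, owner):
    """Same query with a bound parameter: the driver sends the value separately,
    so the input can never change the structure of the statement."""
    sql = "SELECT name FROM zones WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]

# Constructed test input: a tautology that widens the WHERE clause when it is
# pasted into the SQL text, and is just an unmatched literal when bound.
TAUTOLOGY = "x' OR '1'='1"

def demo():
    conn = build_db()
    return {
        "vuln_normal": zones_vulnerable(conn, "bob"),       # ['footer']
        "vuln_payload": zones_vulnerable(conn, TAUTOLOGY),  # every row leaks
        "safe_normal": zones_hardened(conn, "bob"),         # ['footer']
        "safe_payload": zones_hardened(conn, TAUTOLOGY),    # [] - treated as data
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

When reviewing a patch for a finding like this one, the check is simply that every place user input reaches the database goes through the second shape: a fixed statement plus bound parameters, with no string building of SQL from request data anywhere in between.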
Proof of concept attacks against the vulnerability can be seen here.
Because the application is used to manage ads on third-party sites, those sites could also have been affected and made to serve malware instead of legitimate ads, the CEO noted. Known as malvertising, this was among the fastest growing attack vectors in 2013, according to Symantec’s latest Internet Threat Report. When it succeeds, it allows attackers to serve malicious ads on otherwise legitimate websites while bypassing any security mechanisms set up on the site, because the content is coming from a third party.
“As cybercriminals are increasingly targeting the ad servicing ecosystem with increased precision and distribution of malvertising, it underscores the need for all stakeholders to work to secure their servers and operations,” said Craig Spiezle, executive director and president of the Online Trust Alliance. “Malvertising is a significant risk to the industry, publishers and most importantly consumers who are being unknowingly compromised when visiting legitimate web sites.”
According to Kolochenko, there is no evidence that the vulnerability was exploited in an attack, but it is not possible to say for sure. High-Tech Bridge advises website administrators to update to the latest version of Open Ad Server, version 1.1.1, which contains the patch.
Brian Prince is a Contributing Writer for SecurityWeek.