========================================================================
OpenX security advisory                                OPENX-SA-2009-001
------------------------------------------------------------------------
Advisory ID:           OPENX-SA-2009-001
Date:                  2009-Jan-30
Security risk:         Moderately critical
Applications affetced: OpenX
Versions affected:     <= 2.4.9, <= 2.6.3
Versions not affected: >= 2.4.10, >= 2.6.4
========================================================================


========================================================================
Multiple vulnerabilities: XSS, SQL inection, directory traversal
========================================================================

Description
-----------
A security review of OpenX 2.6.3 was recently being conducted on Openx
2.6.3 by Sarid Harper on behalf of Secunia and reported to us. One of
the vulnerabilities was also independently discovered by Charlie Briggs
and disclosed on milw0rm.com, forcing Secunia to publish the research
results before our fix releases were ready.

The review contains a list of 22 items for multiple vulnerabilities
ranging from XSS to SQL injection to directory traversal. Some are only
exploitable by authenticated users, others can be conducted by
unauthenticated users.

All the the items were fixed in OpenX 2.6 and backported to 2.4 when
applicable. New versions of both OpenX 2.6 and 2.4 have been released.

Solution
--------
 - Upgrade to OpenX 2.4.10 or 2.6.4

References
----------
 - http://secunia.com/advisories/32197/
 - http://www.milw0rm.com/exploits/7883
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0291

Timeline
--------
2009-Jan-20: Secunia reported the security review results to OpenX
2009-Jan-20: OpenX started investigation and scheduled the fixes
             according to the company release plans
2009-Jan-26: the fc.php MAX_type vulnerability was independently
             discovered and disclosed
2009-Jan-27: an OpenX user reported the link to our forums
2009-Jan-27: Secunia was forced to disclose the entire review
2009-Jan-29: OpenX 2.4.10 and 2.6.4 were released by OpenX


Contact informations
====================

The security contact for OpenX can be reached at:
<security AT openx DOT org>


Best regards

-- 
Matteo Beccati

OpenX - http://www.openx.org