Sep 15, 2010 05:00 GMT

A vulnerability in a component of the OpenX advertising platform has been exploited by hackers to tamper with ad serving on multiple websites including The Pirate Bay, eSarcasm and AfterDawn.

The affected component, called Open Flash Chart 2, is developed by a third party, but has been included by default in OpenX since last December.

The module allows visitor statistics to be displayed as graphical charts. The vulnerability is located in the ofc_upload_image.php script, which neither properly validates the files being uploaded nor verifies the users uploading them.

According to Heise Media, the flaw was originally discovered a year ago by another open source project that uses the same component, but it escaped the notice of the OpenX developers when they decided to integrate it.

As a result, hackers can leverage the bug to upload executable scripts and gain complete control of the servers.
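As an added example, not taken from the article or from OpenX, here is a small Python check a site operator could run over web-server access logs to find requests that reach the vulnerable ofc_upload_image.php script and to rank those whose requested file name does not look like a chart image. The combined log layout and the `name` query parameter carrying the upload's file name are assumptions about the component's interface; the log lines are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumed combined-log layout: ip - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

VULN_SCRIPT = "ofc_upload_image.php"
# Assumption: the script names the file to write via a `name` query parameter.
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}


def classify(line):
    """Return None for unrelated lines, else a dict describing the hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    url = urlparse(target)
    if url.path.split("/")[-1] != VULN_SCRIPT:
        return None
    name = parse_qs(url.query).get("name", [""])[0]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    reasons = []
    if method == "POST":
        # Legitimate chart exports also POST here, so this alone is low severity.
        reasons.append("upload attempt")
    if name and ext not in IMAGE_EXTS:
        reasons.append("non-image filename")
    if "/" in name or ".." in name:
        reasons.append("path traversal in filename")
    high = any(r != "upload attempt" for r in reasons)
    return {"ip": ip, "time": ts, "name": name, "status": status,
            "reasons": reasons, "severity": "high" if high else "low"}


def scan(lines):
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in (classify(l) for l in lines) if hit]


# Constructed sample traffic (RFC 5737 addresses), not real logs.
SAMPLE = [
    '203.0.113.5 - - [12/Sep/2010:10:01:02 +0000] "POST /ads/ofc2/ofc_upload_image.php?name=chart.png HTTP/1.1" 200 51',
    '198.51.100.9 - - [12/Sep/2010:10:05:44 +0000] "POST /ads/ofc2/ofc_upload_image.php?name=x.php HTTP/1.1" 200 47',
    '192.0.2.17 - - [12/Sep/2010:10:06:01 +0000] "GET /ads/index.php HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["severity"], hit["ip"], hit["name"], hit["reasons"])
```

Any hit at all is worth reviewing on a server that has not yet been upgraded, since the script is not needed for ad serving and can simply be removed or access-restricted.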

This is what happened on several popular websites recently, including the world's largest torrent tracker The Pirate Bay, AfterDawn and esarcasm.com.

The OpenX server used by The Pirate Bay was compromised with malicious ads, which served malware to the site's visitors.

The webmasters of eSarcasm.com had similar issues during the weekend with attackers gaining admin rights and tainting the ads with malicious JavaScript.

AfterDawn also confirmed the vulnerability in a Sunday blog post describing a compromise of its own OpenX server, which completely broke advertising operations on the website.

The OpenX developers released a security update for the open source platform yesterday, which addresses this issue.

"It has been brought to our attention that there is a vulnerability in the 2.8 downloadable version of OpenX that can result in a server running the downloaded version of OpenX being compromised.

"We have already closed this vulnerability with the latest version of our software. To avoid this issue, we recommend that all users immediately upgrade their systems to 2.8.7," they advise.