Attackers could have exploited the flaws to execute arbitrary code and compromise systems

Jul 4, 2013 21:01 GMT  ·  By

Experts from the High-Tech Bridge Security Research Lab have identified multiple vulnerabilities in OpenX, the popular advertising platform. The flaws can be exploited to execute arbitrary PHP code, launch cross-site scripting (XSS) attacks and compromise affected systems.

The first vulnerability is a Local File Inclusion (LFI) issue that can be exploited by an attacker who has administrative privileges, or by tricking a logged-in OpenX administrator into opening a malicious web page that triggers Cross-Site Request Forgery (CSRF) exploit code.

Experts have also discovered a couple of XSS vulnerabilities that can be leveraged by a remote attacker to get administrators to execute arbitrary code by tricking them into opening a specially crafted link.

The vulnerabilities, which affect OpenX 2.8.10 and probably older versions, were reported to the vendor on May 8. They were addressed last week.

Additional technical details and patches are available here.