OpenX Exploit

If you’re running the OpenX ad server and you’re not on the latest version, I’d recommend upgrading as soon as possible. There is a pretty bad exploit available and it’s already hitting some big sites.

The exploit goes through the Open Flash Chart 2 module. There is no check that the user is actually allowed to upload files to that directory. If you can’t upgrade right now, delete admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php if you don’t use the module. Most people don’t use it, and even if you do, I’d delete the file anyway until you can upgrade.

There are a variety of ways to exploit this, but one thing you can check is the contents of your admin/plugins/videoReport/lib/tmp-upload-images directory. If you see some sort of .php script in there, that’s a bad sign.
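As an added check for the directory test above (my example, not code from the original post), here is a POSIX shell function that lists anything PHP-like in an upload directory. It goes one step further than the post and also flags a PHP open tag hidden inside a file with a non-PHP extension; the OpenX path appears only in the usage comment, and the directory it scans in the demo is constructed.

```shell
#!/bin/sh
# Scan an upload directory for PHP that should never be there. Two cases are
# flagged: a PHP file extension, and a PHP open tag inside a file with any
# other extension (a script renamed to .jpg). Prints one line per finding;
# returns 0 when clean, 1 when something was found, 2 when the dir is missing.
scan_upload_dir() {
    dir="$1"
    found=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/* "$dir"/.*; do
        [ -f "$f" ] || continue          # skips '.', '..' and unmatched globs
        case "${f##*/}" in
            *.php|*.php[0-9]|*.phtml|*.phar)
                echo "PHP extension: $f"
                found=1
                continue ;;
        esac
        # A PHP open tag inside a "harmless" file is the second bad sign.
        if grep -qF -e '<?php' -e '<?=' "$f" 2>/dev/null; then
            echo "PHP tag inside non-PHP file: $f"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample directory (not real OpenX data) so the check runs offline.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'GIF89a...' > "$d/banner.gif"                            # legitimate upload
    printf '<?php /* constructed marker */ ?>' > "$d/ofc.php"       # dropped script
    printf 'GIF89a<?php /* constructed marker */ ?>' > "$d/img.jpg" # script inside an image
    echo "$d"
}

# Usage against a real install:
#   scan_upload_dir /path/to/openx/admin/plugins/videoReport/lib/tmp-upload-images
```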

We’ve already patched 3 client servers that had a PHP shell script uploaded into that directory.

An update on this: just upgrading isn’t going to fix your problem if you’ve already been exploited. You’ll want to check the append/prepend settings for all of your banners and zones, since more than likely the attackers have been noodling around in there to cause problems. Your audit log will show whether that has happened.

Run a PHP script in the background with AJAX & YUI

There are times when you want to run a PHP script in the background, something that is triggered by a user, but you don’t want them to have to wait for it to complete. There are a couple of ways to accomplish this, but I’ll focus on one in particular: making an asynchronous call using AJAX.

It’s pretty simple actually. First, in the PHP script you want to run in the background, you need to make sure it is allowed to run long enough to complete, and that it won’t die when the client aborts the connection. So, at the top of that PHP script, you’ll want to add these two lines:

Now for how to actually get that script running in the background. We’ll be using JavaScript and taking advantage of the YUI library, since it makes this particularly easy.

Basically, an async call is made to the script and then the connection is aborted, so the script continues to run while the user goes on doing whatever they want. The key is that you don’t want to abort the connection too fast. If it’s aborted right after it’s made, the script won’t even have time to start. So, we need to give it a couple of seconds before actually aborting. Here’s the JavaScript for this:

[javascript]
<script src="http://yui.yahooapis.com/2.8.0r4/build/yahoo/yahoo-min.js"></script>
<script src="http://yui.yahooapis.com/2.8.0r4/build/event/event-min.js"></script>
<script src="http://yui.yahooapis.com/2.8.0r4/build/connection/connection_core-min.js"></script>
<script type="text/javascript">
// Callback object for YUI's Connection Manager. We don't care about the
// response, so success and failure do nothing. "timeout" is in milliseconds:
// YUI aborts the request after 2 seconds, which gives the PHP script time to
// start before the connection goes away.
var spawnCallback = {
    success: function(o) {
    },
    failure: function(o) {
    },
    timeout: 2000
};

// Fire the request and return immediately; the user never waits for script.php.
function spawnProcess() {
    YAHOO.util.Connect.asyncRequest('GET', 'url/to/script.php', spawnCallback);
}
</script>
[/javascript]

And that’s about it. Then you just need to call the spawnProcess() function, and it will trigger your designated PHP script, which will run in the background until it finishes.