It has been a little over six months since the software formerly known as OpenX changed hands and became Revive Adserver. We thought now would be a good chance to look at an important improvement that has occurred and pretty serious problem that has popped up.
Before we get to that we should note that anyone still running OpenX should upgrade as soon as possible as Revive Adserver has fixed several security vulnerabilities. Other than the bug we will get to later in the post, the upgrade should be rather seamless.
The story of the later years of OpenX was a series of security problems and a lack of concern for security that lead to at least some of those problems. In one instance their systems were breached and someone was able to modify the OpenX downloads so that malicious code was included. In another their systems were breached and used in conjunction with a vulnerability in OpenX, that the OpenX developers had been warned about, to gain access to individual OpenX installations. Another ongoing issue was that OpenX was not releasing the details of what changes were being made in releases. Doing this is important when security vulnerabilities are fixed as it allows others to double check that the issue has been resolved and it also helps people cleaning up hacked ad servers (like us) to know if the vulnerability that was exploited is an old vulnerability that has been fixed or a new vulnerability that would need to be reported to the developer to get fixed.
So far the people behind Revive Adserver have been handling things much better. For the last security vulnerability found in the software, which existed long before it became Revive Adserver, it was promptly fixed and a security advisory with details of it was released.
Our own experience with reporting a security issue to the OpenX and Revive Adserver teams showed the dramatic difference between the two. In June of 2012 a vulnerability was discovered in the XmlRpc component of the Zend Framework. Shortly afterward we sent an email to OpenX’s security address alerting them to the vulnerability in the component, which was included OpenX. We never heard anything back from them and the vulnerable component was never fixed. After the software became Revive Adserver we remembered the issue and decided to try reporting the issue again. Not only did we get a prompt response, but it was clear that they had actually looked into the scope of the vulnerability. As the components were no longer used in Revive Adserver the only way the vulnerability could be exploited is if a plugin used them. To resolve the issue they removed those components in the next release of Revive Adserver, 3.0.3.
A Serious Bug Unfixed
The latest release of Revive Adserver, 3.0.3, has a serious bug that causes new statistics data to stop showing up. Since statistics are important function of the ad server this is something that should have been promptly fixed, but about three weeks later it hasn’t. There were a couple of threads started on their forum (one of which is currently labeled as being HOT) shortly after the release raising the issue and identifying the problem. There were then a couple of bug reports filed, which were closed with a developer directing people to the forum. The latest bug report was filed a week ago and has yet to receive a response from the developers. This situation seems to indicate that improvements could be made in the handling of bug reports and that better pre-release testing might be needed, so that this type of bug can be spotted before it gets into a released version.
For those waiting on an official fix, the easiest way to resolve this for now is to go to the file /lib/RV.php and change the line:
require_once RV_PATH . '/lib/pear/PEAR.php';
We have recently gotten a number of questions about how much disruption upgrading from OpenX to the new Revive Adserver causes and as other undoubtedly have the same questions we wanted to address those for a wider audience. The good news is that the upgrade should be seamless in most instances. While the software has new name – due to ownership of the software being transferred – and a jump in version number from 2.8 to 3.0, the changes so far have been under the hood. This means that you won’t have to make changes to zones, campaigns, banners, ad positions, etc.
Two of the releases of Revive Adserver (3.0.0 and 3.0.2) have fixed security vulnerabilities that could lead to the ad server being hacked, so if you haven’t upgrading yet you should do that as soon as possible. There have also been bug fixes and modernization, including support for PHP 5.4 and 5.5, included in the new versions so far.
If you have previously done an upgrade between versions of OpenX 2.8 then you should find the process to be the same when upgrading to Revive Adserver.
So far the only issue we have run in to with the upgrade is that in one instance the upgrade failed to remove the OpenX Market plugin, which had been deprecated. The failure to remove that caused the admin interface to not work due to a Failed Opening Required error for the file /lib/ox/m2M/xmlrpcexecutor.php. If that occurs you can delete the /www/admin/plugins/oxMarket/ directory allowing access to the admin interface where you can fully remove the plugin and the openXWorkflow plugin, which should also have been removed.
If you are looking for someone to handle the upgrade for you, we can do a one-time upgrade for you or we can handle upgrades on an ongoing basis for you (insuring that you always get security fixes applied within a day of their release).
Earlier this week it was discovered that the downloads of OpenX 2.8.10 had been modified at some point to include malicious code that allowed remote code execution. OpenX’s blog post about the incident starts with the claim that “OpenX takes security seriously.”. This isn’t the first time they have claimed that in a blog post (that previous blog post has the dubious distinction of being the third post named Security Matters on their blog). The claim that they take security seriously is hard to square with what happened in this instance, especially in light of previous events. Unlike the issues mentioned in those previous blog posts, which involved unintentional security vulnerabilities, in this case someone was able to gain access to OpenX’s website and modify files on the website to include malicious code without being detected by them. It only came to light that the files had been modified after the vulnerability added to the download was being actively exploited.
That isn’t something that should happen and it would be a big red flag that security isn’t taken seriously if it had only happened once. But this doesn’t seem to be the first time that OpenX’s website has been breached. It appears that their website was previously breached and used to exploit OpenX ad servers in April of last year. OpenX 2.8.10 wasn’t released until September of last year, so this most recent issue would have come either from a subsequent breach or from them not shutting off access after the first breach was detected.
Their post emphasizes that their other products were not impacted by the vulnerability in the downloads, but considering they were breached and didn’t detect it, it reasonable to be concerned that the breach may have reached other parts of their systems. Their post gives no indication that they made any check to insure that is the case.
The claim that they take security seriously is even harder to believe in light of the fact that they fail to take basic security measures with their website even after having their website breached at least twice. This can be seen by their use of an outdated version of WordPress on the very blog were they are claiming to take security seriously:
WordPress 3.4.1 is eleven months out of date and there have been three updates with security fixes released (3.4.2, 3.5.1, and 3.5.2). The announcement for 3.5.2, released on June 21, included this message, which OpenX has ignored:
This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress is very easy to update, so if they can’t manage to do that it seems likely that they are failing to take other more complicated security measures that need to be taken when a website is being targeted, as theirs has been.
OpenX Ignores Security Issue
Back in July of last year we sent an email to OpenX’s security email address to inform that there was a vulnerability in the Zend Framework that ships with OpenX. We never heard anything back from them and the vulnerable file has not been updated in OpenX.