Researchers at security firm High-Tech Bridge uncovered a critical SQL injection vulnerability in a popular ad server.
The issue, which affects Orbit Open Ad Server version 1.1.0 and possibly earlier versions, has been patched by OrbitScripts. Users who have not applied the patch, however, remain exposed to a potentially serious vulnerability.
In a detailed advisory, High-Tech Bridge Security Research Lab revealed that the vulnerability could be exploited to perform SQL injection attacks, alter the SQL queries the vulnerable application sends to its database, and potentially gain control over the vulnerable website.
“This is definitely a high-risk vulnerability,” said Ilia Kolochenko, CEO of High-Tech Bridge.
“It’s a blind SQL injection, so its exploitation will require some skills from a hacker,” he added. “But nothing really complicated for an experienced hacker.”
Proof of concept attacks against the vulnerability can be seen here.
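To make the class of flaw concrete for administrators deciding whether to patch, the following is an added, self-contained example and not code from the advisory or from Orbit Open Ad Server (whose code base is not shown here). It uses a constructed in-memory SQLite table of ad zones and contrasts a query built by string concatenation, where a tampered request parameter changes the query's logic, with the same lookup written as a parameterized query, where the driver sends the value separately and it can only ever match as data. The table name, column names and sample rows are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data (assumption, not from the advisory): a tiny ad-zone table
SAMPLE_ROWS = [
    (1, "banner-top", "acme-shoes"),
    (2, "sidebar", "acme-shoes"),
    (3, "footer", "other-advertiser"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ad_zones (zone_id INTEGER, name TEXT, advertiser TEXT)"
    )
    conn.executemany("INSERT INTO ad_zones VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_zone_unsafe(conn, zone_id):
    """Vulnerable pattern: the request parameter is pasted into the SQL text.

    Whatever the caller supplies becomes part of the statement, so a value
    that is not a plain number rewrites the WHERE clause instead of being
    compared against zone_id.
    """
    sql = "SELECT zone_id, name FROM ad_zones WHERE zone_id = " + str(zone_id)
    return conn.execute(sql).fetchall()


def lookup_zone_safe(conn, zone_id):
    """Hardened pattern: a placeholder in the SQL, the value bound separately.

    The statement's structure is fixed before the value is seen; the driver
    passes the value as data, so it can only ever be compared, never parsed
    as SQL.
    """
    sql = "SELECT zone_id, name FROM ad_zones WHERE zone_id = ?"
    return conn.execute(sql, (zone_id,)).fetchall()


def is_valid_zone_id(raw):
    """Defence in depth: an ad-zone id should be a small positive integer.

    Rejecting anything else at the edge gives a cheap, loggable signal of a
    malformed or tampered request before the database is involved at all.
    """
    return raw.isdigit() and 0 < int(raw) < 10**9


def demo():
    """Run both lookups on a benign and a tampered parameter value."""
    conn = make_db()
    benign = "2"
    # Constructed input whose only purpose is to show that concatenation lets
    # a parameter alter the query; it is data in the parameterized version.
    tampered = "2 OR 1=1"
    return {
        "unsafe_benign": lookup_zone_unsafe(conn, benign),
        "unsafe_tampered": lookup_zone_unsafe(conn, tampered),
        "safe_benign": lookup_zone_safe(conn, benign),
        "safe_tampered": lookup_zone_safe(conn, tampered),
        "validation": (is_valid_zone_id(benign), is_valid_zone_id(tampered)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The unsafe lookup returns the single sidebar row for the benign value but every row in the table for the tampered one, because the text was spliced into the statement; the parameterized lookup returns the sidebar row for the benign value and nothing for the tampered one, since SQLite compares the whole string against the integer column and finds no match. The input check is not a substitute for parameterization, but it is the kind of cheap edge validation that also turns probing attempts into detectable log noise.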
Because the application is used to manage ads on third-party sites, those sites could also have been affected and made to serve malware instead of legitimate ads, the CEO noted. Known as malvertising, this was among the fastest-growing attack vectors in 2013, according to Symantec’s latest Internet Security Threat Report. When it succeeds, it lets attackers serve malicious ads on otherwise legitimate websites while bypassing any security mechanisms set up on the site, because the content is coming from a third party.
“As cybercriminals are increasingly targeting the ad servicing ecosystem with increased precision and distribution of malvertising, it underscores the need for all stakeholders to work to secure their servers and operations,” said Craig Spiezle, executive director and president of the Online Trust Alliance. “Malvertising is a significant risk to the industry, publishers and most importantly consumers who are being unknowingly compromised when visiting legitimate web sites.”
According to Kolochenko, there is no evidence that the vulnerability was exploited in an attack, but it is not possible to say for sure. High-Tech Bridge advises website administrators to update to the latest version of Open Ad Server, version 1.1.1, which contains the patch.