Orbit Open Ad Server Security Hole Closed

Researchers at security firm High-Tech Bridge uncovered a critical SQL injection vulnerability in a popular ad server.

The issue, which affects Orbit Open Ad Server version 1.1.0 and possibly previous versions, has been patched by OrbitScripts. Those users who have not applied it however are leaving themselves susceptible to a potentially serious vulnerability.

In a detailed advisory, High-Tech Bridge Security Research Lab revealed that the vulnerability could be exploited to perform SQL injection attacks, alter the SQL queries sent to the vulnerable application's database, and potentially gain control over the vulnerable website.

“This is definitely a high-risk vulnerability,” said Ilia Kolochenko, CEO of High-Tech Bridge.

“It’s a blind SQL injection so its exploitation will require some skills from a hacker,” he added. “But nothing really complicated for an experienced hacker.”

Proof of concept attacks against the vulnerability can be seen here

Because the application is used to manage ads on third-party sites, those sites could also have been affected and made to serve malware instead of legitimate ads, the CEO noted. Known as malvertising, this was among the fastest growing attack vectors in 2013, according to Symantec’s latest Internet Security Threat Report. When it is successful, it allows attackers to serve malicious ads on normally legitimate websites while bypassing any security mechanisms that are set up on the site because the content is coming from a third-party.

“As cybercriminals are increasingly targeting the ad servicing ecosystem with increased precision and distribution of malvertising, it underscores the need for all stakeholders to work to secure their servers and operations,” said Craig Spiezle, executive director and president of the Online Trust Alliance. “Malvertising is a significant risk to the industry, publishers and most importantly consumers who are being unknowingly compromised when visiting legitimate web sites.”

According to Kolochenko, there is no evidence that the vulnerability was exploited in attacks, but it is not possible to say for sure. High-Tech Bridge advises website administrators to update to the latest version of Open Ad Server, version 1.1.1, which contains the patch.
