OpenX fc.php MAX_type Parameter Traversal Local File Inclusion

This script is Copyright (C) 2009-2013 Tenable Network Security, Inc.


Synopsis :

The remote web server contains a PHP script that is susceptible to a
local file include attack.

Description :

The remote host is running OpenX (formerly Openads), an open source ad
serving application written in PHP.

The installed version of OpenX does not validate user-supplied input
to the 'MAX_type' parameter of the 'www/delivery/fc.php' script before
using it in a PHP 'include()' function. Regardless of PHP's
'register_globals' setting, an unauthenticated attacker can exploit
this issue to view arbitrary files or possibly to execute arbitrary
PHP code on the remote host, subject to the privileges of the web
server user id.

See also :

http://secunia.com/secunia_research/2009-4/
http://www.securityfocus.com/archive/1/500408/30/0/threaded
http://www.securityfocus.com/archive/1/500411/30/0/threaded
https://developer.openx.org/jira/browse/OX-4817
http://www.openx.org/docs/2.6/release-notes/openx-2.6.4
http://www.securityfocus.com/archive/1/500568/30/0/threaded

Solution :

Upgrade to OpenX version 2.6.4 / 2.4.10 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.2
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 35557 ()

Bugtraq ID: 33458

CVE ID: CVE-2009-0291