OpenX xajaxargs SQL injection vulnerability
Description
OpenX version 2.8.9 and potentially earlier versions contain a SQL injection vulnerability in the administrative interface. The vulnerability exists in the www/admin/updates-history.php file, where user-supplied input from the xajaxargs parameter is not properly sanitized before being used in SQL queries by functions such as queryAuditBackupTablesByUpgradeId() in lib/OA/Upgrade/DB_UpgradeAuditor.php. This allows unauthenticated attackers to inject arbitrary SQL commands into database queries when the xajax parameter is set to expandOSURow.
Remediation
Apply the following remediation steps immediately:
1. Upgrade OpenX: Update to version 2.8.10 or later, which addresses this vulnerability. Download the latest version from the official OpenX repository and follow the upgrade documentation.
2. Restrict Administrative Access: Until the upgrade is complete, limit access to the /www/admin/ directory to trusted IP addresses only using web server access controls.
3. Input Validation (if patching manually): If an immediate upgrade is not possible, use parameterized (prepared) queries so that user input is bound as a query parameter rather than concatenated into the SQL string. Ensure every value that reaches a database query is handled this way (or, at minimum, properly escaped):
// Use parameterized queries instead of string concatenation (mysqli shown;
// the same principle applies to PDO prepared statements)
$stmt = $db->prepare('SELECT * FROM table WHERE id = ?');
// 'i' binds the value as an integer, so quotes or comment markers in the
// input cannot alter the query structure
$stmt->bind_param('i', $sanitized_input);
$stmt->execute();
4. Monitor Logs: Review web server and database logs for suspicious activity, particularly requests to updates-history.php with unusual xajaxargs parameters.
5. Verify Integrity: After upgrading, verify database integrity and check for any unauthorized modifications or data exfiltration.
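A log check for step 4, as an added example that is not part of the advisory or of the OpenX code base: it parses constructed Apache-style access-log lines and flags expandOSURow requests to updates-history.php whose xajaxargs values do not look like a plain upgrade id. The sample lines, the combined-log layout, and the assumed id format (letters, digits, dots, dashes, underscores) are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2013:10:01:02 +0000] "GET /www/admin/updates-history.php?xajax=expandOSURow&xajaxargs[]=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2013:10:01:09 +0000] "GET /www/admin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2013:10:05:44 +0000] "GET /www/admin/updates-history.php?xajax=expandOSURow&xajaxargs[]=42%27%20OR%201%3D1--%20 HTTP/1.1" 200 9001 "-" "curl/7.29"
198.51.100.7 - - [12/Mar/2013:10:05:50 +0000] "POST /www/admin/updates-history.php HTTP/1.1" 200 300 "-" "curl/7.29"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: a legitimate expandOSURow call carries a single upgrade id made of
# letters, digits, dots, dashes or underscores. Anything else deserves review.
SAFE_ARG_RE = re.compile(r'^[A-Za-z0-9._-]+$')


def suspicious_xajax_requests(log_text):
    """Return one record per expandOSURow request whose xajaxargs values look malformed."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('/admin/updates-history.php'):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        if qs.get('xajax') != ['expandOSURow']:
            continue
        # xajax sends its arguments as an array; accept both spellings of the key.
        args = qs.get('xajaxargs[]', []) + qs.get('xajaxargs', [])
        bad = [a for a in args if not SAFE_ARG_RE.match(a)]
        if bad:
            hits.append({'ip': m.group('ip'), 'ts': m.group('ts'), 'args': bad})
    return hits
```

Access logs only show query strings, so arguments sent in a POST body (which xajax also does) will not appear here; pair this with the database query log or application-level logging for full coverage.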