[Owasp-board] Banner Ads

Matt Tesauro matt.tesauro at owasp.org
Fri Jul 16 03:08:13 UTC 2010


I'm not sure what version is installed on ads.owasp.org but looking at 
the OpenX site, it would appear the latest addresses known 
vulnerabilities.  The latest is 2.8.5.  However, that's so new the 
latest release notes are for 2.8.4:
http://www.openx.org/docs/2.8/release-notes/openx-2.8.4

http://www.openx.org/docs/2.8/release-notes/openx-2.8.5 => 404's

Download the latest here:
http://www.openx.org/en/ad-server/download

According to the latest reports on Secunia, if we run the latest, we're 
patched for all known vulnerabilities:
http://secunia.com/advisories/product/4585/

There's another vulnerability reported in the OSVDB:
http://osvdb.org/show/osvdb/64887

According to the posting on Bugtraq:
http://seclists.org/bugtraq/2010/Mar/118
there's an XSS in banner.swf using the parameter clickTAG.  If this is
the vulnerability you're referencing, then I didn't find explicit info 
that this was fixed in 2.8.5.

--
-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On 7/15/10 9:46 PM, Laurence Casey wrote:
> At the time, it was better to not allow banners to be clicked since a
> vulnerability was present. OpenX has released another update that may fix
> the issue. Can somebody please confirm that this has been fixed? I have
> enabled the links again for testing.
>
> Thanks
>
> --Larry
>
> -----Original Message-----
> From: owasp-board-bounces at lists.owasp.org
> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Tom Brennan -
> OWASP
> Sent: Thursday, July 15, 2010 8:00 PM
> To: Kate Hartmann
> Cc: OWASP Foundation Board List; alison at owasp.org; 'Laurence Casey'
> Subject: Re: [Owasp-board] Banner Ads
>
> This is terrible and egg on our face as an appsec org, the purpose of it is
> to run ads with links to content and drive advertising.
>
>
> ------Original Message------
> From: Kate Hartmann
> To: 'Tom Brennan'
> Cc: alison at owasp.org
> Cc: Jeff Jeff.Williams at Owasp.Org
> Cc: 'Laurence Casey'
> Subject: RE: Banner Ads
> Sent: Jul 15, 2010 7:52 PM
>
> There is a problem with Open X (the advertising program used to run the
> ads).  It has been this way for several months, and as far as I know there
> are not any pending fixes or upgrades.
>
> Kate Hartmann
> OWASP Operations Director
> 9175 Guilford Road
> Suite 300
> Columbia, MD  21046
>
> 301-275-9403
> kate.hartmann at owasp.org
> Skype:  kate.hartmann1
>
>
> -----Original Message-----
> From: Tom Brennan [mailto:tomb at owasp.org]
> Sent: Thursday, July 15, 2010 3:50 PM
> To: Kate Hartmann
> Cc: alison at owasp.org
> Subject: Banner Ads
>
> How come the banner ads do not link to the website that they are promoting?
>
>
>
> Semper Fi,
>
> Tom Brennan
> OWASP Foundation Inc.
> Tel: (973)506-9303
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
