[Owasp-board] Banner Ads

Laurence Casey larry.casey at owasp.org
Mon Jul 19 20:48:11 UTC 2010


Tom,

The ad software still has the bug and will require some assistance from the
PHP community to fix it. I think links should be disabled until fixed. The
problem is simple, but would require a significant change in the
architecture to fix.

Here is the problem. The software requires the destination address to be
embedded in the URL. Link below.
http://ads.owasp.org/www/delivery/ck.php?oaparams=2__bannerid=42__zoneid=2__cb=955717f46f__oadest=http%3A%2F%2Fddifrontline.com

We need a PHP developer to take a look-see.

Thanks

--Larry
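The click-tracking URL Larry quotes carries its destination in the `oadest` field, so whatever is placed there is where the visitor is sent. The following is an added example in Python, not OpenX code or anything from this thread: it parses that `oaparams` layout (inferred from the one URL above, so the field format is an assumption) and refuses a redirect unless the requested destination matches the site registered for that banner in a constructed registry.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: the click-tracking URL quoted in the thread.
SAMPLE_URL = ("http://ads.owasp.org/www/delivery/ck.php?oaparams=2__bannerid=42"
              "__zoneid=2__cb=955717f46f__oadest=http%3A%2F%2Fddifrontline.com")

# Hypothetical banner registry (constructed): the landing page the advertiser
# registered with each banner, keyed by bannerid. The ad server already knows
# this when it serves the banner; the mitigation is to consult it on the click.
BANNER_DESTINATIONS = {
    "42": "http://ddifrontline.com",
}

def parse_oaparams(url):
    """Split the oaparams value of a ck.php URL into a dict of fields.

    Layout inferred from the URL in the thread (an assumption, not OpenX's own
    parser): fields joined by '__', the first a bare action code, the rest
    key=value with a URL-encoded value. The raw query is split before decoding
    and each value is decoded exactly once, so an encoded '__' inside a
    destination cannot be mistaken for a field separator."""
    raw = ""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "oaparams":
            raw = value
    fields = raw.split("__")
    params = {"action": fields[0]}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if sep:
            params[key] = unquote(value)
    return params

def same_site(a, b):
    """True if both URLs are http(s) and share scheme and host."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme.lower() in ("http", "https")
            and (pa.scheme.lower(), pa.hostname) == (pb.scheme.lower(), pb.hostname))

def resolve_click(url, registry=BANNER_DESTINATIONS):
    """Return the redirect target for a click, or None if it must be refused.

    The destination named in the request is honoured only when it points at
    the site registered for that banner; anything else is treated as a
    tampered link and not followed."""
    params = parse_oaparams(url)
    registered = registry.get(params.get("bannerid"))
    requested = params.get("oadest")
    if registered is None or requested is None:
        return None
    return requested if same_site(requested, registered) else None
```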


-----Original Message-----
From: Laurence Casey [mailto:larry.casey at aspectsecurity.com] 
Sent: Friday, July 16, 2010 8:34 AM
To: Matt Tesauro; Laurence Casey
Cc: tomb at owasp.org; Kate Hartmann; OWASP Foundation Board List;
alison at owasp.org
Subject: RE: [Owasp-board] Banner Ads

Matt,

Thanks for the info. I installed the latest and greatest last night. We are
using 2.8.5.

--Larry

-----Original Message-----
From: Matt Tesauro [mailto:matt.tesauro at owasp.org]
Sent: Thursday, July 15, 2010 11:08 PM
To: Laurence Casey
Cc: tomb at owasp.org; Kate Hartmann; 'OWASP Foundation Board List';
alison at owasp.org; Laurence Casey
Subject: Re: [Owasp-board] Banner Ads

I'm not sure what version is installed on ads.owasp.org but looking at the
OpenX site, it would appear the latest addresses known vulnerabilities.  The
latest is 2.8.5.  However, that's so new the latest release notes are for
2.8.4:
http://www.openx.org/docs/2.8/release-notes/openx-2.8.4

http://www.openx.org/docs/2.8/release-notes/openx-2.8.5 => 404's

Download the latest here:
http://www.openx.org/en/ad-server/download

According to the latest reports on Secunia, if we run the latest, we're
patched for all known vulnerabilities:
http://secunia.com/advisories/product/4585/

There's another vulnerability reported in the OSVDB:
http://osvdb.org/show/osvdb/64887

According to the posting on Bugtraq:
http://seclists.org/bugtraq/2010/Mar/118
there's an XSS in banner.swf using the parameter clickTAG.  If this is the
vulnerability you're referencing, then I didn't find explicit info that this
was fixed in 2.8.5.

--
-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On 7/15/10 9:46 PM, Laurence Casey wrote:
> At the time, it was better to not allow banners to be clicked since a 
> vulnerability was present. OpenX has released another update that may 
> fix the issue. Can somebody please confirm that this has been 
> fixed? I have enabled the links again for testing.
>
> Thanks
>
> --Larry
>
> -----Original Message-----
> From: owasp-board-bounces at lists.owasp.org [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Tom Brennan - OWASP
> Sent: Thursday, July 15, 2010 8:00 PM
> To: Kate Hartmann
> Cc: OWASP Foundation Board List; alison at owasp.org; 'Laurence Casey'
> Subject: Re: [Owasp-board] Banner Ads
>
> This is terrible and egg on our face as an appsec org; the purpose of 
> it is to run ads with links to content and drive advertising.
>
>
> ------Original Message------
> From: Kate Hartmann
> To: 'Tom Brennan'
> Cc: alison at owasp.org
> Cc: Jeff Jeff.Williams at Owasp.Org
> Cc: 'Laurence Casey'
> Subject: RE: Banner Ads
> Sent: Jul 15, 2010 7:52 PM
>
> There is a problem with OpenX (the advertising program used to run 
> the ads).  It has been this way for several months, and as far as I 
> know there are not any pending fixes or upgrades.
>
> Kate Hartmann
> OWASP Operations Director
> 9175 Guilford Road
> Suite 300
> Columbia, MD  21046
>
> 301-275-9403
> kate.hartmann at owasp.org
> Skype:  kate.hartmann1
>
>
> -----Original Message-----
> From: Tom Brennan [mailto:tomb at owasp.org]
> Sent: Thursday, July 15, 2010 3:50 PM
> To: Kate Hartmann
> Cc: alison at owasp.org
> Subject: Banner Ads
>
> How come the banner ads do not link to the website that they are promoting?
>
>
>
> Semper Fi,
>
> Tom Brennan
> OWASP Foundation Inc.
> Tel: (973)506-9303
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
