Popular ad server patches SQL injection flaw impacting platform

Share this article:
Popular ad server patches SQL injection flaw impacting platform
Orbit Open Ad Server was vulnerable to SQL injection attacks.

A popular ad serving and management platform, Orbit Open Ad Server, was impacted by a SQL injection vulnerability, which left website visitors' vulnerable to data theft.

Swiss penetration testing firm High-Tech Bridge notified OrbitScripts, the vendor for the ad platform, last month, and the issue was quickly addressed on March 21, High-Tech Bridge revealed in a security advisory. But, the security concern served as a cautionary tale of how attackers can cleverly use malvertising to go after large numbers of online users.

On Wednesday, Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazine.com that, despite companies taking all the right steps to secure their websites, malvertising – which targets site visitors via poisoned third-party ads – can best enterprises.

SQL injection attacks could allow a saboteur to inject malicious code into applications, such as databases or other data entry fields, to leave financial or other sensitive information inputted on websites subject to theft.

In the case of Orbit Open Ad Server, the “damage could be really huge,” Kolochenko explained, as the SQL injection flaw could be leveraged to bypass platform users themselves, and go after the bigger bounty – online visitors of thousands of websites utilizing the open source ad server.

The software can be used to manage ads placed on various websites, including those operated via popular blogging platforms, like WordPress, Drupal and Joomla.

“You can make sure that the site is up-to-date, but as soon as you start hosting ads and put their content online, you cannot really control what they serve,” Kolochenko said. “Hackers can easily host spyware or malware, instead of legitimate [advertising] content, on your site.”

On Wednesday, a representative for OrbitScripts confirmed with SCMagazine.com via email that the SQL injection issue had been patched as of March 21.

Last fall, High-Tech Bridge also uncovered serious, but common, website vulnerabilities (XSS flaws) that impacted the security of Yahoo domains and NASDAQ's website.

Share this article:

Sign up to our newsletters

More in News

New backdoor 'Baccamun' spreads through ActiveX exploit

Symantec researchers revealed that the backdoor is dropped after attackers exploit a Windows ActiveX vulnerability.

Outdated browsers put U.K. users at risk of malware

A blog post on Check and Secure website said 70 percent of U.K. users haven't fully updated their internet browsers

Survey: 53 percent change privileged logins quarterly

A Lieberman Software survey highlights the issue or poor password management, even among security pros.