Popular ad server patches SQL injection flaw impacting platform

Orbit Open Ad Server was vulnerable to SQL injection attacks.

A popular ad serving and management platform, Orbit Open Ad Server, was impacted by a SQL injection vulnerability, which left website visitors vulnerable to data theft.

Swiss penetration testing firm High-Tech Bridge notified OrbitScripts, the vendor for the ad platform, last month, and the issue was quickly addressed on March 21, High-Tech Bridge revealed in a security advisory. But the security concern served as a cautionary tale of how attackers can cleverly use malvertising to go after large numbers of online users.

On Wednesday, Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazine.com that, despite companies taking all the right steps to secure their websites, malvertising – which targets site visitors via poisoned third-party ads – can best enterprises.

SQL injection attacks allow a saboteur to supply input, through a form field or other data entry point, that the application passes into a database query as part of the SQL itself, which can leave financial or other sensitive information entered on websites subject to theft.
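To make the mechanism concrete, here is an added example that is not code from the article, from Orbit Open Ad Server or from High-Tech Bridge. It uses a constructed in-memory SQLite table of ad placements (the schema and rows are assumptions for illustration only) and contrasts the vulnerable pattern, where untrusted input is spliced into the SQL text, with the hardened pattern, a parameterized query. A zone name containing a single quote is enough to show the difference: in the vulnerable version the quote becomes part of the statement's structure, while the parameterized version treats it as plain data.

```python
import sqlite3

# Constructed sample data standing in for an ad server's placement table.
# The table name, columns and rows are assumptions for this example only.
SAMPLE_ADS = [
    ("header", "<a href='https://example.invalid/a'>Ad A</a>"),
    ("sidebar", "<a href='https://example.invalid/b'>Ad B</a>"),
    ("O'Reilly", "<a href='https://example.invalid/c'>Ad C</a>"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ads (id INTEGER PRIMARY KEY, zone TEXT, html TEXT)")
    conn.executemany("INSERT INTO ads (zone, html) VALUES (?, ?)", SAMPLE_ADS)
    return conn


def ads_for_zone_vulnerable(conn, zone):
    """Vulnerable pattern: the untrusted zone value is concatenated into the
    SQL string, so whatever the caller supplies is parsed as SQL syntax."""
    sql = "SELECT html FROM ads WHERE zone = '" + zone + "'"
    return [row[0] for row in conn.execute(sql)]


def ads_for_zone_safe(conn, zone):
    """Hardened pattern: a parameterized query. The value travels separately
    from the statement text, so it can only ever be compared as data."""
    rows = conn.execute("SELECT html FROM ads WHERE zone = ?", (zone,))
    return [row[0] for row in rows]


def demonstrate():
    """Run both lookups against the same data and report what each returns."""
    conn = make_db()
    results = {
        "safe_plain": ads_for_zone_safe(conn, "header"),
        "vuln_plain": ads_for_zone_vulnerable(conn, "header"),
        # A legitimate zone name that happens to contain a quote character.
        "safe_quote": ads_for_zone_safe(conn, "O'Reilly"),
    }
    try:
        results["vuln_quote"] = ads_for_zone_vulnerable(conn, "O'Reilly")
    except sqlite3.OperationalError as exc:
        # The quote terminated the string literal early and the rest of the
        # input was interpreted as SQL: the input changed the query structure.
        results["vuln_quote"] = "syntax error: " + str(exc)
    return results


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(name, "->", value)
```

The fix that matters is the one in `ads_for_zone_safe`: every value that originates outside the application (query parameters, form fields, cookies, ad-tag parameters) goes through a bound parameter rather than string concatenation. Escaping quotes by hand is a weaker substitute, because it has to be repeated correctly at every query site, whereas a parameterized query cannot be turned into a different statement regardless of the input.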

In the case of Orbit Open Ad Server, the “damage could be really huge,” Kolochenko explained, as the SQL injection flaw could be leveraged to bypass platform users themselves, and go after the bigger bounty – online visitors of thousands of websites utilizing the open source ad server.

The software can be used to manage ads placed on various websites, including those operated via popular blogging platforms, like WordPress, Drupal and Joomla.

“You can make sure that the site is up-to-date, but as soon as you start hosting ads and put their content online, you cannot really control what they serve,” Kolochenko said. “Hackers can easily host spyware or malware, instead of legitimate [advertising] content, on your site.”

On Wednesday, a representative for OrbitScripts confirmed with SCMagazine.com via email that the SQL injection issue had been patched as of March 21.

Last fall, High-Tech Bridge also uncovered serious, but common, website vulnerabilities (XSS flaws) that impacted the security of Yahoo domains and NASDAQ's website.
