Popular ad server patches SQL injection flaw impacting platform

Orbit Open Ad Server was vulnerable to SQL injection attacks.

A popular ad serving and management platform, Orbit Open Ad Server, was impacted by a SQL injection vulnerability, which left website visitors vulnerable to data theft.

Swiss penetration testing firm High-Tech Bridge notified OrbitScripts, the vendor for the ad platform, last month, and the issue was quickly addressed on March 21, High-Tech Bridge revealed in a security advisory. But, the security concern served as a cautionary tale of how attackers can cleverly use malvertising to go after large numbers of online users.

On Wednesday, Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazine.com that, despite companies taking all the right steps to secure their websites, malvertising – which targets site visitors via poisoned third-party ads – can best enterprises.

SQL injection attacks allow a saboteur to supply specially crafted input, through data entry fields or other request parameters, that an application incorporates unchecked into the queries it sends to its database. The injected input is then executed as part of the query, which can expose financial or other sensitive information entered on websites to theft.
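The article does not describe where in Orbit Open Ad Server the flaw sat, so the following is an added, generic illustration (not the project's code) of the pattern behind any SQL injection bug: the same ad lookup written once by concatenating an untrusted `zone` parameter into the query text, and once with the value bound as a parameter. The table, rows and the `zone` parameter are constructed for the example and are not Orbit's schema.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database.

    The `ads` table and its rows are constructed sample data for this example,
    not the schema of Orbit Open Ad Server.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ads (id INTEGER PRIMARY KEY, zone TEXT, html TEXT, advertiser_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO ads (zone, html, advertiser_email) VALUES (?, ?, ?)",
        [
            ("sidebar", "<a href='https://example.test/a'>Ad A</a>", "a@example.test"),
            ("header", "<a href='https://example.test/b'>Ad B</a>", "b@example.test"),
        ],
    )
    return conn


def ads_for_zone_vulnerable(conn, zone):
    """Vulnerable pattern: the untrusted value becomes part of the SQL text.

    Whatever the caller puts in `zone` is parsed by the database as SQL syntax,
    so a quote character in the input changes the structure of the query.
    """
    query = "SELECT id, zone, html FROM ads WHERE zone = '" + zone + "'"
    return conn.execute(query).fetchall()


def ads_for_zone_safe(conn, zone):
    """Hardened pattern: the value is bound as a parameter.

    The query text is fixed; the driver passes `zone` to the database as data,
    so it can only ever be compared against the column, never parsed as SQL.
    """
    return conn.execute(
        "SELECT id, zone, html FROM ads WHERE zone = ?", (zone,)
    ).fetchall()


def demo():
    """Run both lookups against a normal value and a crafted one; return row counts."""
    conn = make_db()
    normal = "sidebar"
    # Constructed input: closes the string literal and appends an always-true condition.
    crafted = "x' OR '1'='1"
    return {
        "vuln_normal": len(ads_for_zone_vulnerable(conn, normal)),
        "vuln_crafted": len(ads_for_zone_vulnerable(conn, crafted)),
        "safe_normal": len(ads_for_zone_safe(conn, normal)),
        "safe_crafted": len(ads_for_zone_safe(conn, crafted)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

With the concatenating version, the crafted value turns the `WHERE` clause into `zone = 'x' OR '1'='1'` and every row comes back, which is the mechanism by which a flaw in an ad server can expose records belonging to other sites or advertisers. The parameterised version returns nothing for the same input because the quote is just a character in the compared string. The fix is the same in any language or database driver: keep query text constant and pass user-supplied values as bound parameters.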

In the case of Orbit Open Ad Server, the “damage could be really huge,” Kolochenko explained, as the SQL injection flaw could be leveraged to bypass platform users themselves, and go after the bigger bounty – online visitors of thousands of websites utilizing the open source ad server.

The software can be used to manage ads placed on various websites, including those operated via popular blogging platforms, like WordPress, Drupal and Joomla.

“You can make sure that the site is up-to-date, but as soon as you start hosting ads and put their content online, you cannot really control what they serve,” Kolochenko said. “Hackers can easily host spyware or malware, instead of legitimate [advertising] content, on your site.”

On Wednesday, a representative for OrbitScripts confirmed with SCMagazine.com via email that the SQL injection issue had been patched as of March 21.

Last fall, High-Tech Bridge also uncovered serious, but common, website vulnerabilities (XSS flaws) that impacted the security of Yahoo domains and NASDAQ's website.
