30 comments

[ 11.3 ms ] story [ 103 ms ] thread
This is particularly bad news when you couple it with the Flash vulnerability that's gonna be open for a few weeks.

You exploit a couple big OpenX installs, put some Flash ads in there and infect a whole lot of users.

On a sidenote, are there any less complex, preferably open-source, alternatives to OpenX?

As far as I know, there really isn't much out there when it comes to open-source. There is OASIS (http://oasis.sourceforge.net/), but I don't think it is in active development.

Personally, I'll be moving a couple of openx installs to Google DFP (http://www.google.com/dfp/info/sb/index.html) in the next few days. I've heard some good things about AdButler (http://www.adbutler.com/) but I have yet to use it myself.

Never heard of Google DFP. I wonder if the data lag is similair to Adwords.

The nice thing about OpenX was installing it on your own hardware.

Thanks for the links.

We use DFP at VBM after switching from a hosted OpenX install. DFP suffers from the lag, but in my experience, OpenX also exhibited lag (though not to the same level.) It takes roughly 30 minutes to traffic ads, which is enough time to be a pain in the rear... especially if you mess up the ad code.
Really bad, specially considering that openx.org has been offline for a while and we are seeing many attacks in the wild.
OpenX is being DDOS'ed, that's why the site is down.
Has OpenX been suffering from security vulnerabilities for awhile now?
Yes, it seems that over the past 6-12 months it has been one security vulnerability after another with OpenX -- which is why I switched to Google DFP 2 weeks ago.
Even if i had a limited experience with it this doesn't surprise me, i still don't understand how big site can use or have used (list on openx site) this script to manage their own ad network.

Lots of issues with the db and with the upgrade procedure, sometimes has weird issues hard to identify and solve(i.e. things that stop working without any apparent reason)... Maybe i'm too critic, but i felt it was just another crappy php app.

Notwithstanding that the code is a maze to find your way through.
It's amazing to me that OpenX is trying to be looked at as a 'leader' in this space and they even do hosted ads, but they can't keep their servers up for a security patch release.
See my comment above - OpenX is being DDOS'ed. The upgrade didn't bring it down, though it's likely that the DDOS is intended to keep people from upgrading.
What would be needed to create a secure equivelent of OpenX in terms of architecture and performance?

Is it more than a glorified image/snippet server and counter?

It's slightly more complicated than that, and you'd probably have to work in advertising to understand why.

Ad zones, campaign weighting, frequency caps, companion positioning, exclusive campaigns, delivery limitations (language, user-agent, geographic targeting, time of day, section), probability calculation, detailed statistics, and the ability to give a client a login to view their own stats. These are just a few of the features.

If all you need is a glorified image/snippet server and counter, you could probably just write one.

I feel you bro. It is definitely complicated. I've got a few gray strands to prove it whilst developing Trafficspaces (a SaaS ad manager).

It started as a hobby but once I got into it, I got sucked in by the challenge of simplifying all that complexity.

For most people, the adserver is just the UI. The complex calculations, ad targeting, and scalability issues are just abstracted away into the abyss. Then there are those heidenbugs that occur at a frequency of 1 in a billion transactions, which can consume your entire weekend! Grrrh!

I kinda feel sorry for OpenX though. Their codebase is probably unmanagable by now. I'm sure their devs wish they could just throw it all away and start afresh.

Their main site is down. Anyone want to enlighten the rest of us about what OpenX is? Something about ads, it seems; can anyone be more specific?
It's an open source ad server.
Fair enough; in that case, why would I use it instead of (say) nginx? Is it an optimization thing or a logging thing?
It is a complete web application to manage ads, something like Wordpress for ads.
Slight misunderstanding. It's a PHP webapp that is an ad server. Not a web server. Having seen the codebase... it's evil.
It's an adserver. Pretty simple.
I got bitten by this too, and when I discovered why I was livid.

https://svn.openx.org/openx/tags/2.8/openx-2.8.6/plugins_rep...

This third party plugin is automatically installed and enabled by the installer. No admin authentication, wide open access to upload and run PHP.

More details can be found at http://www.kreativrauschen.com/blog/2010/09/09/critical-vuln... and if www/admin/plugins/videoReport/lib/tmp-upload-images/ exists, it's likely your server has been compromised.

What version did this vulnerability first appear? I have some older installs that don't have an admin/plugins folder.
Dude, if u need a decent ad server as an alternative to OpenX, I'll suggest. Trafficspaces.

I designed it and it's one of my proudest pieces of work (if I may say so myself) :)

Warning: its a premium service

http://www.trafficspaces.com/tour/

Looks neat but $99/month for 1M impressions ain't much. Overpriced IMHO.

Assuming $1 CPM, a site will be making $1000 off of that. Your taking a 10% cut.

$100 should get you 50,000,000 impressions, at minimum.

Think about it this way, if you can segment your traffic into valuable niches (e.g females, 18-30 in NYC, who are searching for shoes), you can sell your traffic at a far higher CPM.

That's where Trafficspaces excels - ad targeting.

All impressions aren't equal so you shouldn't treat them as such. The key is being able to unlock the value.