13 comments

[ 2.9 ms ] story [ 37.3 ms ] thread
the openx team has unfortunately a long history for not really caring about bugs in their opensource offering.

a few years ago, i had to maintain an openx installation and found quite a few critical bugs, for which i submitted patches to their then-active jira bugtracking. as far as i know, the bugs are still in the "current" 2.8.10 release.

the opensource version was unofficially abandoned when the Enterprise editions where announced - without really telling the users that they would not maintain it anymore.

i'm not at all surprised about the new problems and their lack of communication.

I had a similar experience, briefly maintaining an OpenX install until one day we had a security issue. Turns out that nobody had been applying software updates and that software has lots of problems with it. I spent a week getting it up-to-date to be sure I had everything cleaned out from the hack.

At the end of the week I decided that the client wasn't allowed to run OpenX anymore and we found a different solution that worked within their CMS. Less bells and whistles, less problems.

If you were using OpenX at one time and never removed it from your webserver, you can consider yourself compromised. Get that shit removed.
+1. Most of the compromises we find is due to old/test/never used/demo/debug tools that were once installed and forgotten.
Right. It's amazing how many companies have public-facing openx installs that are no longer used or updated. Makes for an extremely easy target.
I suspect this goes back longer than 7 months ago. I saw a customer site using openx with constant unusually high CPU usage over 1 year ago. It was also running a custom drupal and I didn't get a chance for a close look but I suspect the openx was compromised, as even with low visitor nos to drupal and caching it was using high CPU constantly. Thank goodness the server has now been replaced and the data migrated to another system... In the logs for months after replacing the site I saw odd requests for long openx urls, so it was probably serving up files for someone, and google had over 100,000 urls indexed...
I understand the concerns brought up in this thread as I experienced some of them myself in the past; but what good open source/free software can you recommend to replace OpenX?
How does PHP code inside a JS file get executed? Sounds to me like that's not the only problem in the code...
The .js file is actually included in one of their templates (using include()). So the <?php code is executed at that point.
Why isn't the Javascript code in a PHP comment? That is the usual way of "embedding" stringly-typed languages.
I'm not surprise at all.

Their products are a bit shotty and so is their website. I can go on and point out even more problems with their websites... but that would be consulting.

I applied there and got shot down, it seems like they only hired people from prestige university (caltech, stanford, etc..). This view is also backed by a few reviews on indeed. They're very smart and create some very very unique stuff (rolled their own db on top of riak, live auctions, erlang), unfortunately all those awesome algorithms doesn't help their shotty products.