Revive Adserver, formerly known as OpenX Source, patched two vulnerabilities, one of which may have been used to distribute malware to third-party websites.
The open-source server used by publishers, advertisers, ad agencies and ad networks to run and manage online ad campaigns is urging all of its users to update to the new 4.2.0 version of its software.
One of the vulnerabilities is a deserialization of untrusted data” flaw while the other is an “Open Redirect” vulnerability, according to the security release .
The first flaw could be used to exploit serialize-related PHP vulnerabilities or PHP object injection as well as to carry out other attacks while the Open Redirect flaw could allow a remote attacker to trick a logged in user to open a specially crafted like that will ultimately redirect them to another destination.
“It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third-party websites,” the security release said referring to the “Deserialization of Untrusted Data” flaw.
If updating to the most recent version isn’t possible, researchers recommend users delete the adxmlrpc.php, www/delivery/axmlrpc.php and www/delivery/dxmlrpc.php files.