CVE-2009-4098
published 2009-11-29


Priority: P3 · 51 · medium · 6 (CVSS 2.0)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 18.68% (96.9th percentile)
Unrestricted file upload vulnerability in banner-edit.php in OpenX adserver 2.8.1 and earlier allows remote authenticated users with banner / file upload permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an images directory.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
openx | openx | <= 2.8.1 |
openx | openx | |
openx | openx | |
openx | openx | |
openx | openx | |

Detection & IOCs (extracted from sources)

path: admin/banner-edit.php
path: images/
cookie: sessionID=<cookie>; PHPSESSID=<cookie>
filename: *.php (uploaded via banner-edit.php into images/)
bytes: GIF89a\x01\x00\x01\x00
bytes: \xff\xd8\xff\xff
  • Detect multipart/form-data POST requests to admin/banner-edit.php containing a file upload with a .php extension — this is the core exploit delivery mechanism.
  • Alert on HTTP GET requests to the OpenX images/ directory for files matching the pattern [0-9a-f]+\.php, which indicates payload execution after upload.
  • Monitor for files matching /www/images/[0-9a-f]+\.php on the filesystem — these are the uploaded PHP webshells placed by the exploit.
  • Detect POST to admin/banner-edit.php with Content-Type: multipart/form-data where the uploaded filename ends in .php but file content begins with a GIF89a, PNG, or JPEG magic byte header — polyglot file technique used to bypass getimagesize() check.
  • Exploitation requires the attacker to be authenticated with banner/file upload permissions — unauthenticated exploitation is not possible.
  • The uploaded PHP file must pass PHP's getimagesize() check by prepending valid GIF, PNG, or JPEG magic bytes — pure PHP files without image headers will be rejected by the application.
  • Vulnerability affects OpenX versions prior to 2.8.2; version 2.8.2 and later are not vulnerable.
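
The request-level checks in the list above, as an added example (not code from this entry's sources or from OpenX): a Python function that flags .php uploads posted to admin/banner-edit.php, marks those whose content starts with image magic bytes, and flags GET requests for hex-named .php files under images/. The `check_request` interface, the finding labels, and the sample boundary, field name and file names are assumptions constructed for illustration.

```python
import re

# Image signatures that satisfy a header-only check such as getimagesize().
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}
PAYLOAD_GET = re.compile(r"/images/[0-9a-f]+\.php$")


def upload_parts(content_type, body):
    """Yield (filename, content) for each file part of a multipart body."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return
    for part in body.split(b"--" + m.group(1).encode())[1:]:
        head, sep, data = part.partition(b"\r\n\r\n")
        name = re.search(rb'filename="([^"]*)"', head)
        if sep and name:
            yield name.group(1).decode("latin-1"), data


def check_request(method, path, content_type="", body=b""):
    """Return findings for one HTTP request (empty list means no match)."""
    findings = []
    url_path = path.split("?", 1)[0]
    is_form = content_type.lower().startswith("multipart/form-data")
    if method == "POST" and url_path.endswith("admin/banner-edit.php") and is_form:
        for filename, data in upload_parts(content_type, body):
            if not filename.lower().endswith(".php"):
                continue
            kind = next((k for k, sigs in IMAGE_MAGIC.items()
                         if data.startswith(sigs)), None)
            findings.append(f"php-upload:{filename}"
                            + (f":polyglot-{kind}" if kind else ""))
    elif method == "GET" and PAYLOAD_GET.search(url_path):
        findings.append(f"php-request-in-images:{url_path}")
    return findings


# Constructed sample input: boundary, field name and file names are made up.
CT = "multipart/form-data; boundary=----constructed"

def sample_body(filename, content):
    return (b'------constructed\r\nContent-Disposition: form-data; name="upload"; '
            b'filename="' + filename + b'"\r\nContent-Type: image/gif\r\n\r\n'
            + content + b"\r\n------constructed--\r\n")
```

A finding with a `polyglot-` suffix corresponds to the fourth detection bullet; a bare `php-upload` finding corresponds to the first.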

CVSS provenance

nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P
vendor_redhat | 4.6 | MEDIUM