CVE-2009-4098
Published 2009-11-29
Priority: P3 · 51 · medium
CVSS 2.0: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Exploit: available
EPSS: 18.68% (96.9th percentile)
Unrestricted file upload vulnerability in banner-edit.php in OpenX adserver 2.8.1 and earlier allows remote authenticated users with banner / file upload permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an images directory.
Affected
5 ranges (only one of them carries version data in the source)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openx | openx | <= 2.8.1 | — |
Detection & IOCs (extracted from sources)
- bytes: GIF89a\x01\x00\x01\x00
- bytes: \xff\xd8\xff\xff
Detections:
- Detect multipart/form-data POST requests to admin/banner-edit.php containing a file upload with a .php extension; this is the core exploit delivery mechanism.
- Alert on HTTP GET requests to the OpenX images/ directory for files matching the pattern [0-9a-f]+\.php, which indicates payload execution after upload.
- Monitor for files matching /www/images/[0-9a-f]+.php on the filesystem; these are the uploaded PHP webshells placed by the exploit.
- Detect POST to admin/banner-edit.php with Content-Type: multipart/form-data where the uploaded filename ends in .php but the file content begins with a GIF89a, PNG, or JPEG magic-byte header; this polyglot file technique is used to bypass the getimagesize() check.

Context:
- Exploitation requires the attacker to be authenticated with banner/file upload permissions; unauthenticated exploitation is not possible.
- The uploaded PHP file must pass PHP's getimagesize() check by prepending valid GIF, PNG, or JPEG magic bytes; pure PHP files without image headers will be rejected by the application.
- Vulnerability affects OpenX versions prior to 2.8.2; version 2.8.2 and later are not vulnerable.
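The detection items above translate directly into code. The following is an added example (not part of this record, and not OpenX or Metasploit code) showing the three checks a defender would implement: classifying an upload to banner-edit.php by extension and magic bytes (flagging the image/PHP polyglot case separately from a bare script), scanning access-log lines for GETs of images/<hex>.php, and walking an images/ directory for files named that way. The GIF89a and JPEG prefixes come from the IOC list; the GIF87a and PNG signatures, the Common Log Format regex, the `UploadEvent` structure and the extra `.php3`/`.php5`/`.phtml` extensions are assumptions that go beyond the page, and the log lines are constructed samples.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Magic bytes a getimagesize()-style check accepts for the three types the
# advisory names. GIF89a and the JPEG prefix come from the page's IOC list;
# GIF87a and the PNG signature are added from the format specifications.
IMAGE_MAGIC = {
    "gif": (b"GIF89a", b"GIF87a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# The advisory only mentions ".php"; the other extensions are an assumed
# widening to what a typical mod_php configuration also executes.
EXECUTABLE_EXT = re.compile(r"\.(php|php[3457]|phtml)$", re.IGNORECASE)

# Name pattern of the files written under images/ (from the page's IOCs).
SHELL_NAME = re.compile(r"^[0-9a-f]+\.php$")

UPLOAD_ENDPOINT = "admin/banner-edit.php"


@dataclass
class UploadEvent:
    """One multipart file upload as a WAF or upload hook would see it (assumed shape)."""
    path: str        # request path of the POST
    filename: str    # filename from the part's Content-Disposition header
    head: bytes      # first bytes of the uploaded file body


def image_type(head: bytes) -> Optional[str]:
    """Return the image type a magic-byte check would report, or None."""
    for kind, magics in IMAGE_MAGIC.items():
        if any(head.startswith(m) for m in magics):
            return kind
    return None


def classify_upload(ev: UploadEvent) -> Optional[str]:
    """Flag uploads to banner-edit.php that carry an executable extension.

    Returns "polyglot-upload:<type>" when the body also starts with an image
    signature (the bypass the advisory describes), "executable-upload" for a
    bare script, or None when nothing is suspicious.
    """
    if not ev.path.endswith(UPLOAD_ENDPOINT):
        return None
    if not EXECUTABLE_EXT.search(ev.filename):
        return None
    kind = image_type(ev.head)
    return f"polyglot-upload:{kind}" if kind else "executable-upload"


# Common Log Format: client ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_shell_requests(log_lines) -> List[Tuple[str, str, str]]:
    """Return (ip, path, status) for GETs of images/<hex>.php, i.e. post-upload execution."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        clean_path = m["path"].split("?", 1)[0]
        parent, name = clean_path.rsplit("/", 1) if "/" in clean_path else ("", clean_path)
        if m["method"] == "GET" and parent.endswith("/images") and SHELL_NAME.match(name):
            hits.append((m["ip"], m["path"], m["status"]))
    return hits


def scan_images_dir(root: str) -> List[str]:
    """Walk an OpenX images/ directory and list files named like uploaded shells."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if SHELL_NAME.match(name):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Nov/2009:10:00:01 +0000] "POST /openx/www/admin/banner-edit.php HTTP/1.1" 302 0',
    '10.0.0.5 - - [29/Nov/2009:10:00:02 +0000] "GET /openx/www/images/3fa9c0d1e2b4.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Nov/2009:10:00:03 +0000] "GET /openx/www/images/banner_468x60.gif HTTP/1.1" 200 1044',
]

if __name__ == "__main__":
    polyglot = UploadEvent("/openx/www/admin/banner-edit.php", "creative.php",
                           b"GIF89a\x01\x00\x01\x00<?php /* constructed */ ?>")
    print(classify_upload(polyglot))          # polyglot-upload:gif
    for hit in find_shell_requests(SAMPLE_LOG):
        print("shell request:", hit)
```

The polyglot classification is the important one: a rule that only checks extensions fires on both cases, while the magic-byte check separates the bypass the advisory describes from a plain upload that the application would already reject. The log and filesystem checks are the after-the-fact signals for an environment where the upload itself was not inspected.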
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| vendor_redhat | — | 4.6 | MEDIUM | — |
GHSA
GHSA-r6hf-896r-x274: Unrestricted file upload vulnerability in banner-edit
ghsa_unreviewed · 2022-05-02 · CVE-2009-4098 [MEDIUM] · CWE-20
Description as in the CVE summary above.
Red Hat
mysql: Incomplete fix for CVE-2008-2079 / CVE-2008-4098
vendor_redhat · 2009-11-04 · CVSS 4.6 · CVE-2009-4030 [MEDIUM]
MySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079.

Red Hat
mysql: incomplete upstream fix for CVE-2008-2079
vendor_redhat · 2008-07-03 · CVSS 4.6 · CVE-2008-4098 [MEDIUM]
MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.
Statement: In Red Hat Enterprise Linux 5, issue CVE-2008-2079 was fixed without introducing CVE-2008-4098 in RHSA-2009:1289.

Both Red Hat entries describe the MySQL issues CVE-2008-4098 and CVE-2009-4030, not the OpenX file upload tracked as CVE-2009-4098; they appear here only because of the shared "4098" suffix.
No detection rules found.
Exploit-DB
OpenX - 'banner-edit.php' Arbitrary File Upload / PHP Code Execution (Metasploit)
exploitdb · 2010-09-20 · CVE-2009-4098
---
```ruby
##
# $Id: openx_banner_edit.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # ... (lines between the class declaration and the module info were dropped by the extraction)
      'Name'        => 'OpenX banner-edit.php File Upload PHP Code Execution',
      'Description' => %q{
        This module exploits a vulnerability in the OpenX advertising software.
        In versions prior to version 2.8.2, authenticated users can upload files
        with arbitrary extensions to be used as banner creative content. By uploading
        a file with a PHP extension, an attacker can ex
```
Metasploit
OpenX banner-edit.php File Upload PHP Code Execution
metasploit
This module exploits a vulnerability in the OpenX advertising software. In versions prior to version 2.8.2, authenticated users can upload files with arbitrary extensions to be used as banner creative content. By uploading a file with a PHP extension, an attacker can execute arbitrary PHP code. NOTE: The file must also return either "png", "gif", or "jpeg" as its image type as returned from the PHP getimagesize() function.
No writeups or analysis indexed.
References
- http://osvdb.org/60499
- http://secunia.com/advisories/37475
- http://www.openx.org/docs/2.8/release-notes/openx-2.8.2
- http://www.securityfocus.com/archive/1/508050/100/0/threaded
- http://www.securityfocus.com/bid/37110
- https://developer.openx.org/jira/browse/OX-5747
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54394