CVE-2013-4211
Published 2020-02-14
Priority P2 78 · critical 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 75.93% (99.5th percentile)
A Code Execution Vulnerability exists in OpenX Ad Server 2.8.10 due to a backdoor in flowplayer-3.1.1.min.js library, which could let a remote malicious user execute arbitrary PHP code.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openx | ad_server | — | — |
| openx | openx | — | — |
Detection & IOCs
- Detect POST requests to /www/delivery/fc.php with GET parameters 'file_to_serve=flowplayer/3.1.1/flowplayer-3.1.1.min.js' and 'script=deliveryLog:vastServeVideoPlayer:player', combined with a non-empty 'vastPlayer' POST body. This is the backdoor trigger pattern.
- The POST body parameter 'vastPlayer' carries the malicious payload encoded as rot13 of the reversed PHP code. Any non-trivial value in this parameter on the above endpoint should be treated as an exploitation attempt.
- The backdoor resides inside flowplayer-3.1.1.min.js shipped with OpenX 2.8.10. Inspect this file for obfuscated/embedded PHP code as an indicator of supply-chain compromise active from at least November 2012 through August 2013.
- The default TARGETURI is '/openx/' but may vary per deployment; the critical detection path suffix '/www/delivery/fc.php' remains constant regardless of install prefix.
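
One way to apply the trigger pattern above to request records, as an added example that is not part of the original page or of any project it cites. It assumes a proxy or WAF log that exposes the method, the raw request target and the form-encoded body; the function names and sample records are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Values quoted in the detection notes above.
ENDPOINT_SUFFIX = "/www/delivery/fc.php"
FILE_TO_SERVE = "flowplayer/3.1.1/flowplayer-3.1.1.min.js"
SCRIPT = "deliveryLog:vastServeVideoPlayer:player"


def is_backdoor_trigger(method, uri, body):
    """Return True when one request matches the backdoor trigger pattern."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(uri)
    # The install prefix varies per deployment; only the suffix is constant.
    if not unquote(parts.path).rstrip("/").endswith(ENDPOINT_SUFFIX):
        return False
    # parse_qs percent-decodes, so encoded "/" and ":" still match,
    # and parameter order does not matter.
    query = parse_qs(parts.query, keep_blank_values=True)
    if FILE_TO_SERVE not in query.get("file_to_serve", []):
        return False
    if SCRIPT not in query.get("script", []):
        return False
    # Any non-empty vastPlayer value in the body counts as an attempt.
    form = parse_qs(body or "", keep_blank_values=True)
    return any(value.strip() for value in form.get("vastPlayer", []))


def scan(records):
    """Return the indexes of records that match the trigger pattern."""
    return [i for i, rec in enumerate(records) if is_backdoor_trigger(*rec)]


# Constructed sample records (method, request target, body); not real traffic.
QUERY = f"file_to_serve={FILE_TO_SERVE}&script={SCRIPT}"
ENCODED = ("script=deliveryLog%3AvastServeVideoPlayer%3Aplayer"
           "&file_to_serve=flowplayer%2F3.1.1%2Fflowplayer-3.1.1.min.js")
SAMPLES = [
    ("POST", "/openx/www/delivery/fc.php?" + QUERY, "vastPlayer=CONSTRUCTED"),
    ("post", "/ads/www/delivery/fc.php?" + ENCODED, "vastPlayer=CONSTRUCTED"),
    ("GET", "/openx/www/delivery/fc.php?" + QUERY, ""),
    ("POST", "/openx/www/delivery/fc.php?" + QUERY, "vastPlayer="),
    ("POST", "/openx/www/delivery/fc.php?script=other", "vastPlayer=x"),
]

if __name__ == "__main__":
    print("flagged record indexes:", scan(SAMPLES))
```

Standard access logs do not record request bodies, so where only method and URL are available the first three checks can be used alone as a weaker signal.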
CVSS provenance
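| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |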
No detection rules found.
Exploit-DB
OpenX - Backdoor PHP Code Execution (Metasploit)
exploitdb·2013-08-12
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'OpenX Backdoor PHP Code Execution',
  'Description' => %q{
    OpenX Ad Server version 2.8.10 was shipped with an obfuscated
    backdoor since at least November 2012 through August 2013.
    Exploitation is simple, requiring only a single request with a
    rot13'd and reversed payload.
  },
  'Author' =>
    [
      'egypt', # Metasploit module, shouts to bperry for hooking me up with the vuln software
      'Unknown', # Someone planted this backdoor...
    ],
  'License' => MSF_LICENSE,
  'References' => [
```
Metasploit
OpenX Backdoor PHP Code Execution
metasploit
OpenX Ad Server version 2.8.10 was shipped with an obfuscated backdoor since at least November 2012 through August 2013. Exploitation is simple, requiring only a single request with a rot13'd and reversed payload.
No writeups or analysis indexed.
- http://www.exploit-db.com/exploits/27529
- http://www.openwall.com/lists/oss-security/2013/08/07/2
- http://www.securityfocus.com/bid/61650
- https://exchange.xforce.ibmcloud.com/vulnerabilities/86259
- https://packetstormsecurity.com/files/cve/CVE-2013-4211