cbcvebase.
CVE-2013-4211
published 2020-02-14

CVE-2013-4211: A Code Execution Vulnerability exists in OpenX Ad Server 2.8.10 due to a backdoor in flowplayer-3.1.1.min.js library, which could let a remote malicious user…

Priority: P278 · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 75.93% (99.5th percentile)

A Code Execution Vulnerability exists in OpenX Ad Server 2.8.10 due to a backdoor in the flowplayer-3.1.1.min.js library, which could let a remote malicious user execute arbitrary PHP code.

Affected (2 ranges)

Vendor   Product     Version range   Fixed in
openx    ad_server   (not listed)    (not listed)
openx    openx       (not listed)    (not listed)

Detection & IOCs (extracted from sources)

path:      /www/delivery/fc.php
filename:  flowplayer-3.1.1.min.js
path:      /openx/www/delivery/fc.php
other:     vastPlayer=<rot13'd and reversed PHP payload>
  • Detect POST requests to /www/delivery/fc.php with the GET parameters 'file_to_serve=flowplayer/3.1.1/flowplayer-3.1.1.min.js' and 'script=deliveryLog:vastServeVideoPlayer:player', combined with a non-empty 'vastPlayer' POST body: this is the backdoor trigger pattern.
  • The POST body parameter 'vastPlayer' carries the malicious payload, encoded as rot13 of the reversed PHP code. Any non-trivial value in this parameter on the above endpoint should be treated as an exploitation attempt.
  • The backdoor resides inside flowplayer-3.1.1.min.js as shipped with OpenX 2.8.10. Inspect this file for obfuscated or embedded PHP code as an indicator of the supply-chain compromise, which was active from at least November 2012 through August 2013.
  • The default TARGETURI is '/openx/' but may vary per deployment; the critical detection path suffix '/www/delivery/fc.php' remains constant regardless of install prefix.
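The trigger pattern above as detection logic over web-server access logs, added here as an example (it is not from the source or from any published rule set). It flags POSTs to any path ending in /www/delivery/fc.php that carry both marker query parameters, and reports a full trigger only when a request body with a non-empty 'vastPlayer' value is available, since plain access logs do not record POST bodies. The sample log lines, the '/ads/' install prefix and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path suffix is constant regardless of install prefix ('/openx/' is only the default).
FC_PATH_SUFFIX = "/www/delivery/fc.php"
BACKDOOR_FILE = "flowplayer/3.1.1/flowplayer-3.1.1.min.js"
BACKDOOR_SCRIPT = "deliveryLog:vastServeVideoPlayer:player"

# Apache/nginx "combined" format: client ident user [time] "METHOD URL PROTO" status ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

def classify_request(method, url, body_params=None):
    """'trigger'    : POST to fc.php with both marker GET params and a non-empty
                      'vastPlayer' body value (the backdoor trigger pattern)
       'suspicious' : URL matches but no body was available (plain access log)
       None         : anything else, including a GET to the same URL"""
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.endswith(FC_PATH_SUFFIX):
        return None
    qs = parse_qs(parts.query)
    if qs.get("file_to_serve") != [BACKDOOR_FILE] or qs.get("script") != [BACKDOOR_SCRIPT]:
        return None
    if body_params is None:
        return "suspicious"  # access logs do not record the POST body
    return "trigger" if body_params.get("vastPlayer", "").strip() else None

def scan_access_log(lines):
    """Return (client, time, verdict) for every log line whose request matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (verdict := classify_request(m["method"], m["url"])):
            hits.append((m["client"], m["time"], verdict))
    return hits

# Constructed sample lines (not real traffic): two POSTs to the trigger URL under different
# install prefixes, a GET to the same URL (left alone), and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2013:03:14:07 +0000] "POST /openx/www/delivery/fc.php?script=deliveryLog:vastServeVideoPlayer:player&file_to_serve=flowplayer/3.1.1/flowplayer-3.1.1.min.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Aug/2013:03:15:22 +0000] "GET /openx/www/delivery/fc.php?script=deliveryLog:vastServeVideoPlayer:player&file_to_serve=flowplayer/3.1.1/flowplayer-3.1.1.min.js HTTP/1.1" 200 9132 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Aug/2013:03:16:01 +0000] "POST /ads/www/delivery/fc.php?script=deliveryLog:vastServeVideoPlayer:player&file_to_serve=flowplayer/3.1.1/flowplayer-3.1.1.min.js HTTP/1.1" 200 77 "-" "curl/7.29.0"',
    '192.0.2.9 - - [10/Aug/2013:03:16:05 +0000] "GET /openx/www/delivery/lg.php?bannerid=12 HTTP/1.1" 200 43 "-" "curl/7.29.0"',
]

if __name__ == "__main__":
    for client, when, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{verdict:10s} {client:15s} {when}")
```

Feed classify_request the decoded form body from a WAF or application log to upgrade a 'suspicious' access-log hit to a confirmed 'trigger'.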

CVSS provenance

nvd  v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P