This is the description of the vulnerability recieved by JPCERT:
"We have confirmed that in admin-search.php, scripts included in
'keyword' parameter is shown without proper sanitization thus the
script could be executed.
However a user needs to login the system as administrator, which makes
the exploit technically difficult.
If this vulnerability is exploited, by script execution, a user's
session ID included in HTTP Cookie might be stolen. Also there's a risk
that the contents of phpAdsNew are falsified temporarily."
The security contact for Openads can be reached at:
<security AT openads DOT org>
Matteo Beccati
http://www.openads.org
http://phpadsnew.com
http://phppgads.com
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/