Anyone using Pligg? If so, you might want to patch it or take your site down ASAP, because there is a major issue with all versions except the latest that allows people to remotely hijack your admin rights (or the accounts of any Pligg users).
I've written a proof of concept exploit to test on some of my sites but I won't publish it here (for obvious reasons). Basically, the problem lies in the way Pligg handles password resets for users and the way it generates/tests the SHA'd confirmation code. It should be pretty obvious from the patch though (see SourceForge.net Repository - [pligg] Diff of /branches/pre_9_5_1/login.php).
You can grab the patch from Security Vulnerability - Pligg Forum
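The post points at the password-reset confirmation code as the weak spot without spelling out the fix. For admins reviewing their own reset flow, the following is an added illustration (not Pligg's code, and not taken from the patch linked above) of what a sound reset-token lifecycle looks like: the token comes from the OS CSPRNG rather than from anything an attacker can observe or predict, only a hash of it is stored, the comparison is constant-time, and the token expires and is single-use. The `PasswordResetStore` class, its in-memory table, and the 15-minute TTL are assumptions chosen for the example; a real application would persist the table and deliver the token to the user out of band.

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime for a reset token; chosen for this example, not a Pligg setting.
TOKEN_TTL_SECONDS = 15 * 60


class PasswordResetStore:
    """In-memory stand-in for an application's reset-token table.

    Assumption: a real deployment persists this state and sends the
    token to the account's registered e-mail address.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised deterministically
        self._pending = {}           # username -> (sha256 hex of token, expiry timestamp)

    def issue_token(self, username):
        # 32 bytes from the OS CSPRNG: the value is not derivable from the
        # username, the current time, or any other value visible to a third party.
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        # Only the hash is stored, so a leaked table cannot be replayed as-is.
        # Issuing a new token replaces any earlier one for the same account.
        self._pending[username] = (token_hash, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem_token(self, username, presented):
        """Return True exactly once for a valid, unexpired token; False otherwise."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        stored_hash, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[username]   # expired tokens are discarded, not retried
            return False
        presented_hash = hashlib.sha256(presented.encode("utf-8")).hexdigest()
        # Constant-time comparison: the check must not leak how many leading
        # characters of the presented value were correct.
        if not hmac.compare_digest(stored_hash, presented_hash):
            return False
        del self._pending[username]       # single use: a redeemed token cannot be reused
        return True


def tokens_are_unique(store, username, count=1000):
    """Sanity check: repeated issuance for one user never yields the same token."""
    seen = {store.issue_token(username) for _ in range(count)}
    return len(seen) == count


if __name__ == "__main__":
    store = PasswordResetStore()
    t = store.issue_token("alice")
    print("first redeem:", store.redeem_token("alice", t))   # True
    print("second redeem:", store.redeem_token("alice", t))  # False, already used
```

The contrast with a scheme that derives the confirmation code from values the attacker already knows (account name, timestamps, fixed strings) is the whole point: with a CSPRNG token of this size, guessing is infeasible, and the hash-at-rest, constant-time check and single-use expiry close the remaining ways a reset link gets abused.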