Latest Information for social Voting CMS systems
We already had indications, from reading certain posts in their forums, that the Pligg team couldn’t handle criticism well. Now, however, they have turned to banning our forum user account for revealing that Pligg v9.9.0 is still vulnerable to automated PycURL bot spamming attacks. We posted a link in their forums to an article we wrote here a few days ago, to nudge them into fixing the vulnerability, which has been outstanding for months. This, however, resulted in us, one of the more active contributors to the Pligg project, being banned permanently by YankiDank. Oh, and apparently the ban was for “Inappropriate Ranting” and theft of some kind of content. Go figure that one out.
Pligg love it when their CMS makes the news and are proud to show off links to articles on their forum in the Pligg News section. It would seem, however, that they don’t like critical news as much as news patting them on the back saying “Job Well Done”. First off, let us just say we don’t dislike the Pligg project in any way and think it’s a pretty good CMS. However, we also don’t shy away from telling the facts like they are on this blog, and seeing as content is now being censored on the Pligg forum, that’s got to be a good thing.
Over the past few weeks we received multiple support requests for v9.9.0 of Pligg from webmasters experiencing high levels of automated spam. The spam was utilizing a security vulnerability in Pligg to automatically insert users into the database and post spam stories. This is achieved by the bots completely bypassing the Pligg registration process. What was more annoying to us was the fact that the vulnerability has been present in Pligg since v9.8.2, which was released on the 1st September 2007, over seven months ago.
A simple fix would have been to integrate the existing email confirmation code into the Pligg project, which was never done. Instead, time was spent on other spam-fighting modules like Akismet, which will do nothing for this particular vulnerability.
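The email-confirmation gate suggested above, sketched as an added example (not Pligg’s code and not from the original post): an account created by a script that never reads the mailbox stays unconfirmed and cannot submit stories. All function names, the in-memory `$users` array and the token format are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example with hypothetical names; not Pligg's code or schema.
const CONFIRM_TTL = 86400; // seconds a confirmation link stays valid
/** MAC binding the token to one login, one e-mail address and one expiry. */
function token_mac(string $login, string $email, int $expires, string $secret): string
{
    return hash_hmac('sha256', serialize([$login, $email, $expires]), $secret);
}

/** Create the account unconfirmed; the returned token is sent by e-mail only. */
function register_user(array &$users, string $login, string $email, string $secret, int $now): string
{
    $users[$login] = ['email' => $email, 'confirmed' => false];
    $expires = $now + CONFIRM_TTL;
    return $expires . '.' . token_mac($login, $email, $expires, $secret);
}

/** Confirm the account only for an unexpired token with a valid MAC. */
function confirm_user(array &$users, string $login, string $token, string $secret, int $now): bool
{
    $parts = explode('.', $token);
    if (!isset($users[$login]) || count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    $expires = (int) $parts[0];
    $expected = token_mac($login, $users[$login]['email'], $expires, $secret);
    if ($expires < $now || !hash_equals($expected, $parts[1])) {
        return false;
    }
    $users[$login]['confirmed'] = true;
    return true;
}

/** Server-side gate to call at the top of the story submission handler. */
function can_submit_story(array $users, string $login): bool
{
    return isset($users[$login]) && $users[$login]['confirmed'] === true;
}

// Constructed demo: a scripted sign-up that never sees the mailbox.
$secret = bin2hex(random_bytes(32));
$users = [];
$now = time();
$token = register_user($users, 'signup1', 'user@example.invalid', $secret, $now);
var_dump(can_submit_story($users, 'signup1'));
var_dump(confirm_user($users, 'signup1', $now . '.' . str_repeat('0', 64), $secret, $now));
var_dump(confirm_user($users, 'signup1', $token, $secret, $now));
var_dump(can_submit_story($users, 'signup1'));
```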
So how did we manage to get ourselves banned from the pligg forums?

Well, yesterday I posted a link to the article on the Pligg forum as a way of bringing to the developers’ attention a problem that has seriously plagued Pligg for seven months now. It would seem someone at Pligg couldn’t handle the truth and decided the best way to deal with the situation was to delete our link and ban our forum profile. The downside is that the vulnerability still goes unfixed.
Getting banned from Pligg is their prerogative, as all webmasters have the right to select what content they would like their members to read and, ultimately, who their members are. We are still clueless as to what they refer to in the ban message as “Inappropriate Ranting” and “Content Theft”.
Inappropriate Ranting - this could be directed at our revealing a security vulnerability in Pligg, which is far from ranting.
Content Theft - this could be the little Pligg image we used in a deckchair photo in our last post, but no details were provided.
May we remind Pligg of this article http://socialcmsbuzz.com/free-pligg-template-darkwater-v990-29012008/
It was brought to our attention earlier today, in a nice email I received (thanks, Tremor), that a Pligg developer, of all people, decided to edit one of our previous free Pligg templates, CoolWater, and breach the Creative Commons License it was originally released under, from styleshout.com and ourselves, to make a quick buck without giving credit to the original template author.
We didn’t ban anyone, and after Pligg removed the template from their store we even offered to construct a few templates for Pligg to sell and retain 100% of the profits. See, no hard feelings from us when the Pligg developers broke the Creative Commons license on one of our templates, and all was settled amicably.
We would really like to know what is being referred to as “Theft Of Content” and would be more than happy to read any mails or discuss this matter further with the Pligg team. YankiDank had tried to send us a message at the Pligg forums, but because we were banned it couldn’t be retrieved.
If any member of the Pligg team would like to discuss the ban further, please contact us via our contact form, as we certainly have a few questions for you guys.
And if you want great press in the future for Pligg, try to fix code vulnerabilities faster than in a seven-month time frame and we will praise you to high heaven.
Geoserv
April 3rd, 2008 at 1:38 pm
Yankidank is ban happy. Pligg will ban you for the littlest thing, active or not. I was one of the top 10 members and got banned for posting a template that I didn’t make, that turned out to be stolen. I tried to explain that to admin but their thick heads wouldn’t listen.
The site that was ripped by this port accepted my apology and I removed the template immediately, but Pligg being god like wasn’t happy with that.
They will eventually learn that banning key members who are the only ones contributing, even more so than the developers, will only hurt them in the long run.
The majority of mods etc…, were created and donated by us the active members and very little from the developers.
Someday Yankidank will grow up, and learn how to handle power; obviously he isn’t used to having power in real life.
Geoserv.
Geoserv
April 3rd, 2008 at 1:45 pm
STUMBLED!!
And added to:
NewsDots
TopStumbles
LincolnHawks
April 3rd, 2008 at 2:40 pm
Sorry to hear that, Geo. I can remember you being a large contributor to the project.
You’re always free to contribute here at Social CMS Buzz, where you can be 100% sure of free speech and free from the threat of bans.
Jason
April 3rd, 2008 at 2:41 pm
For any CMS, criticism is part of the game and it shows the path to improve their quality. Honestly speaking, the Pligg forum allows people who praise Pligg for its quality. I was kind of annoyed at the performance issues of Pligg. For example, Pligg has a table called Pageview, and the coders made inefficient nested queries to get user view statistics. I saw it choke my test site, hosted on shared hosting with only a few hundred users. When I raised this question in the Pligg forum, that Pligg cannot handle load because of its inefficient table design and queries, one guy called Dollar5 directly showed an example that I should use a Media Temple Nitro server, which costs US$ 750/mo. I should not speak personally, but guys like Dollar5 use Pligg for their business, and I got an offer for developing their site. Anyway, I am happy that I moved to Drupal.
I was eventually banned for inappropriate ranting. I noticed flattering guys like Dollar5, who blindly support even the mistakes or flaws of Pligg, have been promoted to their developers page.
Cypher
April 3rd, 2008 at 4:53 pm
Criticisms, as Jason says, are crucial with any business, be it open source or closed. I read your post regarding the v9.9.0 spamming issue and see nothing wrong or ranty about it, simply stating the facts to a group of developers who do very little in the way of community support or updates.
Banning strong contributors like you guys and Geoserv is just plain stupidity and it seems to be down to an overzealous admin who is obviously in dire need of man management and public relation skill set training.
Personally I think since the site never sold last year the developers seem to have lost interest in the project, with support being almost non-existent and updates only arriving at lengthy three-month intervals.
This might also explain the gradual Alexa traffic drop on the pligg.com site as less participation, updates leads to less traffic.
Need to go check my Pligg account now to make sure I haven’t been banned for commenting and speaking my mind :p
VooLee
April 3rd, 2008 at 6:24 pm
Inaccurate. A simple search on the Pligg forums for PyCurl shows you had nothing to do with revealing anything, and a fix for it was even posted back on 03–08-08.
See http://forums.pligg.com/wiki-articles/12532-spam-prevention.html
You admitted to posting your blog links in their forum, which is nothing short of spamming yourself. Apparently you also can’t follow the simple rules of the forum outlined here: http://forums.pligg.com/bug-report/2026-reporting-security-vulnerabilities.html
After reading some of the articles on your blog, it seems to me that you should have been banned a lot sooner since you obviously have nothing nice to say. Even a six year old would know not to use the Pligg forum to bash Pligg just to promote your own blog.
I guess the guys over at Pligg just finally got sick and tired of you being a total douche bag.
LincolnHawks
April 3rd, 2008 at 8:23 pm
Firstly, let me say with 100% confidence that the .htaccess solution on the wiki doesn’t solve the PycURL spam in any way, shape or form, and neither do any of the modules listed on that page. Try them all and PycURL will still get through.
Secondly, we are not bashing Pligg; they do enough on their own, it would seem, to bash themselves. We simply posted some news in the news section concerning a threat that has gone unattended and remains unresolved for nearly 8 months now. We don’t need to spam Pligg to gain traffic; search engines bring us a nice amount.
Pligg is the only CMS system experiencing this type of attack as it ain’t happening on wordpress, drupal, joomla, etc more to the point if it did happen on any of the above it would be eradicated in a few days.
And to refer to pycurl emails pligg has drawn a blank@blank.com on this particular problem.
The problem lies now in the decision by a webmaster of whether to start a site with v9.9.0 (which I will say once again is the best version of Pligg to date) and look professional with spam stories being submitted so frequently; it also takes some workload to moderate these stories. Pligg has a feature called “spamkill this user”: it discards the stories but doesn’t delete them from the database, so the URLs can still be indexed by search engines, lovely eh! It also doesn’t delete the user from the database. None of this really matters though, as the spam bots use lots of different IPs, so even blocking in something like blacklist is tiresome and proves pretty fruitless.
And yeah, maybe the guys over at Pligg don’t like the truth. I certainly know Jack Nicholson didn’t in “A Few Good Men”; he simply couldn’t handle it, you know, very much like yourself.
Geoserv
April 3rd, 2008 at 9:00 pm
No .htaccess command is going to solve the PycURL vulnerability. That was simply a bandaid solution to a very serious issue.
Another solution offered was to rename the register.php file, again, a bandaid.
They only show the lack of knowledge of the developers, or maybe interest, to fix a problem that should have been given more time and attention from the start.
Perhaps instead of focusing on banning people, especially active contributors, they should have been trying to fix the major code, database issues and this security problem.
As LincolnHawks also stated, any other CMS, free or not, would have done just that. I also haven’t heard of any other CMS having this problem.
LincolnHawks, I will definitely be making this my new home for Pligg.
me
April 4th, 2008 at 2:51 pm
Looks like the lead dev left.
http://forums.pligg.com/members/ashdigg.html
Last Activity: 02-15-2008 08:11 PM
Yank banning devs too?
Geoserv
April 4th, 2008 at 6:20 pm
haha…wouldn’t surprise me.
Unknown
April 9th, 2008 at 4:04 am
Can’t believe a great contributor such as Geoserv has been banned and now socialcmsbuzz also. And I’m not too surprised to hear that ashdigg left also.
I think Ashdigg’s entourage have taken the project from him and tried turning it into a cash cow. Most of the big developers now are only pushing their overpriced mods (250$!! - I could buy a whole well-written script like socialengine with 250$).
Lots of people have been trying to use the Pligg CMS to do something with it, but unless you were there from the beginning, or know php, you won’t find it easy to start with it, this unfortunately led to lots of people abandoning it.
I suggest that some developers who have a hobby for developing make a branch out of Pligg (just like Pligg was a branch of meneame) and continue its development.
Pligg has the potential to be a big time CMS just like Joomla, but just needs some people not looking to make instant cash out of it, and some time on their hands. In fact, if we can put it back on its legs, I’m sure new developers will flock anew to the new project.
Oh and by the way, great new design for the site, and what do you think about expanding and covering other web resources?
Jason
April 9th, 2008 at 4:51 pm
Did Ashdigg start a new CMS?
Geoserv
April 10th, 2008 at 2:21 pm
As of today my ban was lifted by Yankidank, so I hope to be contributing again soon.
Pligg does have great potential with the right leadership.
I recently developed Pliggs.com and will be posting templates, mods, hacks tutorials, and you can even post a link to your Pligg in the directory as well.
Most of my contributions will be posted there as well and of course, this blogs work will be on there as well.
This blog has done a lot for Pligg and hopefully the ban will be lifted for socialcms soon.
Thanks for the kind words above.
http://www.pliggs.com
D. Cotton
April 12th, 2008 at 1:19 pm
It’s all a bit daft to start throwing around bannings. There are so few of us who are active members of the Pligg project - very, very few in terms of coding, and few in terms of a willingness to engage with the community and come up with constructive ideas.
As for the idea that they are going for ‘a quick buck’, well, developers deserve financial compensation for their work. And it may not equal a commercial rate, but the donations system for Pligg wasn’t bringing in much money.
A small group of developers can’t just run on goodwill alone forever. People have their careers, families, social life to attend to as well.
blogengage
April 18th, 2008 at 8:20 pm
How do you guys get trackbacks with Pligg? I have 9.8.2 and can’t get it to work.
Any advice I’ll meet you in the cms forums!
sidlyderious
April 21st, 2008 at 9:44 am
May I ask whether you sent them an email or Private Message to discuss the vulnerability or did you hit the forums first to publish the problem, please?
There is a major problem when vulnerabilities are simply published on forums for everyone to see.
You may have an axe to grind with Pligg however often irresponsible behavior can put many user sites at risk.
There is a right way and a wrong way.
I have no idea which method you chose.
JoeHunk
April 23rd, 2008 at 6:34 pm
What a story. Didn’t know this happened to many pligg forum members, ’til I stumbled on Geoserve blog on pligss.com. Have you seen drigg yet?
Geoserv
April 24th, 2008 at 2:41 am
Yet again I have been banned.
This time by chuckroast.
I was banned for visiting Pligg powered websites and filling out their contact forms informing them of my new Pligg directory, chuckroast got one of those emails and flipped.
So he banned me from the Pligg forums.
I’m not sure what using a contact form on a website has to do with Pligg forums. What’s wrong with informing people of something?
I wasn’t charging to list their website. It was FREE.
But then again chuckroast has his own directory so you draw the conclusions.
He then went on to defame my name openly on the forums, very mature. He can’t handle competition I guess.
I would like to see a list of people who complained, his would be the only name on it.
What does me using a contact form on a website using the Pligg script have to do with the Pligg forums? Nothing!
chuckroast’s hard-on for me has to stop; other high profile members have called him out on it this week and I appreciate their support.
This isn’t right.
thomas
April 24th, 2008 at 11:41 pm
This all sux! I am running a Pligg powered site too, but I will close it down in the next days because:
a. I hate it when good people are being banned
b. the whole system is buggy as hell ….
c. this is no fun anymore
Geoserv
April 25th, 2008 at 1:16 am
Thomas, we are more than willing to help. Pligg is a good script, but it does have some issues that seem to have been problems for a long time with no clear direction on fixing them.
You can get help here and I will be keeping www.pliggs.com going.
It’s really disappointing that people I have helped have decided to turn on me openly on the Pligg forums, nice to our face though. One of them even emailed me showing support, but now I see him going along with chuckroast just to suck up, I guess.
Geoserv.