SocialCMSBuzz gets banned from the Pligg forums for revealing a PycURL Security Vulnerability

We had previous indications that the Pligg team couldn’t handle criticism well, from reading certain posts in their forums. Now, however, they have banned our forum user account for revealing that Pligg v9.9.0 is still vulnerable to automated PycURL bot spamming attacks. We posted a link in their forums to an article we wrote here a few days ago, to nudge them into fixing a vulnerability which has been outstanding for months. This resulted in ourselves, one of the more active contributors to the Pligg project, being banned permanently by YankiDank. Oh, and apparently the ban was for “Inappropriate Ranting” and theft of some kind of content. Go figure that one out.

Pligg love it when their CMS makes the news and are proud to show off links to articles on their forum in the Pligg News section. It would seem, however, that they don’t like critical news as much as news patting them on the back saying “Job Well Done”. First off, let us just say we don’t dislike the Pligg project in any way and think it’s a pretty good CMS. We also, however, don’t shy away from telling the facts like they are on this blog, and seeing as content is now being censored on the Pligg forum, that’s got to be a good thing.

Over the past few weeks we received multiple support requests for Pligg v9.9.0 from webmasters experiencing high levels of automated spam. The spam was exploiting a security vulnerability in Pligg to automatically insert users into the database and post spam stories; the bots achieve this by completely bypassing the Pligg registration process. What was more annoying to us was the fact that the vulnerability has been present in Pligg since v9.8.2, which was released on the 1st September 2007, over seven months ago.

A simple fix would have been to integrate the existing email confirmation code into the Pligg project, which was never done. Instead, time was spent on other spam-fighting modules like Akismet, which will do nothing for this particular vulnerability.
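To show what email confirmation actually buys here, the following is an added example of a confirmation-gated registration flow. It is not Pligg’s code and not the author’s; it is a stand-alone model written for this page. It assumes a per-site secret (`SECRET_KEY`, a hypothetical value), an in-memory user table and an in-memory outbox standing in for the mail transport. The point it demonstrates is that a record created by a direct request to the registration endpoint stays inactive, cannot post stories, and is purged after the token lifetime unless the owner of the mailbox presents an HMAC-signed token that was only ever sent to that address.

```python
"""Registration gated by an e-mail confirmation token (illustrative, not Pligg's code)."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

SECRET_KEY = b"hypothetical-per-site-secret"  # assumption: a real site loads this from config
TOKEN_TTL = 24 * 3600  # seconds a confirmation link stays valid


@dataclass
class User:
    username: str
    email: str
    created_at: int
    active: bool = False  # never true until the e-mail token is presented
    stories: list = field(default_factory=list)


class Registry:
    def __init__(self, secret=SECRET_KEY, now=time.time):
        self.secret = secret
        self.now = now          # injectable clock so expiry can be exercised
        self.users = {}
        self.outbox = []        # constructed stand-in for sending mail: (address, token)

    def _sign(self, username, email, expires):
        # Bind the token to username, address and expiry so none can be swapped.
        msg = f"{username}\0{email}\0{expires}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def register(self, username, email):
        """Create an INACTIVE record and mail a token; nothing is returned to the caller."""
        if username in self.users:
            raise ValueError("username taken")
        created = int(self.now())
        self.users[username] = User(username, email, created)
        expires = created + TOKEN_TTL
        token = f"{expires}.{self._sign(username, email, expires)}"
        self.outbox.append((email, token))

    def confirm(self, username, token):
        """Activate the account only for a valid, unexpired, correctly signed token."""
        user = self.users.get(username)
        if user is None or user.active:
            return False
        try:
            expires_text, sig = token.split(".", 1)
            expires = int(expires_text)
        except ValueError:
            return False
        if expires < self.now():
            return False
        expected = self._sign(username, user.email, expires)
        if not hmac.compare_digest(sig, expected):
            return False
        user.active = True
        return True

    def submit_story(self, username, url):
        """Story submission requires a confirmed account; returns the user's story count."""
        user = self.users.get(username)
        if user is None or not user.active:
            raise PermissionError("account not confirmed")
        user.stories.append(url)
        return len(user.stories)

    def purge_unconfirmed(self):
        """Delete records whose token lifetime passed without confirmation; returns how many."""
        stale = [
            name for name, u in self.users.items()
            if not u.active and u.created_at + TOKEN_TTL < self.now()
        ]
        for name in stale:
            del self.users[name]
        return len(stale)


if __name__ == "__main__":
    reg = Registry()
    reg.register("alice", "alice@example.invalid")  # constructed sample address
    address, token = reg.outbox[-1]                 # "user" reads the mail
    print("confirmed:", reg.confirm("alice", token))
    print("stories:", reg.submit_story("alice", "http://example.invalid/story"))
```

The design choice worth noting is that `register` hands the token only to the mail transport, never back to the HTTP caller, so a script that drives the registration endpoint directly gains nothing but an inert row that `purge_unconfirmed` later removes. The expiry and the user’s address are covered by the signature, so a token cannot be replayed for a different account or kept alive past its lifetime.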

So how did we manage to get ourselves banned from the pligg forums?


Well, yesterday I posted a link to the article on the Pligg forum as a way of bringing to the developers’ attention a problem that has seriously plagued Pligg for seven months now. It would seem someone at Pligg couldn’t handle the truth and decided the best way to deal with the situation was to delete our link and ban our forum profile. The downside is that the vulnerability still goes unfixed.

Getting banned from Pligg is their prerogative, as all webmasters have the right to select what content they would like their members to read and ultimately who their members are. We are still clueless, though, as to what they refer to in the ban message of “Inappropriate Ranting” and “Content Theft”.

Inappropriate Ranting – this could be directed towards revealing a security vulnerability in Pligg, which is far from ranting.

Content Theft – could be the little Pligg image we used in a deckchair photo in our last post, but no details were provided.

May we remind Pligg of this article http://socialcmsbuzz.com/free-pligg-template-darkwater-v990-29012008/

It was brought to our attention earlier today, in a nice email I received (thanks, Tremor), that a Pligg developer of all people decided to edit one of our previous free Pligg templates, CoolWater, and breach the Creative Commons License it was released under (originally from styleshout.com and ourselves) to make a quick buck without giving credit to the original template author.

We didn’t ban anyone, and after Pligg removed the template from their store we even offered to construct a few templates for Pligg to sell and retain 100% of the profits. See, no hard feelings from us when the Pligg developers broke the Creative Commons license on one of our templates, and all was settled amicably.

We would really like to know what is being referred to as “Theft Of Content” and would be more than happy to read any mails or discuss this matter further with the Pligg team. YankiDank had tried to send us a message on the Pligg forums, but because we were banned it couldn’t be retrieved.

If any member of the Pligg team would like to discuss the ban further, please contact us via our contact form, as we certainly have a few questions for you guys :)

And if you want great press in the future for Pligg, try to fix code vulnerabilities faster than in a seven-month time frame and we will praise you to high heaven.


Article Details

Published: April 3rd, 2008

Category: Pligg

  1. Geoserv says:

    Yankidank is ban happy. Pligg will ban you for the littlest thing, active or not. I was one of the top 10 members and got banned for posting a template that I didn’t make, that turned out to be stolen. I tried to explain that to admin but their thick heads wouldn’t listen.

    The site that was ripped by this port accepted my apology and I removed the template immediately, but Pligg being god like wasn’t happy with that.

    They will eventually learn that banning key members who are the only ones contributing, even more so than the developers, will only hurt them in the long run.

    The majority of mods etc…, were created and donated by us the active members and very little from the developers.

    Someday Yankidank will grow up and learn how to handle power; obviously he isn’t used to having power in real life.

    Geoserv.

  2. Geoserv says:

    STUMBLED!!

    And added to:
    NewsDots
    TopStumbles

  3. LincolnHawks says:

    Sorry to hear that, Geo. I can remember you being a large contributor to the project :( You’re always free to contribute here at Social CMS Buzz, where you can be 100% sure of free speech and free from the threat of bans.

  4. Jason says:

    For any CMS, criticism is part of the game and it shows the path to improve their quality. Honestly speaking, the Pligg forum allows people who praise Pligg for its quality. I was kind of annoyed at performance issues of Pligg. For example, Pligg has a table called Pageview and the coders made inefficient nested queries to get user view statistics. I saw it choke my test site hosted on shared hosting with only a few hundred users. When I raised this question in the Pligg forum, that Pligg cannot handle load because of its inefficient table design and queries, some guy called Dollar5 directly showed as an example that I should use a Media Temple Nitro server which costs US$ 750/mo. I should not speak personally, but guys like Dollar5 use Pligg for their business and I got an offer for developing their site. Anyway, I am happy that I moved to Drupal.

    I was eventually banned for inappropriate ranting. I noticed flattering guys like Dollar5, who blindly support even mistakes or flaws of Pligg, have been promoted to their developers page.

  5. Cypher says:

    Criticisms, as Jason says, are crucial with any business, be it open source or closed. I read your post regarding the v9.9.0 spamming issue and see nothing wrong or ranty about it, simply stating the facts to a group of developers who do very little in the way of community support or updates.

    Banning strong contributors like you guys and Geoserv is just plain stupidity and it seems to be down to an overzealous admin who is obviously in dire need of man management and public relation skill set training.

    Personally I think that since the site never sold last year the developers seem to have lost interest in the project, with support being almost non-existent and updates only arriving at lengthy three-month intervals.

    This might also explain the gradual Alexa traffic drop on the pligg.com site as less participation, updates leads to less traffic.

    Need to go check my Pligg account now to make sure I haven’t been banned for commenting and speaking my mind :p

  6. VooLee says:

    Inaccurate. A simple search on the Pligg forums for PyCurl shows you had nothing to do with revealing anything, and a fix for it was even posted back on 03-08-08.
    See http://forums.pligg.com/wiki-articles/12532-spam-prevention.html

    You admitted to posting your blog links in their forum, which is nothing short of spamming yourself. Apparently you also can’t follow the simple rules of the forum outlined here: http://forums.pligg.com/bug-report/2026-reporting-security-vulnerabilities.html

    After reading some of the articles on your blog, it seems to me that you should have been banned a lot sooner, since you obviously have nothing nice to say. Even a six-year-old would know not to use the Pligg forum to bash Pligg just to promote your own blog.
    I guess the guys over at Pligg just finally got sick and tired of you being a total douche bag.

  7. LincolnHawks says:

    Firstly, let me say with 100% confidence that the .htaccess solution on the wiki doesn’t solve the PycURL spam in any way, shape or form, nor do any of the modules listed on that page. Try them all and PycURL will still get through.

    Secondly, we are not bashing Pligg; they do enough on their own, it would seem, to bash themselves. We simply posted some news in the news section concerning a threat that has gone unattended and remains unresolved for nearly 8 months now. We don’t need to spam Pligg to gain traffic; search engines bring us a nice amount.

    Pligg is the only CMS experiencing this type of attack, as it ain’t happening on WordPress, Drupal, Joomla, etc. More to the point, if it did happen on any of the above it would be eradicated in a few days.

    And to refer to pycurl emails pligg has drawn a blank@blank.com on this particular problem.

    The problem lies now in the decision by a webmaster of whether to start a site with v9.9.0 (which I will say once again is the best version of Pligg to date) and look professional with spam stories being submitted so frequently; it also takes some workload to moderate these stories. Pligg has a feature called “spamkill this user”: it discards the stories but doesn’t delete them from the database, so the URLs can still be indexed by search engines (lovely, eh!), and it also doesn’t delete the user from the database. None of this really matters though, as the spam bots use lots of different IPs, so even blocking in something like Blacklist is tiresome and proves pretty fruitless.

    And yeah, maybe the guys over at Pligg don’t like the truth. I certainly know Jack Nicholson didn’t in “A Few Good Men”; he simply couldn’t handle it, you know, very much like yourself.

  8. Geoserv says:

    No .htaccess command is going to solve the PycURL vulnerability. That was simply a band-aid solution to a very serious issue.

    Another solution offered was to rename the register.php file; again, a band-aid.

    They only show the lack of knowledge, or maybe interest, of the developers to fix a problem that should have been given more time and attention from the start.

    Perhaps instead of focusing on banning people, especially active contributors, they should have been trying to fix the major code, database issues and this security problem.

    As LincolnHawks also stated, any other CMS, free or not, would have done just that. I also haven’t heard of any other CMS having this problem.

    LincolnHawks, I will definitely be making this my new home for Pligg.

  9. me says:

    Looks like the lead dev left.

    http://forums.pligg.com/members/ashdigg.html
    Last Activity: 02-15-2008 08:11 PM

    Yank banning devs too? :)

  10. Geoserv says:

    haha…wouldn’t surprise me.
