On Tuesday of this week we alerted Pligg based CMS users to a Remote SQL Injection Vulnerability that was present within the story.php. This issue is caused by an input validation error in the “story.php” script when processing the “id” parameter. The vulnerability could be exploited by malicious people to conduct SQL injection attacks and gain knowledge of sensitive information. Today evidence has arisen from James Bercegay of the GulfTech Security Research Team that would indicate that Pligg has many, many more security vulnerabilities from SQL attacks.
First we have information on another SQL Injection vulnerability discovered today that allows hackers freely to modify and inject information into any of you pligg template files. Remote Code Execution Template Exploit.
Finally we have a massive list which was also documented today by James Bercegay of the GulfTech Security Research Team Pligg 9.9.0 Multiple Vulnerabilities. James has found a lot of Vulnerabilities within the pligg system which are extremely worrying.
Exactly when the fixed/updated version of pligg will be released is at this time still unknown and since losing their lead developer AshDigg back in February Pligg’s overall development hasn’t been the fastest since then.
NOTE: These issues affect Pligg 9.9.0 and prior versions.