Yet More Security Vulnerabilities Found In Pligg V9.9.0

Posted by Lincoln in Pligg on Thursday, July 31st 2008   

Digg it

Bookmark it

Stumble it

Mixx It

On Tuesday of this week we alerted Pligg based CMS users to a Remote SQL Injection Vulnerability that was present within the story.php. This issue is caused by an input validation error in the “story.php” script when processing the “id” parameter. The vulnerability could be exploited by malicious people to conduct SQL injection attacks and gain knowledge of sensitive information. Today evidence has arisen from James Bercegay of the GulfTech Security Research Team that would indicate that Pligg has many, many more security vulnerabilities from SQL attacks.

First we have information on another SQL Injection vulnerability discovered today that allows hackers freely to modify and inject information into any of you pligg template files. Remote Code Execution Template Exploit.

Finally we have a massive list which was also documented today by James Bercegay of the GulfTech Security Research Team Pligg 9.9.0 Multiple Vulnerabilities. James has found a lot of Vulnerabilities within the pligg system which are extremely worrying.

Exactly when the fixed/updated version of pligg will be released is at this time still unknown and since losing their lead developer AshDigg back in February Pligg’s overall development hasn’t been the fastest since then.

NOTE: These issues affect Pligg 9.9.0 and prior versions.

Update: AshDigg Pligg’s former lead developer has released a fork of the pligg codebase titled YADC, YADC fixes all security holes found within the pliggv9.9.0 codebase.

Popularity: 5% [?]



If you enjoyed this post, make sure you subscribe to our RSS feed!

digg this
 

This post was written by:

Lincoln - who has written 167 posts on Social CMS Buzz.

Owner of Social CMS Buzz and a fan of all things social and design related.

Contact the author

Web: http://socialcmsbuzz.com

Related Content

Subscribe to the post comments feeds or Leave a trackback


Tags: , , , , ,

7 Comments Already

commenter
pete Said,
July 31st, 2008 @6:24 pm  

You released a version of Pligg. Where are your security fixes? I guess you are just waiting until Pligg release theirs so you can add them to your version and take all the credit?

I’m also surprised that James Bercegay of GulfTech Security Research Team would allow you to publicly post post his findings.. I guess that’s how they do business. Generally any serious or professional IT security team would never allow this information to be public. So only 2 conclusions can be drawn. You illegally published his findings, or GulfTech is a scam looking to exploit money from Pligg. Either way it’s bad news all around.

commenter
amuzihqzi Said,
July 31st, 2008 @7:06 pm  

Shame on socialcmsbuzz telling people how to exploit a pliqq. Shame on GulfTech Security to post in the wild. Never EVER do business with them.

commenter
stephan Said,
July 31st, 2008 @8:39 pm  

“Generally any serious or professional IT security team would never allow this information to be public.”

Since when do IT Security teams not release their findings publicly? It is what they do! (everyone from symantec to secunia do this, duh) I think it is safe for you to take off your tin foil hat now. lol Also, I don’t think he stole the information either as I found out about it here after I was hacked.

http://www.securityfocus.com/bid/30458/discuss

Since the Pligg developers seem to be a bunch of slackers I wanted details of the vulnerabilities so that I could fix them myself and get my site back up.

On a more serious note I hope these issues are fixed soon. My webhost temporarily suspended my account cause my Pligg was used to send spam after it was hacked :(

commenter
Tiaranda Said,
August 15th, 2008 @4:02 pm  

“Shame on GulfTech Security to post in the wild. Never EVER do business with them.”

What an ignorant statement, have you ever even dealt with them? GulfTech do great work, and are simply amazing compared to the company that we had reviewing our products before.

If anything, people should be cautious of a software vendor who does not care enough about their products (or their users) to have them professionally secured.

On another note, as a long time Pligg user I am definitely switching to YaDC since they are actually the project that secured Pligg when all these vulnerabilities were found. I still can’t believe Yankidank and Co. ganked the fixes from YaDC without even giving due credit :-\ Maybe he should call himself Yankigank lol

Pingback & Trackback
mygif
Pingback from Vote for this article at blogengage.com
July 31st, 2008 @3:58 pm  
mygif
Pingback from Vulnerabilitate Pligg | PCNews
July 31st, 2008 @8:56 pm  
mygif
Pingback from meneame.net
August 1st, 2008 @1:46 am  

Related Post

Please Leave Your Comments Below

Please Note: All comments will be moderated

« Pligg Randomly Featured Story Module v0.1 Released
YADC: A Fork Of The Pligg CMS System Launches It’s BETA 1 Release »