Yet More Security Vulnerabilities Found In Pligg V9.9.0

On Tuesday of this week we alerted Pligg based CMS users to a Remote SQL Injection Vulnerability that was present within the story.php. This issue is caused by an input validation error in the “story.php” script when processing the “id” parameter. The vulnerability could be exploited by malicious people to conduct SQL injection attacks and gain knowledge of sensitive information. Today evidence has arisen from James Bercegay of the GulfTech Security Research Team that would indicate that Pligg has many, many more security vulnerabilities from SQL attacks.

First we have information on another SQL Injection vulnerability discovered today that allows hackers freely to modify and inject information into any of you pligg template files. Remote Code Execution Template Exploit.

Finally we have a massive list which was also documented today by James Bercegay of the GulfTech Security Research Team Pligg 9.9.0 Multiple Vulnerabilities. James has found a lot of Vulnerabilities within the pligg system which are extremely worrying.

Exactly when the fixed/updated version of pligg will be released is at this time still unknown and since losing their lead developer AshDigg back in February Pligg’s overall development hasn’t been the fastest since then.

NOTE: These issues affect Pligg 9.9.0 and prior versions.

Update: AshDigg Pligg’s former lead developer has released a fork of the pligg codebase titled YADC, YADC fixes all security holes found within the pliggv9.9.0 codebase.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Article Details

#

Author: on July 31st, 2008

Category: Pligg

Tags: , , , , ,

  1. pete says:

    You released a version of Pligg. Where are your security fixes? I guess you are just waiting until Pligg release theirs so you can add them to your version and take all the credit?

    I’m also surprised that James Bercegay of GulfTech Security Research Team would allow you to publicly post post his findings.. I guess that’s how they do business. Generally any serious or professional IT security team would never allow this information to be public. So only 2 conclusions can be drawn. You illegally published his findings, or GulfTech is a scam looking to exploit money from Pligg. Either way it’s bad news all around.

  2. amuzihqzi says:

    Shame on socialcmsbuzz telling people how to exploit a pliqq. Shame on GulfTech Security to post in the wild. Never EVER do business with them.

  3. stephan says:

    “Generally any serious or professional IT security team would never allow this information to be public.”

    Since when do IT Security teams not release their findings publicly? It is what they do! (everyone from symantec to secunia do this, duh) I think it is safe for you to take off your tin foil hat now. lol Also, I don’t think he stole the information either as I found out about it here after I was hacked.

    http://www.securityfocus.com/bid/30458/discuss

    Since the Pligg developers seem to be a bunch of slackers I wanted details of the vulnerabilities so that I could fix them myself and get my site back up.

    On a more serious note I hope these issues are fixed soon. My webhost temporarily suspended my account cause my Pligg was used to send spam after it was hacked 🙁

  4. Tiaranda says:

    “Shame on GulfTech Security to post in the wild. Never EVER do business with them.”

    What an ignorant statement, have you ever even dealt with them? GulfTech do great work, and are simply amazing compared to the company that we had reviewing our products before.

    If anything, people should be cautious of a software vendor who does not care enough about their products (or their users) to have them professionally secured.

    On another note, as a long time Pligg user I am definitely switching to YaDC since they are actually the project that secured Pligg when all these vulnerabilities were found. I still can’t believe Yankidank and Co. ganked the fixes from YaDC without even giving due credit :-\ Maybe he should call himself Yankigank lol

  1. Vote for this article at blogengage.com
  2. Vulnerabilitate Pligg | PCNews
  3. meneame.net