Yet More Security Vulnerabilities Found In Pligg V9.9.0
On Tuesday of this week we alerted Pligg based CMS users to a Remote SQL Injection Vulnerability that was present within the story.php. This issue is caused by an input validation error in the “story.php” script when processing the “id” parameter. The vulnerability could be exploited by malicious people to conduct SQL injection attacks and gain knowledge of sensitive information. Today evidence has arisen from James Bercegay of the GulfTech Security Research Team that would indicate that Pligg has many, many more security vulnerabilities from SQL attacks.
First we have information on another SQL Injection vulnerability discovered today that allows hackers freely to modify and inject information into any of you pligg template files. Remote Code Execution Template Exploit.
Finally we have a massive list which was also documented today by James Bercegay of the GulfTech Security Research Team Pligg 9.9.0 Multiple Vulnerabilities. James has found a lot of Vulnerabilities within the pligg system which are extremely worrying.
Exactly when the fixed/updated version of pligg will be released is at this time still unknown and since losing their lead developer AshDigg back in February Pligg’s overall development hasn’t been the fastest since then.
NOTE: These issues affect Pligg 9.9.0 and prior versions.
Update: AshDigg Pligg’s former lead developer has released a fork of the pligg codebase titled YADC, YADC fixes all security holes found within the pliggv9.9.0 codebase.
If you enjoyed this post, make sure you subscribe to our RSS feed!
Related Articles
-
Pligg Beta 9.9.0 Remote SQL Injection Vulnerability Discovered
A new security vulnerability in Pligg V9.9.0 has been discovered at milw0rm.com, the exact type of security threat is that of a Remote SQL Injection in Pligg's -
YADC: A Fork Of The Pligg CMS System Launches It’s BETA 1 Release
YADC which stands for "Yet Another *igg CLone" Launches it's BETA 1 version to the public today, YADC is a fork of the popular Pligg CMS System -
Pligg Beta v9.9.5 Released Or Should We Call It YADC?
Pligg have just released an updated version of their popular digg clone cms system to the pligg community, v9.9.5 has been released to combat that vast amount -
SocialCMSBuzz gets banned from the pligg forums for revealing PYcURL Security Vurnability
We had previous indications that the pligg team couldn't handle criticism well from the experience of reading certain posts in their forums, now however they have turned -
Pligg v9.9.5 New Captcha Bypass Security Exploit Found
After the hurried and somewhat controversial release of Pligg v9.9.5 to fix some really bad security exploits it has come to light today that a new exploit
amuzihqzi 
stephan 
Hi Alex,
You shouldn't need the fix now as the modules has been updated a few times since then and the ...
I cannot for the life of me get the latest version to setup for me.
Any tips or all in one ...
Hi Lincoln,
Thanks for this epic set of tutorials!
You mention a "fixed" package above for the EVB but I can't find ...
This Theme is Simply Fabulous. Goes well with any type of types i think!
Thanks a Lot for the Post
----
Alex | ...
All you sales links form your themes are going to your own site... are you collecting paypal logins or have ...
adding in rss reader too, like this module ^^ 
thanks! I LIKE THE 'Wynton Magazine' theme! 
You released a version of Pligg. Where are your security fixes? I guess you are just waiting until Pligg release theirs so you can add them to your version and take all the credit?
I’m also surprised that James Bercegay of GulfTech Security Research Team would allow you to publicly post post his findings.. I guess that’s how they do business. Generally any serious or professional IT security team would never allow this information to be public. So only 2 conclusions can be drawn. You illegally published his findings, or GulfTech is a scam looking to exploit money from Pligg. Either way it’s bad news all around.