Security Issue with Default Pligg Captcha
It has come to our attention that an exploit is available that bypasses the default Pligg captcha method. It appears to be the exploit that the hacker software “Auto-Pligg” uses to skip past user registration. We know what is causing the problem and are working on a fix, which should be available shortly on the SVN and in the next version of Pligg. That version (9.9.6) will include several more security fixes and a few general upgrades. We also plan to offer a patch download for those who recently downloaded Pligg 9.9.5 and only want the updated files.
For now, please switch your sites to the reCAPTCHA or “White Hat” captcha method using your Pligg Admin Panel until we post a solution.





August 5th, 2008 at 7:45 am
After that I get Module Error #1. I am not sure, or it was before?
August 5th, 2008 at 5:31 pm
I switched to white hat captcha and my site got hacked again!
August 5th, 2008 at 8:50 pm
I got a similar problem. For the time being I have had my administration folder changed to 440 and disabled all the SSH access… So far, my site is alive…
August 6th, 2008 at 8:48 pm
When do you anticipate 9.9.6 being available? I’ve not updated to 9.9.5 yet… should I just wait?
August 16th, 2008 at 3:30 pm
jkjunkfilter, do not wait to update, 9.9.5 is very important.
September 1st, 2008 at 5:55 am
Hi, I am new to Pligg. When you say auto-pligg is bypassing captcha, are you just talking about users or is this s/w gaining control of the admin panel also? Please clarify. It was not clear from your post. Thanks.
September 1st, 2008 at 10:58 am
To my knowledge the auto-pligg software was only generating mass amounts of users to add stories and then promote them. They may have also been logging into admin accounts for sites that were too lazy to change the default admin user account password.