Tags: captcha, Security
Posted in Security | 7 Comments »
It’s come to our attention that there is an exploit available to bypass the default Pligg captcha method. The security issue appears to be the exploit that the hacker software “Auto-Pligg” uses to skip past user registration. We know what is causing the problem and are working on a fix that should be available shortly on the SVN and in the next version of Pligg, which will be out soon. The next version (9.9.6) will include several more security fixes and a few general upgrades. We also plan to offer a patch download for those who have recently downloaded Pligg 9.9.5 and only want the updated files.
For now, please switch your sites to the Recaptcha or “White Hat” captcha method using your Pligg Admin Panel until we post a solution.
Tags: Download, Security
Posted in Download, Security | 13 Comments »
35,000 emails have been sent out this evening to let Pligg users know that we have a security fix out to patch some of the recent vulnerabilities discovered in the Pligg core. The contents of the email can be found below.
Download Pligg 9.9.5
This week has been a stressful one for many Pliggers due to a security vulnerability discovered and exploited by a few hackers. Even though we have not changed the code over the past several months, three separate people seem to have found holes in the Pligg software within the same few days. Since we first discovered the problem we have been frantically trying to patch the hole and get a release out to the public, and tonight we are ready to provide you with the first solution for protecting your Pligg site. I must thank many of you for posting to the forums some of the fixes that we have applied.
First, please update to the latest version of Pligg available (currently 9.9.5). This release, published just minutes ago, should take care of many of the security vulnerabilities that the hackers are exploiting. I have also hired a third-party expert to analyze and patch any security holes that might still exist in Pligg, and a part-time coder to assist in developing Pligg over the next month as we approach 1.0. Any updates that I receive from either of these people will be added to the SVN and, shortly after that, to the next Pligg version.
Second, we are developing a feature that will send registration confirmation emails, which will hopefully stop, or at least slow down, spammers and some hackers. You can expect this (along with a new default Pligg template) in version 1.0, which is due out soon.
Third, we will be providing you with frequent updates now through the Pligg blog as we continue to develop and refine our software. I am committed to improving Pligg and bringing in several new free templates over the next month. The latest version of Pligg will now display the latest Pligg Blog titles in the admin panel so you can keep an eye on developments.
Last but not least I must announce our new SVN server URL. We have changed services so that our developers can communicate and track changes better. You can now find our new SVN URL at:
https://pligg.svn.beanstalkapp.com/pligg/
You can also keep track of our SVN changes through Twitter using this URL: http://twitter.com/pligg