Hello, I am a PHP developer, and I'm pretty decent at finding security vulns and bugs. I also work on http://www.jinzora.org making sure their code is as secure as possible.
Upon examining the pligg code I have found some serious vulnerabilities that can lead to account hijacking on a viral scale like the MySpace worm. I'm not sure what features the Admin accounts have, but I think this exploit won't lead to a server compromise (if the admin can upload PHP scripts then the server can be compromised).
Obviously I won't post this vulnerability on the forum, but I will give you 3 days to contact me (andiroo@gmail.com) by email. If you fail to contact me within the 3 days I will release the details and a PoC on the forum.
If you do contact me I will try and assist you in fixing this problem. I'm sorry for having to threaten you with 3 days to get in contact with me, BUT I've had some companies fail to respond when I notify them of security problems within their product. This way generally forces most companies to comply.
Thanks
P.S. I will need proof of who you are, such as putting a hidden file on www.pligg.com and sending me the link to prove to me you are the genuine owners of pligg.com. We wouldn't want some hackers getting ahold of this with malicious intent, would we?
Admin - Huge Security Vuln
Thanks for letting us know. You're in the IRC chat with me now so I will probably talk to you there.
__________________ I accept donations for my time helping users like you on the forum and IRC.
Wow, I should have proofread that message. Ash has been in contact, within 10 mins of me contacting pligg! Hopefully this will be sorted soon.
Pligg vulnerability
Hello, Thanks to andiroo for his discovery! We're evaluating Pligg for a corporate implementation; is it as serious as first thought? Thanks, Francis
It was fixed within the hour after contacting Ash about it.