[SOLVED] Do NOT run version 9.9.0!!!

[KerryG]

Quote:

Originally Posted by justelite

my website was hacked today! Yestersday I just upgrade it at Pligg Beta 9.9.0.

Sorry to hear that but you will not be the last since there is no urgency by the developers to solve this. Anyone using 0.9.9 should disable their sites immediately or risk the same thing. This is not a small risk, this is a critical risk to any site using this version. The exploit code works WAY too well.

[justelite]

http://www.pickknow.com/ - another pligg down

[ddluk]

Ok. There is a temporary solution to avoid using that script. You need give the files admin_editor.php and settemplate.php chmod 000 or copy it to your hard disk and delete it from your hosting. The exploit use admin_editor.php to edit your template files, after chmodiing or deleting they can't edit it. They can get the name of admin (in standard) but the can't do nothing more.

That's only temporary fix, when Pligg team release update you can put files to your web host.

[KerryG]

Quote:

Originally Posted by ddluk

Ok. There is a temporary solution to avoid using that script. You need give the files admin_editor.php and settemplate.php chmod 000 or copy it to your hard disk and delete it from your hosting. The exploit use admin_editor.php to edit your template files, after chmodiing or deleting they can't edit it. They can get the name of admin (in standard) but the can't do nothing more.

That's only temporary fix, when Pligg team release update you can put files to your web host.

The shell exploit is in index.php, you can't really remove that one. The way that is done is though an exploit in vote.php. Your solution is only a partial fix but if the site is still running it is still vulnerable to the very dangerous shell exploit. Removing those files does not protect your system at this time.

[ddluk]

Thanks catchpen. I look into that files and find simple solution. You need to open file vote.php, then find line:

Code:

if($_POST['id']){

and edit it to that:

Code:

if(is_numeric($_POST['id'])){

Open settemplate.php, then find:

Code:

if(file_exists("./templates/".$_GET['template']."/link_summary.tpl")){

and change into:

Code:

if(file_exists("./templates/".$_GET['template']."/link_summary.tpl")) && strpos('.', $_GET['template']) === 0){

Open login.php, then find:

Code:

$username = trim($_POST['username']);
$password = trim($_POST['password']);

and change to that:

Code:

$username = sanitize(trim($_POST['username']), 3);
$password = sanitize(trim($_POST['password']), 3);

find

Code:

$username = trim($_POST['username']);

and change to:

Code:

$username = $db->escape(trim($_POST['username']));

find:

Code:

$username = trim($_GET['username']);

and change to:

Code:

$username = sanitize(trim($_GET['username']), 3);

Open cvote.php, then find:

Code:

$comment->id=$_POST['id'];

(line 20)

after that paste:

Code:

if(!is_numeric($comment->id)){die();}

Open edit.php, then find:

Code:

$link->commentid=$_REQUEST['commentid'];

and after that paste :

Code:

if(!is_numeric($link->commentid)){die();}

[gen3ric]

Do we know if this exploit only applies to v9.9 or previous versions as well?

[ddluk]

After that code changing exploit doesn't work :)

[KerryG]

I made all of those changes and the exploit script still gets my shell access.

[lumpen5]

Ok I have updated my code.

Posting, viewing, voting all seem to work

[ddluk]

Quote:

Originally Posted by KerryG

I made all of those changes and the exploit script still gets my shell access.

Hmmm that's impossible. Give me your site address via pm.