A very serious bug has been found in _all_ versions of Pligg. We have a patch available here. We advise you to apply this immediately.
For 9.0, 9.1, 9.5 versions:
1) Upload the upgrade_login.php into your root Pligg folder. Not the install folder. Then open the file in your browser. If you have *any* errors, let us know as many details as you can so we can help you fix it.
2) Upload the appropriate login.php file. Rename your existing /login.php file to /login.php.bak, rename the new one you just uploaded to /login.php. Please note, this is NOT the /libs/login.php file.
3) If you can log in / log out without any problems, then delete the .bak file.
We expect to release a beta 9.5.1 (security update) before the end of the month to fix this and a few other bugs we found.
Thanks.
PS: If you want to manually edit your login file, look here.
Security Vulnerability
__________________ - Ash Last edited by AshDigg; 05-26-2007 at 11:23 PM.

What exactly was the problem, and how bad of a risk is it to not apply this update? (These questions should be addressed in all Security updates if possible)

Please check here: Pligg Security Vulnerability - Password Change Request. There was a security hole which had the risk of site takeover - but thankfully Ash got it fixed sooner. Please also take some additional precautions as outlined in that thread to protect your site better.
__________________ Last edited by dollars5; 05-26-2007 at 11:44 PM.
One point I'd like to share is the note to change /login.php to /login.php.bak. I wouldn't leave any .bak extension files of any kind on a server. I've seen those exploited by hackers before.

Good point, update my instructions, thanks
__________________ - Ash
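The concern about leftover .bak files raised above, as an added example that is not part of the original thread or Pligg's own code: a web server that hands only *.php to the interpreter typically returns login.php.bak as plain text, so this sketch lists such copies under a webroot. The suffix list, function names and sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Suffixes that manual renames and editors commonly leave behind
# (assumed list for this example; extend it for your environment).
BACKUP_NAME = re.compile(
    r"^(?P<live>.+\.php)(\.bak|\.old|\.orig|\.save|\.swp|~|\.\d+)$",
    re.IGNORECASE,
)

def find_backup_copies(webroot):
    """Return sorted (relative_path, live_copy_exists) for leftover copies of PHP scripts."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            match = BACKUP_NAME.match(name)
            if not match:
                continue
            live = os.path.join(dirpath, match.group("live"))
            rel = os.path.relpath(os.path.join(dirpath, name), webroot)
            findings.append((rel.replace(os.sep, "/"), os.path.isfile(live)))
    return sorted(findings)

def build_sample_webroot(root):
    """Constructed sample tree mirroring the state after step 2 of the upgrade."""
    os.makedirs(os.path.join(root, "libs"))
    for rel in ("login.php", "login.php.bak", "libs/login.php",
                "libs/db.php~", "index.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        for rel, has_live in find_backup_copies(root):
            state = "live copy present" if has_live else "no live copy beside it"
            print(f"{rel}: leftover backup ({state})")
```

Run it against the real document root after the upgrade; anything it lists should be deleted or moved outside the web-served directory once login and logout are confirmed working.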
What about earlier versions of Pligg? I am running a modified 8.2.

Okay, I did as instructed but when I brought up the upgrade_0.8.2.php file in my browser nothing is displayed but a blank white page. I am using Firefox. Is that what is supposed to happen? I was expecting at least a "patch applied" message.

I just replaced the file. Please try it again. Thanks
__________________ - Ash
Just thought I would throw this out there. As a Pligg community, let's not throw this up on DIGG or any other information source that will attract hackers' attention. If I am totally wrong I apologize.