Security Vulnerability Part 2

[AshDigg]

I'm very sorry to inform you that the patch I posted the other day created another very serious problem. We have a patch available here and advise you to apply this immediately. If you have not installed the first patch, you don't need to, just install this one. If you did install the first patch, then just replace the login file.

I'm very sorry for the inconvenience and thank you for your support.



If you upgrade to Beta 9.6 it already has the fix included.


Instructions for Beta 9.0, 9.1 and 9.5

1) upload the upgrade_login.php into your root Pligg folder. Not the install folder. Then open the file in your browser. If you have *any* errors, let us know as many details as you can so we can help you fix it. This only needs to be done once, so if you did it within the last 2 days you don't need to again.

2) upload the appropriate login.php file. Rename your existing /login.php file to /login.php.bak, rename the new one you just uploaded to /login.php. Please note, this is NOT the /libs/login.php file.

3) If you can login / logout without any problems, then delete the .bak file.

[AshDigg]

Instructions for Beta 8.2

1) upload the upgrade_0.8.2.php into your root Pligg folder. Not the install folder. Then open the file in your browser. If you have *any* errors, let us know as many details as you can so we can help you fix it. This only needs to be done once, so if you did it within the last 2 days you don't need to again.

2) upload the 8.2_login.php file. Rename your existing /login.php file to /login.php.bak, rename the new one you just uploaded to /login.php. Please note, this is NOT the /libs/login.php file.

3) If you can login / logout without any problems, then delete the .bak file.

If the upgrade file just shows a blank page, try to run this in phpMyAdmin.

Code:

ALTER TABLE `users` ADD `last_reset_code` varchar(255) default NULL

[AshDigg]

Instructions for Beta 7.2

1) upload the upgrade_0.7.2.php into your root Pligg folder. Not the install folder. Then open the file in your browser. If you have *any* errors, let us know as many details as you can so we can help you fix it. This only needs to be done once, so if you did it within the last 2 days you don't need to again.

2) upload the 7.2_login.php file. Rename your existing /login.php file to /login.php.bak, rename the new one you just uploaded to /login.php. Please note, this is NOT the /libs/login.php file.

3) If you can login / logout without any problems, then delete the .bak file.

If the upgrade file just shows a blank page, try to run this in phpMyAdmin.

Code:

ALTER TABLE `users` ADD `last_reset_code` varchar(255) default NULL

[Fernandojs]

Thanks!

upgrade is complete!

[dollars5]

NP m8, atleast you found it earlier and fixed it sooner before it hasbeen exploited - kudoos to you and thanks for the fix.

[sam07]

Thanks for the heads up!

[skins4webs]

Thanks again.

Upgrade was successful.

[mStudios]

this worked really well - and this time there was no white page here :-)

[bichopro]

Thanks so much

[harlem]

thanks for catching it early and for an even quicker response.