[SOLVED] Do NOT run version 9.9.0!!!
-
New Pligger
Fair warning to everyone, 9.9 is RIDDLED with security holes. My Pligg 9.9 site was running less than 24 hours and my hosting provider shut it down because it had been compromised and other scripts installed that were doing bad things. A few internet searches show quite a few SQL injection bugs and total lack of sanitization of input parameters as well as a nice hack to get anyone's password.
If you are running Pligg 9.9, you will be compromised very, very soon. Posting a quaint warning that there are security holes that have fixes and workarounds and not posting those fixes or workarounds is a complete disservice to the 16,000 people who have downloaded this version.
Does anyone know if these are only issues with 9.9 and can an older version be used? Due to the nature of these issues I am assuming it is probably all versions of Pligg that are vulnerable.
Users beware, again, your 9.9 sites are wide open for attack and all anyone has to do is a quick Google search to find your site and it's all over.
-
Constant Pligger
It's version 0.9.9, not ver 9.9.
I guess this is an old story. We are all still waiting for the new version to come out.
-
Pligg Donor
KerryG - Did your hosting provider give you any details? It would be nice to know what happened and how.
-
Casual Pligger
Yes, sorry, of course it's 0.9.9. We will see in the next few hours if that is an old story. If they don't release a new version, using Pligg will be dangerous.
@catchpen
They don't need to give him any details; just look at that exploit I provided a link to. Run it and see that it can change the files in your template folder, so anyone can customize it to include any code they want in one of your template files.
-
Casual Pligger
Let's wait for 1.0 then...
Anyway, nothing stops us from developing on 0.9.9 and upgrading later, I think.
-
Pligg Founder
All known security issues should be patched by week's end. Please be patient as we work on providing you with a solution as quickly as possible.
-
New Pligger
Originally Posted by Yankidank:
"All known security issues should be patched by week's end. Please be patient as we work on providing you with a solution as quickly as possible."
I don't think you fully appreciate the issue here. It is highly recommended that anyone using 0.9.9 take their site OFFLINE immediately. The hacker used an exploit that allowed them to install a script called hello.php into the root directory of my installation. My provider only told me that the script was doing "bad things" and so they disabled my account which shut off 10 different websites. You should post what all of the known security issues are and the current code to fix them and you might actually get some help from your community in solving the problems.
I run a much larger open source project than this and I have found that you need to be as open as possible to your users and they will respond by giving you assistance during problems like this. If you keep trying to minimize a significant problem like this, it only hurts you and the project.
-
New Pligger
For anyone that doesn't understand how bad this is, there is a very simple script available that you run and point to a Pligg site; within about 2 seconds you have SHELL access to that site and can do anything you want. This isn't a simple page hack, this is a SERIOUS security problem that gives a hacker complete access to your entire hosting environment. Once you have shell access you can sit there and download files, edit files, install code, pretty much anything you want.
-
New Pligger
My website was hacked today! Yesterday I just upgraded it to Pligg Beta 9.9.0.
-
New Pligger
I dug into the issue and I found how the attacker found my site:
"Powered By Pligg" - Search on Google
He searched for Powered By Pligg!!
He modified my footer and put in the words By BeyazKurt.
He also put in some redirect to a page.