I just received the following in my email. Is this an issue known to the Pligg devs? Any way to fix it at this point or do I need to wait for a future version?
Last edited by AshDigg; 05-25-2007 at 05:19 PM.
This should be fixed pretty quickly! Why not just create a completely random string, store it in a user db field, then check for a match once the reset url is clicked on. If a match is found, the password is reset, and the field is wiped clean until next time. That way, it should be a one-off random string that can't be cracked. Something like:

Code:

```php
if($_POST["processlogin"] == 3) { // if user requests forgotten password
    $username = trim($_POST['username']);
    if(strlen($username) == 0){
        $errorMsg = $main_smarty->get_config_vars("PLIGG_Visual_Login_Forgot_Error");
    } else {
        $safe_username = $db->escape($username); // escape before building SQL by string concatenation
        $user = $db->get_row("SELECT * FROM `" . table_users . "` WHERE `user_login` = '" . $safe_username . "'");
        if($user){
            // one-off confirmation code: stored on the user row, compared on click, then wiped
            $confirm_code = md5($user->user_login . uniqid(rand(), true));
            $to = $user->user_email;
            $subject = $main_smarty->get_config_vars("PLIGG_PassEmail_Subject");
            $body = $main_smarty->get_config_vars("PLIGG_PassEmail_Body") . $my_base_url . $my_pligg_base
                  . '/login.php?processlogin=4&username=' . urlencode($username) . '&confirmationcode=' . $confirm_code;
            $headers = 'From: ' . $main_smarty->get_config_vars("PLIGG_PassEmail_From") . "\r\n";
            // rate limit: at most one reset mail per PLIGG_PassEmail_LimitPerSecond seconds per account
            if(time() - strtotime($user->last_reset_request) > $main_smarty->get_config_vars("PLIGG_PassEmail_LimitPerSecond")){
                if(mail($to, $subject, $body, $headers)) {
                    $main_smarty->assign('user_login', $user->user_login);
                    $main_smarty->assign('profile_url', getmyurl('profile'));
                    $main_smarty->assign('login_url', getmyurl('loginNoVar'));
                    $errorMsg = $main_smarty->get_config_vars("PLIGG_PassEmail_SendSuccess");
                    $db->query("UPDATE " . table_users . " SET last_reset_request=FROM_UNIXTIME(" . time() . "), user_confirm='$confirm_code' WHERE user_login='$safe_username'");
                    define('pagename', 'login');
                    $main_smarty->assign('pagename', pagename);
                } else {
                    $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Delivery_Failed');
                }
            } else {
                $errorMsg = $main_smarty->get_config_vars("PLIGG_PassEmail_LimitPerSecond_Message");
            }
        } else {
            $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Does_Not_Exist');
        }
    }
}
if($_GET["processlogin"] == 4) { // if user clicks on the forgotten password confirmation code
    $username = trim($_GET['username']);
    if(strlen($username) == 0){
        $errorMsg = $main_smarty->get_config_vars("PLIGG_Visual_Login_Forgot_Error");
    } else {
        $safe_username = $db->escape($username);
        $confirmationcode = strip_tags($_GET["confirmationcode"]);
        $user_confirm = $db->get_var("SELECT user_confirm FROM " . table_users . " WHERE user_login='$safe_username'");
        // strict comparison (===) so PHP's loose string/number comparison cannot accept a wrong code
        if($user_confirm !== '' && $user_confirm === $confirmationcode) {
            // as posted: the account is reset to a fixed, known password hash; a freshly generated password sent to the user would be safer
            $db->query("UPDATE " . table_users . " SET user_pass='033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750', user_confirm='' WHERE user_login='$safe_username'");
            $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Forgot_PassReset');
        } else {
            $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Forgot_ErrorBadCode');
        }
    }
}
```

Last edited by Simon; 05-25-2007 at 05:25 PM.
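As an added example (not Pligg's code and not from this thread), the flow Simon describes, taken a step further: the token comes from a CSPRNG, only its SHA-256 hash is stored so a copy of the users table does not hand out live reset links, it expires, is compared in constant time, and is wiped after one use. It assumes a PDO/SQLite schema with `user_confirm`, `confirm_expires` and `last_reset_request` columns, constructed inline here.

```php
<?php
// Added example, not Pligg's own code. Assumes the `users` schema built below (PDO + in-memory SQLite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_login TEXT PRIMARY KEY, user_pass TEXT,
           user_confirm TEXT DEFAULT '', confirm_expires INTEGER DEFAULT 0,
           last_reset_request INTEGER DEFAULT 0)");
$db->exec("INSERT INTO users (user_login, user_pass) VALUES ('alice', 'old-hash')"); // constructed sample row

const RESET_TTL = 3600;        // token valid for one hour
const RESET_MIN_INTERVAL = 60; // at most one reset mail per minute per account

// Step 1 (the page's processlogin=3): issue a one-time token; only sha256(token) is stored.
function issue_reset_token(PDO $db, string $username): ?string {
    $st = $db->prepare("SELECT last_reset_request FROM users WHERE user_login = ?");
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || time() - (int)$row['last_reset_request'] < RESET_MIN_INTERVAL) {
        return null; // unknown user or rate-limited: caller shows the same generic message for both
    }
    $token = bin2hex(random_bytes(32));        // CSPRNG, not md5(uniqid(rand()))
    $st = $db->prepare("UPDATE users SET user_confirm = ?, confirm_expires = ?,
                        last_reset_request = ? WHERE user_login = ?");
    $st->execute([hash('sha256', $token), time() + RESET_TTL, time(), $username]);
    return $token; // goes into the e-mailed link only; never logged or stored in clear
}

// Step 2 (the page's processlogin=4): consume the token exactly once, then wipe it.
function consume_reset_token(PDO $db, string $username, string $token, string $new_pass_hash): bool {
    $st = $db->prepare("SELECT user_confirm, confirm_expires FROM users WHERE user_login = ?");
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['user_confirm'] === '' || time() > (int)$row['confirm_expires']) {
        return false; // no outstanding token, or it has expired
    }
    // hash_equals: constant-time compare with strict string semantics (no loose "0e.." surprises)
    if (!hash_equals($row['user_confirm'], hash('sha256', $token))) {
        return false;
    }
    $st = $db->prepare("UPDATE users SET user_pass = ?, user_confirm = '', confirm_expires = 0
                        WHERE user_login = ?");
    $st->execute([$new_pass_hash, $username]);
    return true;
}

$t = issue_reset_token($db, 'alice');
var_dump(consume_reset_token($db, 'alice', 'not-the-token', 'new-hash')); // wrong token
var_dump(consume_reset_token($db, 'alice', $t, 'new-hash'));              // the e-mailed token
var_dump(consume_reset_token($db, 'alice', $t, 'other-hash'));            // same token again: already consumed
```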
Yes I'm aware of it and working on it.
Hi, I'm a newbie, but I made one rule for mod_security 2 to stop the password reset while a fix is released.

Code:

```apache
SecRule REQUEST_URI|ARGS|ARGS_NAMES "login.php\?processlogin=4\&username=[[:graph:]]+\&confirmationcode=[[:graph:]]+" \
    "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Pligg Reset Password Attack. Matched signature <%{TX.0}>',id:'400001',severity:'2'"
```
Could you guys be more specific, at least by PM? Because it's starting to worry me: I've just launched my first Pligg site. What can happen with the password resetting? I use url2, but I don't understand the problem nor the solution!
AshDigg has created a patch and we are currently testing it.
The first thing we do on any Pligg installation is to change the admin user_name to something other than God and use the god user only for administration; that user will not post/vote on stories. We also added a small additional query to remove the user from the top users list (where user_id > 1). This way there is less possibility that a hacker can predict and attack on any system.
The patch is here.
Good to get it fixed faster.
This is exactly what I've done in the past as well.