[sunstardude]

I just received the following in my email. Is this an issue known to the Pligg devs? Any way to fix it at this point or do I need to wait for a future version?

[Simon]

This should be fixed pretty quickly!

Why not just create a completely random string, store it in a user db field, then check for a match once the rest url is clicked on. If a match is found, password reset, and the field is wiped clean until next time. That way, it should be a 1-off random string that can't be cracked.

Something like:

Code:

    if($_POST["processlogin"] == 3) { // if user requests forgotten password
        $username = trim($_POST['username']);
        if(strlen($username) == 0){
            $errorMsg = $main_smarty->get_config_vars("PLIGG_Visual_Login_Forgot_Error");
        } else {
            $user = $db->get_row("SELECT * FROM `" . table_users . "` where `user_login` = '".$username."'");
            if($user){
                $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
                $confirm_code = md5($user->user_login . uniqid(rand(), true));
                $to = $user->user_email;
                $subject = $main_smarty->get_config_vars("PLIGG_PassEmail_Subject");
                $body = $main_smarty->get_config_vars("PLIGG_PassEmail_Body") . $my_base_url . $my_pligg_base . '/login.php?processlogin=4&username=' . $username . '&confirmationcode=' . $confirm_code;
                $headers = 'From: ' . $main_smarty->get_config_vars("PLIGG_PassEmail_From") . "\r\n";
                if(time() - strtotime($user->last_reset_request) > $main_smarty->get_config_vars("PLIGG_PassEmail_LimitPerSecond")){
                    if(mail($to, $subject, $body, $headers)) {
                        $main_smarty->assign('user_login', $user->user_login);
                        $main_smarty->assign('profile_url', getmyurl('profile'));
                        $main_smarty->assign('login_url', getmyurl('loginNoVar'));
                        $errorMsg = $main_smarty->get_config_vars("PLIGG_PassEmail_SendSuccess");
                        $db->query("UPDATE " . table_users . " SET last_reset_request=FROM_UNIXTIME(".time()."), user_confirm='$confirm_code' WHERE user_login='$username'");
                        define('pagename', 'login'); 
                        $main_smarty->assign('pagename', pagename);
                    } else {
                        $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Delivery_Failed');
                    }
                } else{
                    $errorMsg = $main_smarty->get_config_vars("PLIGG_PassEmail_LimitPerSecond_Message");
                }
            } else{
                $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Does_Not_Exist');
            }
        }
    }

    if($_GET["processlogin"] == 4) { // if user clicks on the forgotten password confirmation code
        $username = trim($_GET['username']);
        if(strlen($username) == 0){
            $errorMsg = $main_smarty->get_config_vars("PLIGG_Visual_Login_Forgot_Error");
        } else {
            $confirmationcode = strip_tags($_GET["confirmationcode"]);
            $user_confirm = $db->get_var("SELECT user_confirm FROM " . table_users . " WHERE user_login='$username'");
            if($user_confirm == $confirmationcode && $user_confirm != '') {
                $db->query("UPDATE " . table_users . " SET user_pass='033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750', user_confirm='' WHERE user_login='$username'");
                $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Forgot_PassReset');
            } else {
                $errorMsg = $main_smarty->get_config_vars('PLIGG_Visual_Login_Forgot_ErrorBadCode');
            }
        }
    }

Then create a new field called user_confirm in the users table. Probably better ways to do it, but that's what I've done for now until devs come up with something more concrete.

[AshDigg]

Yes I'm aware of it and working on it.

[tuxsoul]

Hi, i'm newbie but make one rule to mod_security 2, for stop the reset password while a fix is release

Code:

SecRule REQUEST_URI|ARGS|ARGS_NAMES "login.php\?processlogin=4\&username=[[:graph:]]+\&confirmationcode=[[:graph:]]+" \
        "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Pligg Reset Password Attack. Matched signature <%{TX.0}>',,id:'400001',severity:'2'"

[wwwSENSERELYcom]

could you guys be more specific, at least by PM? Because it's starting to worry me, I've just launched my first pligg site, what can happren with the password resetting? I use url2 but i don't understand the problem nor the solution!

[Yankidank]

AshDigg has created a patch and we are currently testing it.

[dollars5]

The first thing we do on any Pligg installations is to change the admin user_name to something other than God and use the god user only for administration and that user will not post/vote on stories, also we added a small additional query to remove the user for top users list (where user_id > 1) - this way there is less possibility that a hacker can predict and attach on any system.

[AshDigg]

The patch is here.

[dollars5]

Good to get it fix faster.

[revolver]

This is exactly what I've done in the past as well.

Quote:

Originally Posted by dollars5

The first thing we do on any Pligg installations is to change the admin user_name to something other than God and use the god user only for administration and that user will not post/vote on stories, also we added a small additional query to remove the user for top users list (where user_id > 1) - this way there is less possibility that a hacker can predict and attach on any system.