Security Vulnerability

#1
05-26-2007, 11:08 PM
AshDigg
Mayor of PliggVille/Coder
Join Date: Dec 2005
Posts: 1,515
A very serious bug has been found in _all_ versions of Pligg. We have a patch available here. We advise you to apply this immediately.

For versions 9.0, 9.1 and 9.5:
1) upload the upgrade_login.php into your root Pligg folder. Not the install folder. Then open the file in your browser. If you have *any* errors, let us know as many details as you can so we can help you fix it.

2) upload the appropriate login.php file. Rename your existing /login.php file to /login.php.bak, rename the new one you just uploaded to /login.php. Please note, this is NOT the /libs/login.php file.

3) If you can login / logout without any problems, then delete the .bak file.

We expect to release a beta 9.5.1 (security update) before the end of the month to fix this and a few other bugs we found.

Thanks.

ps: if you want to manually edit your login file, look here.
Attached Files
File Type: php upgrade_login.php (352 Bytes, 680 views)
File Type: php 9.1_login.php (5.3 KB, 361 views)
File Type: php 9.5_login.php (5.6 KB, 569 views)
File Type: php 9.0_login.php (5.3 KB, 252 views)

Last edited by AshDigg; 05-27-2007 at 12:23 AM.
#2
05-26-2007, 11:59 PM
New Pligger
Join Date: Dec 2006
Posts: 2
What exactly was the problem, and how bad of a risk is it to not apply this update?

(These questions should be addressed in all Security updates if possible)
#3
05-27-2007, 12:05 AM
dollars5
Pligg Donor
Join Date: Dec 2006
Location: India
Posts: 1,961
Please check here: Pligg Security Vulnerability - Password Change Request. There was a security hole which had the risk of site takeover, but thankfully Ash got it fixed sooner.

Please take some additional precautions also, as outlined in that thread, to protect your site better.

Last edited by dollars5; 05-27-2007 at 12:44 AM.
#4
05-27-2007, 12:09 AM
New Pligger
Join Date: Sep 2006
Posts: 2
One point I'd like to share is the note to change /login.php to /login.php.bak

I wouldn't leave any .bak extension files of any kind on a server. I've seen those exploited by hackers before.
#5
05-27-2007, 12:15 AM
AshDigg
Mayor of PliggVille/Coder
Join Date: Dec 2005
Posts: 1,515
Quote:
Originally Posted by robaubie
One point I'd like to share is the note to change /login.php to /login.php.bak

I wouldn't leave any .bak extension files of any kind on a server. I've seen those exploited by hackers before.
Good point, updated my instructions, thanks.
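The patch procedure from post #1 together with the point raised in post #4 about leftover .bak files, as an added shell example that is not part of this thread or of Pligg's own code. A web server does not treat login.php.bak as PHP, so it serves the file as plain text and exposes the old source; the script below therefore moves the old login.php to a backup directory outside the web root instead of renaming it in place, and afterwards scans the web root for anything that still looks like a backup. The directory layout, the WEBROOT and BACKUP_DIR arguments and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not Pligg's own code). Assumes WEBROOT is the Pligg root
# folder and BACKUP_DIR is a directory the web server cannot serve (outside
# the web root). Usage, once the new file is downloaded:
#   install_login ./9.5_login.php /var/www/pligg /var/backups/pligg
#   find_exposed_backups /var/www/pligg

# install_login NEW_FILE WEBROOT BACKUP_DIR
# Moves WEBROOT/login.php to BACKUP_DIR/login.php.<timestamp>, then copies
# NEW_FILE into place as WEBROOT/login.php. Refuses to run when BACKUP_DIR
# lies inside WEBROOT, because that would re-create the served-.bak problem.
install_login() {
    new_file=$1; webroot=$2; backup_dir=$3
    case "$backup_dir" in
        "$webroot"|"$webroot"/*)
            echo "refusing: backup dir $backup_dir is inside web root $webroot" >&2
            return 2 ;;
    esac
    [ -f "$new_file" ] || { echo "missing replacement file $new_file" >&2; return 1; }
    mkdir -p "$backup_dir" || return 1
    if [ -f "$webroot/login.php" ]; then
        # Timestamped copy keeps earlier backups from being overwritten.
        mv "$webroot/login.php" "$backup_dir/login.php.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp "$new_file" "$webroot/login.php" || return 1
    # Readable by the web server, writable only by the owner.
    chmod 644 "$webroot/login.php"
}

# find_exposed_backups WEBROOT
# Prints every file under WEBROOT whose name looks like a manual or editor
# backup (.bak, .old, .orig, .swp, trailing ~). Returns 0 when the web root is
# clean and 1 when at least one such file was found.
find_exposed_backups() {
    found=$(find "$1" -type f \( -name '*.bak' -o -name '*.old' \
        -o -name '*.orig' -o -name '*.swp' -o -name '*~' \))
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

Run find_exposed_backups after any manual patching, not just this one; the scan is cheap and catches the .bak, .orig and editor swap files that tend to accumulate during hand edits.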
#6
05-27-2007, 12:15 AM
Constant Pligger
Join Date: Apr 2006
Posts: 100
What about earlier versions of Pligg? I am running a modified 8.2.
#7
05-27-2007, 12:25 AM
AshDigg
Mayor of PliggVille/Coder
Join Date: Dec 2005
Posts: 1,515
Quote:
Originally Posted by DuckFat
What about earlier versions of Pligg? I am running a modified 8.2.
For 8.2 follow the same instructions but use these files.
Attached Files
File Type: php 8.2_login.php (4.8 KB, 207 views)
File Type: php upgrade_0.8.2.php (334 Bytes, 230 views)

Last edited by AshDigg; 05-27-2007 at 01:01 AM.
#8
05-27-2007, 12:52 AM
Constant Pligger
Join Date: Apr 2006
Posts: 100
Okay, I did as instructed, but when I brought up the upgrade_0.8.2.php file in my browser nothing is displayed but a blank white page. I am using Firefox. Is that what is supposed to happen? I was expecting at least a "patch applied" message.
#9
05-27-2007, 01:02 AM
AshDigg
Mayor of PliggVille/Coder
Join Date: Dec 2005
Posts: 1,515
Quote:
Originally Posted by DuckFat
Okay, I did as instructed but when I brought up the upgrade_0.8.2.php file in my browser nothing is displayed but a blank white page.
I just replaced the file. Please try it again. Thanks.
#10
05-27-2007, 01:08 AM
New Pligger
Join Date: Feb 2007
Posts: 24
Just thought I would throw this out there. As a Pligg community, let's not throw this up on Digg or any other information source that will attract hackers' attention. If I am totally wrong, I apologize.