Security Issue with Default Pligg Captcha

It’s come to our attention that there is an exploit available to bypass the default Pligg captcha method. The security issue appears to be the same exploit that the hacker software “Auto-Pligg” uses to skip past user registration. We know what is causing the problem and are working on a fix that should be available shortly on the SVN and in the next version of Pligg, which is also due out shortly. The next version (9.9.6) will include several more security fixes and a few general upgrades. We also plan to offer a patch download for those who have recently downloaded Pligg 9.9.5 and only want the updated files. For now, please switch your sites to the Recaptcha or “White Hat” captcha method using your Pligg Admin Panel until we post a solution.

7 thoughts on “Security Issue with Default Pligg Captcha”

  1. I got a similar problem. For the time being I have had my administration folder changed to 440 and disabled all SSH access… So far, my site is alive…

  2. When do you anticipate 9.9.6 being available? I’ve not updated to 9.9.5 yet… should I just wait?

  3. Hi, I am new to Pligg. When you say auto-pligg is bypassing captcha, are you just talking about users, or is this s/w gaining control of the admin panel also? Please clarify. It was not clear from your post. Thanks.

  4. To my knowledge the auto-pligg software was only generating mass amounts of users to add stories and then promote them. They may have also been logging into admin accounts for sites that were too lazy to change the default admin user account password.
