Security vulnerabilities found in Reddit and Pligg

Pligg, the open source CMS that lets you easily create a RSVC (Digg-like) site, has a serious security vulnerability in all its versions that enables attackers to take control of the website. All Pligg admins are advised to apply the patch immediately.

In an unrelated incident, Reddit users discovered that Reddit doesn’t sanitize the markup in its comments properly, which could be used to mount an XSS (cross-site scripting) attack. The vulnerability has already been fixed, and pasting the code in a Reddit comment will now result in the display of the following text: “I am a terrible person”. So, if you don’t want to be ridiculed by Redditors, don’t try it. Some more information about the hack can be gathered from this Digg thread.
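The root cause in the Reddit case is the classic one: comment text is handed to the browser with its markup intact. As an added example (not Reddit's or Pligg's code, and the sample comments are constructed), the following shows the unsafe rendering beside a safe one that escapes every user-supplied character before any HTML is rebuilt around it, auto-links only plain `http(s)` URLs, and flags comments containing tag-like or event-handler text for review. The helper names (`escapeHtml`, `renderComment`, `looksLikeMarkupInjection`) are assumptions for this illustration.

```javascript
// Added example, not code from the post or from Reddit/Pligg.
// Renders untrusted comment text so that markup is displayed literally
// rather than interpreted by the browser.

// Escape the five characters that can change HTML context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Accept only http(s) URLs for auto-linking; anything else (javascript:, data:, ...)
// stays as plain escaped text. Returns the normalized URL or null.
function safeHref(url) {
  try {
    const u = new URL(url);
    return (u.protocol === "http:" || u.protocol === "https:") ? u.href : null;
  } catch {
    return null;
  }
}

// The 'before' behaviour: comment text goes to the page unchanged.
// Any <script> or on*= attribute the author typed runs in every reader's browser.
function renderCommentUnsafe(raw) {
  return raw;
}

// The 'after' behaviour: escape first, then build links only from tokens that
// are bare http(s) URLs. Because escaping is applied to the raw text before
// any HTML is generated, no user-supplied markup survives into the output.
// (A URL followed by punctuation, e.g. "http://x.com.", keeps the dot; that is
// a usability quirk, not a security issue.)
function renderComment(raw) {
  const tokens = String(raw).split(/(\s+)/); // capture group keeps whitespace tokens
  return tokens.map((tok) => {
    if (/^https?:\/\/\S+$/i.test(tok)) {
      const href = safeHref(tok);
      if (href) {
        return `<a href="${escapeHtml(href)}" rel="nofollow">${escapeHtml(tok)}</a>`;
      }
    }
    return escapeHtml(tok);
  }).join("");
}

// Detection heuristic for moderation/logging: does the comment contain
// something that looks like a tag or an inline event handler? Escaping above
// is the actual control; this only decides whether to flag the post.
function looksLikeMarkupInjection(raw) {
  return /<\s*\/?\s*[a-z]/i.test(raw) || /\bon[a-z]+\s*=/i.test(raw) || /javascript:/i.test(raw);
}

// Constructed sample comments for demonstration.
const SAMPLE_COMMENTS = [
  "Nice find, see http://example.com/?a=1&b=2 for details",
  "<script>alert(document.cookie)</script>",
  "<img src=x onerror=\"alert(1)\">",
  "click javascript:alert(1) here",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const c of SAMPLE_COMMENTS) {
    console.log(JSON.stringify(c));
    console.log("  unsafe :", renderCommentUnsafe(c));
    console.log("  safe   :", renderComment(c));
    console.log("  flagged:", looksLikeMarkupInjection(c));
  }
}
```

The order of operations is the point: escape the raw text, then generate any HTML yourself from values you have already validated (here, the URL scheme). Doing it the other way round, or escaping only "dangerous looking" comments found by the heuristic, reintroduces the bug as soon as an input the heuristic misses comes along.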

15 Responses to “Security vulnerabilities found in Reddit and Pligg”

  1. Aaron Bassett Says:

    I’ve just finished a post on why XSS vulnerabilities need to be taken seriously (by posting some examples of how a malicious user could use XSS to steal login details etc) You can read it over on my blog: http://foobr.co.uk/2007/05/javascript_is_for_hackers/

  2. Stan Schroeder Says:

    @Aaron: thanks, the examples are great.

  3. Aaron Bassett Says:

    Cheers, I just thought the best way to show people why XSS is an issue to be taken seriously is to give them some examples of how it can be malicious.
    A lot of people on reddit thought it wasn’t a big deal as the only things that people were doing was removing the logo etc.

    But some people have yet to grasp just how powerful Javascript can be and just how much damage could be caused by allowing users to inject it into your pages.

  4. Stan Schroeder Says:

    @Aaron: incidentally, both Croatian big blog services are currently under attack by a hacker (he’s posting unauthorized posts on blogs), and while my guess is that it might be an XSS problem, the official word is to ‘change your passwords to something stronger’. I hope they’ll find someone who actually knows what he/she’s talking about to fix this for them.

  5. mineral cosmetic recipes Says:

    how many gigabytes do ipods have
    height and weight charts for s

  6. wallCoera Says:

    rationale tamper minty realize ephs beside pills

  7. Sabrina Fies Says:

    Hello, my name is Sabrina and I was searching the internet when I came across your blog, which I liked a lot and which is quite pleasant to read. I’ll come back next week to read you again. Regards, Sabrina

  8. malware bite Says:

    This is an excellent site, I will definitely be adding this blog to my bookmarks.

  9. wireless network help Says:

    Thank you so much for the awesome post, This was exactly what I needed to read

  10. security camera monitor Says:

    Good recap from you, I would have got myself lost in here if I hadn’t found your blog, thanks for your info

  11. Grace Whitehead Says:

    Just thought I would let you know that Google led me here, and I sure am glad I found this site. I will be coming back over in a few days to see if there are updated posts.

  12. Curt Perreira Says:

    hey this blog is great. I’m glad I came by this blog. Maybe I can contribute in the near future. PM ME on Yahoo AmandaLovesYou702 Thank you day758

  13. jseo Ma Says:

    Wonderful site SEO hacking Gurus?AGOOD!!:)

  14. Kristina U. Hutchinson Says:

    I purchased a cctv system from sams club. What a mistake. Bad quality products. I guess you get what you pay for. I found cctvboss via google and whilst they were not the cheapest to buy from, they sure knew their products and the service was great.

  15. Free Insur Says:

    Here you can get all the insurances you need Free Insurance guide.
