« Quick news: Facebook F8, MyBlogLog tags, Google Calendar mobile
Web 2.0 buttons, 3D style! »

Security vulnerabilities found in Reddit and Pligg

Pligg, the open source CMS that lets you easily create a RSVC (Digg-like) site, has a serious security vulnerability in all its versions, which enables malicious attackers to take control of the website. All Pligg admins are advised to apply the patch immediately.

In an unrelated incident, Reddit users discovered that Reddit doesn’t clean up the code in its comments very well, which can be used to employ an XSS-based attack. The vulnerability has already been fixed, and pasting the code in a Reddit comment will now result in the display of the following text: “I am a terrible person”. So, if you don’t want to be ridiculed by Redditers, don’t try it. Some more information about the hack can be gathered from this Digg thread.

This entry was posted on Sunday, May 27th, 2007 at 4:42 am and is filed under Web, Web 2.0, News. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

5 Responses to “Security vulnerabilities found in Reddit and Pligg”

  1. Aaron Bassett Says:
    May 27th, 2007 at 7:30 am

    I’ve just finished a post on why XSS vulnerabilities need to be taken seriously (by posting some examples of how a malicious user could use XSS to steal login details etc) You can read it over on my blog: http://foobr.co.uk/2007/05/javascript_is_for_hackers/

  2. Stan Schroeder Says:
    May 27th, 2007 at 8:32 am

    @Aaron: thanks, the examples are great.

  3. Aaron Bassett Says:
    May 28th, 2007 at 12:25 am

    Cheers, I just thought the best way to show people why XSS is an issue to be taken seriously is to give them some examples of how it can be malicious.
    Alot of people on reddit thought it wasn’t a big deal as the only things that people were doing was removing the logo etc.

    But some people have yet to grasp just how powerfull Javascript can be and just how much damage could be caused by allowing users to inject it into your pages.

  4. Stan Schroeder Says:
    May 28th, 2007 at 12:35 am

    @Aaron: incidentally, both Croatian big blog services are currently under attack by a hacker (he’s posting unauthorized posts on blogs), and while my guess that it might be an XSS problem, the official word is to ‘change your passwords to something stronger’. I hope they’ll find someone who actually knows what he/she’s talking about to fix this for them.

  5. mineral cosmetic recipes Says:
    April 15th, 2009 at 5:53 am

    how many gigabytes do ipods have
    height and weight charts for s

Leave a Reply