After many sites started “web2.0 social networks” with Bulgarian language support, I was thinking this system was secure, but it is not…
First of all, some of the pages are (almost) secured with some kind of random keys bound to “stories” etc. This is used when a vote is going to be recorded in the database, so “faking” votes with only XSS techniques (and automating them) is probably impossible.
1. But where is the security when trying to change any other data?
For example: http://example.com/pligg/profile.php
Nobody is guarding here: using forms + iframes or an XML request we can change any already logged-in user’s information without any problems. (Maybe I will add a proof of concept here soon.)
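The missing guard on the profile form is a per-session CSRF token that the browser of a logged-in user sends back with every state-changing POST and that a third-party page cannot read. Below is an added example of such a check, written by me for this post and not taken from Pligg’s code; the function names (issueCsrfToken, verifyCsrfToken), the session key csrf_token and the email field are my own assumptions about how a profile.php might be laid out.

```php
<?php
// Added example, not Pligg's code: a minimal CSRF guard for a profile form.
// Assumes sessions are already started for logged-in users; the names
// issueCsrfToken, verifyCsrfToken and $_SESSION['csrf_token'] are hypothetical.
session_start();

// Issue one random secret per session and hand it to the form as a hidden field.
function issueCsrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
// A page on another origin cannot read the victim's session token, so a
// forged cross-site POST (form, iframe or XMLHttpRequest) fails here.
function verifyCsrfToken($submitted): bool {
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verifyCsrfToken($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    // Only now apply the profile changes for the logged-in user.
    echo 'Profile updated.';
    exit;
}

$token = htmlspecialchars(issueCsrfToken(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="profile.php">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <label>Email <input type="email" name="email"></label>
  <button type="submit">Save</button>
</form>
```

The same token must be required on every handler that writes user data, not just the visible form; setting the session cookie with `SameSite=Lax` is a second layer, but it does not replace the token on older browsers.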
2. Password security?
OK, the passwords are saved with the “sha1” method, and a salt is used in the whole story, but what is the salt?
Whatever; the salt is $hashed_password{0,SALT_LENGTH}, and by default SALT_LENGTH = 9. Changing it after we have users in the system will bring us a lot of problems, so maybe there was an idea about “good password crypting”, but the implementation is funny. Hey boys, use HMAC!
3. “Cookie stealing”? Can this be done?
Maybe it can, but there is a bigger problem. The “homemade” crypt method is doubled with an md5 of the hash, and that is later saved in the COOKIE, base64_encoded.
As I already said, this is big fun.
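Points 2 and 3 are really one problem, so here is one added example (mine, not Pligg’s code) that covers both. The top half reconstructs the scheme as described above: a salt carried in the first SALT_LENGTH characters of the stored hash, and a login cookie that is base64 of an md5 of that hash. How the salt is generated and exactly what else the cookie contains are not stated in the post, so those parts are my assumptions. The bottom half is the replacement I would want to see: password_hash()/password_verify() for storage (a slow, randomly salted hash does for passwords what a plain HMAC would not), and an HMAC-signed, expiring cookie keyed with a server secret that is never stored in the users table. All function names are hypothetical.

```php
<?php
// Added example, not Pligg's code. Weak half = reconstruction of the scheme
// described in the post (salt generation and cookie layout assumed);
// hardened half = recommended replacement.
const SALT_LENGTH = 9;

// --- Weak, as described: salt lives in the first SALT_LENGTH chars of the hash ---
function weakHash(string $password, ?string $salt = null): string {
    $salt = $salt === null
        ? substr(sha1((string) mt_rand()), 0, SALT_LENGTH)  // assumed; mt_rand is not a CSPRNG
        : substr($salt, 0, SALT_LENGTH);
    return $salt . sha1($salt . $password);                 // one fast SHA-1, no stretching
}
function weakVerify(string $password, string $stored): bool {
    return weakHash($password, substr($stored, 0, SALT_LENGTH)) === $stored;
}
// The cookie is a fixed function of the stored hash: anyone who can read the
// users table can produce it without knowing a password, and it cannot be
// revoked or expired without changing the password itself.
function weakCookie(string $username, string $stored): string {
    return base64_encode($username . ':' . md5($stored));   // layout assumed
}

// --- Hardened: slow salted hash for storage, server-keyed HMAC for the cookie ---
function strongHash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);      // bcrypt, random salt, cost factor
}
function strongVerify(string $password, string $stored): bool {
    return password_verify($password, $stored);
}
// $serverKey is a secret held in configuration, not in the database,
// so a leaked users table is not enough to mint a valid cookie.
function signCookie(string $username, int $expires, string $serverKey): string {
    $payload = $username . '|' . $expires;                  // username must not contain '|'
    $mac = hash_hmac('sha256', $payload, $serverKey);
    return base64_encode($payload . '|' . $mac);
}
// Returns the username on a valid, unexpired cookie, or null otherwise.
function verifyCookie(string $cookie, string $serverKey, int $now): ?string {
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $username . '|' . $expires, $serverKey);
    if (!hash_equals($expected, $mac) || (int) $expires < $now) {
        return null;
    }
    return $username;
}

// Demo with constructed values.
$serverKey = bin2hex(random_bytes(32));
$stored    = strongHash('correct horse');
var_dump(strongVerify('correct horse', $stored));
$cookie = signCookie('alice', time() + 3600, $serverKey);
var_dump(verifyCookie($cookie, $serverKey, time()));
var_dump(verifyCookie($cookie, 'some other key', time()));
```

If the cookie has to survive a password change or a logout, keep a random session id server-side instead and look it up; the HMAC variant above is the stateless option and still beats a deterministic md5 of the password hash, because the attacker needs the server key rather than a database dump.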
4. Path disclosure
Path disclosure happens if you try to upload a file that has an “image/jpeg” content-type (easily spoofable) but is not an image. Just try renaming any “non-image” file to .jpg and uploading it as an avatar.
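Two things go wrong in that upload path: the server trusts the client-sent Content-Type, and when the image parser chokes the PHP warning (which carries the absolute path) ends up on the page. The following is an added example of mine, not Pligg’s code, showing the upload check done by content and the failure handled without leaking anything; validateAvatar() and the avatars directory are assumptions.

```php
<?php
// Added example, not Pligg's code: validate an avatar upload by its bytes,
// not by $_FILES[...]['type'], and fail without echoing server paths.
// validateAvatar() and the avatars/ directory are hypothetical.
ini_set('display_errors', '0');   // never show PHP warnings (with paths) to users
ini_set('log_errors', '1');       // keep the detail in the server log instead
error_reporting(E_ALL);

// Returns [true, extension] for an acceptable image, [false, message] otherwise.
function validateAvatar(string $tmpPath, int $maxBytes = 512 * 1024): array {
    // The client-supplied Content-Type is attacker-controlled; ignore it entirely.
    if (!is_uploaded_file($tmpPath)) {
        return [false, 'No file received.'];
    }
    if (filesize($tmpPath) > $maxBytes) {
        return [false, 'File too large.'];
    }
    // First check: sniff the real MIME type from the file contents.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        return [false, 'Not a supported image.'];
    }
    // Second check: a renamed non-image fails to parse. The @ suppresses the
    // warning getimagesize() raises on read errors, which would otherwise be
    // printed together with the file's absolute path if display_errors were on.
    if (@getimagesize($tmpPath) === false) {
        return [false, 'Not a valid image.'];
    }
    return [true, $allowed[$mime]];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['avatar'])) {
    [$ok, $detail] = validateAvatar($_FILES['avatar']['tmp_name']);
    if (!$ok) {
        http_response_code(400);
        exit($detail);                          // generic message, no path
    }
    // Server-chosen name and extension; the original filename is never used.
    $uploadDir = __DIR__ . '/avatars';          // assumed location
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $detail;
    if (!move_uploaded_file($_FILES['avatar']['tmp_name'], $dest)) {
        error_log('avatar upload: move_uploaded_file failed');   // detail stays in the log
        http_response_code(500);
        exit('Upload failed.');
    }
    echo 'Avatar saved.';
}
```

The display_errors setting is the part that actually closes the disclosure; the content checks are what stop the renamed file from being accepted in the first place. On a production host the same setting belongs in php.ini so that no single script can forget it.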
Summary:
Password hashing is hard to crack, but not impossible. Hashes have ~3.7414441915671115e+50 possibilities, and this means that running an iterator for md5 generation over that count of possibilities will be the only “hard” part of cracking passwords from Pligg’s database. Of course, doing md5->sha1 is the first step; later we must use the collision technique for SHA1. After all, the passwords can’t be reversed, but using collisions we can log in with any user’s credentials.
This so-called “CMS” has a lot of code, but only a part of it is written strictly and seriously. In 2 hours, 4 possible exploits were found. Use it at your own risk.
PS: Chuckroas @ Pligg.com has been informed of the issues, and I will wait with the proofs of concept until they release updates and patches.