Pligg, a popular open source CMS (Digg clone), has a substantial security vulnerability - I seriously doubt I’m the first to notice this (it’s not the vulnerability found in late May ’07, though). During installation you are required to delete the original username and password, but I found quite a few problematic installations. I plan on notifying these sites, although they look abandoned at the moment.
I noticed this issue when reviewing statistics for a current installation. The search term “powered by Pligg” appeared for quite a few days and it raised a red flag (who searches for that?). Searching for very specific terminology always indicates to me that someone (usually a hacker) is looking to exploit some existing vulnerability. If you use open source software, review your installation instructions carefully and consider changing file names which reflect the title of the software itself.
SourceForge.net cites over fifty-four thousand downloads of the software, but I expect that there are quite a few more as you can download versions directly from Pligg.com.