29 May 2007 09:00
Security Vulnerability Part 2 - Pligg Forum
by srcmax
I'm very sorry to inform you that the patch I posted the other day created another very serious problem. We have a patch available here and advise you to apply this immediately. If you have not installed the first patch, you don't need to, just install this one. If you did install the first patch, then just replace the login file.
28 May 2007 17:00
Serious Vulnerability Found in Pligg; Fix Available
by srcmax
A very serious security vulnerability has just been found in all versions of Pligg, the most popular way to “build your own Digg”. The vulnerability allows a complete site takeover by a malicious hacker - if you are using Pligg, it’s critical that you make use of the fix immediately.
SecurityFocus
by srcmax
To reinitialize a forgotten password, Pligg follows a classical
process. A confirmation code is generated and sent by email to the
concerned user mail box. The user has to follow the link containing
the confirmation code and if the confirmation code is checked
successfully, the password is reinitialized to a pre-defined value.
Hacking Pligg 9.5 beta - Exploit - Life, Hacks, and Internet
by srcmax
Pligg Forum members have been notified about it via e-mail this morning. Most Pligg webmasters haven’t signed up for the forum :(.
All Pligg websites I tried were vulnerable to this exploit. There is no commercial value for me, so don’t worry, administrators have been notified that it’s time to patch.