|
Title: [Pre Alpha] PHPCoin Post by: BCEmporium on July 14, 2011, 12:26:06 PM I'm starting a new project to go GPL OpenSource, I named it PHPCoin.
Here's the draft idea: Basically it is a PHP frontend to bitcoind, which can be used for the local user or in a multiuser (mybitcoin-like) environment, operating as a bitcoin concentrator. The modular system will allow also to attach modules as MtGox/TradeHill/etc analyzers. The cron system will allow features as recurring payments or coin forwarding. Allows creation of multiple accounts for the same user. Say: Account 1 - regular account, Account 2 - savings account... and so on. Each account will have different bitcoin addresses. Bitcoin transactions are all moved to a central account, the movements and balance are recorded and managed by MySQL. So far I'm finishing the login and register functions, but need a designer's help. If you interested, PM me. As password security is the subject of the moment, due that MtGox thing, here's my system's function for it: Code: <?php Pre-Alpha can be downloaded from: http://www.bcommerce.biz/phpcoin-pre-alpha-release.zip Title: Re: [Pre Announcement] PHPCoin Post by: RJau on July 14, 2011, 01:45:46 PM Is there a 1 - 1 ratio of gambling apps to developers in the BtC Community? hehe
Are you just looking for a designer? or other PHP programmers? Im looking for projects :) What is the eventual goal/vision of this project? Sounds interesting. Title: Re: [Pre Announcement] PHPCoin Post by: BCEmporium on July 14, 2011, 01:50:32 PM By now just someone with good design skills, later, as I publish it to GitHUB or SourceForge, PHP developers may join too. At this stage would mess up a bit as we may use different coding ways, making it inconsistent.
The overall goal is to provide an OpenSource system able to be used locally (like SWAT for Samba for an instance), or served in the web for services like MyBitcoin. Title: Re: [Pre Announcement] PHPCoin Post by: idev on July 14, 2011, 08:05:27 PM By now just someone with good design skills, later, as I publish it to GitHUB or SourceForge, PHP developers may join too. At this stage would mess up a bit as we may use different coding ways, making it inconsistent. The overall goal is to provide an OpenSource system able to be used locally (like SWAT for Samba for an instance), or served in the web for services like MyBitcoin. Been looking for something like this for quite a while, please let us know when its up. Cheers Title: Re: [Pre Announcement] PHPCoin Post by: MagicalTux on July 15, 2011, 12:01:40 AM As password security is the subject of the moment, due that MtGox thing, here's my system's function for it: Code: <?php Your method is not good enough (not mentioning it seems you are not escaping properly variables when passing them to mysql). I could do 50000 iterations of ripemd160 in 94.16ms without any optimization. I'd suggest you at least add some iterations to make bruteforcing harder. Title: Re: [Pre Announcement] PHPCoin Post by: BCEmporium on July 15, 2011, 01:01:24 AM Hi M'Tux,
Yes, to go live on internet with this system I intend to create some modules, changing passwords to SHA, enforce SSL and add captchas to prevent brutteforcing. About SQLi, vars are passed this way: Code: <?php Title: Re: [Pre Announcement] PHPCoin Post by: smoothie on July 15, 2011, 07:27:06 AM Hi M'Tux, Yes, to go live on internet with this system I intend to create some modules, changing passwords to SHA, enforce SSL and add captchas to prevent brutteforcing. About SQLi, vars are passed this way: Code: <?php Got any screen shots? Title: Re: [Pre Announcement] PHPCoin Post by: SgtSpike on July 15, 2011, 07:32:05 AM How will this be different from bitcoin-php? I guess your description is generic enough that I don't quite understand what the purpose of it is...
Title: Re: [Pre Announcement] PHPCoin Post by: BCEmporium on July 15, 2011, 11:24:28 AM How will this be different from bitcoin-php? I guess your description is generic enough that I don't quite understand what the purpose of it is... What is bitcoin-php? The only thing I know by such name is a class. @smoothie Not yet. Will put as soon as the basic functions are done. I'm around editing own account at the moment. Title: Re: [Pre Announcement] PHPCoin Post by: zamgo on July 15, 2011, 11:46:30 AM I'm starting a new project to go GPL OpenSource, I named it PHPCoin. Great! The PHP/bitcoin world needs more open source projects. By now just someone with good design skills, later, as I publish it to GitHUB or SourceForge, PHP developers may join too. At this stage would mess up a bit as we may use different coding ways, making it inconsistent. With all due respect: Good intentions are nice, but released code is what makes an open source project alive. Release the code early and often. Don't worry about ugly code, don't worry about bugs. Those things can and will be fixed down the road. Nothing will get messed up. DO worry about your project turning into vaporware if you don't release code soon. If you're interested in browsing some bitcoin-related PHP open source projects: https://github.com/mikegogulski/bitcoin-php - Bitcoin library for PHP - a basic PHP class for interacting with bitcoind - Hasn't been updated for a while, but still usable https://github.com/zamgo/bitcoin-webskin - an open source PHP web interface to bitcoind - my own project ;) and a lot more out there on github and other places... Title: Re: [Pre Announcement] PHPCoin Post by: BCEmporium on July 15, 2011, 02:37:56 PM While start to draft the most important part of the site, the CRON, here're two screens of it so far:
http://www.bityacht.com/phpcoin/phpcoin_1.jpg http://www.bityacht.com/phpcoin/phpcoin_2.jpg Let me explain also how I had this idea: I want to move my coins to a "minimalistic" Debian VM, and this is a way to access and manage the wallet on that VM. Title: Re: [Pre Announcement] PHPCoin Post by: Raoul Duke on July 15, 2011, 03:17:44 PM Your method is not good enough... But your method was.. ::) Too bad people only learn after the trouble... :P Title: Re: [Pre Announcement] PHPCoin Post by: naturallaw on July 15, 2011, 04:04:07 PM Hi M'Tux, Yes, to go live on internet with this system I intend to create some modules, changing passwords to SHA, enforce SSL and add captchas to prevent brutteforcing. About SQLi, vars are passed this way: Even though your way is secure (as long as you remember to call your function on all the values) I'd recommend using prepared statements with PDO, much cleaner and safer. Take a look on the PHP manual (http://php.net/pdo.prepare) for more info. Title: Re: [Pre Announcement] PHPCoin Post by: SgtSpike on July 15, 2011, 04:07:31 PM Well, this could be extremely useful for a project I have coming up! Here's to hoping you get it finished up soon.
Title: Re: [Pre Announcement] PHPCoin Post by: BCEmporium on July 15, 2011, 04:20:55 PM Even though your way is secure (as long as you remember to call your function on all the values) I'd recommend using prepared statements with PDO, much cleaner and safer. Take a look on the PHP manual (http://php.net/pdo.prepare) for more info. PDO requires PDO and PECL, that's already alone dirtiest than dirt can be. ;) As I'm off now for a while, here's the incomplete code of the cron (it should run like each 5 minutes by php-cgi or so), hope this already gives you a better clue of what I'm working on: Code: <?php Title: Re: [Pre Announcement] PHPCoin Post by: smoothie on July 15, 2011, 05:46:19 PM Will it be usable to mine namecoins too? :o
Title: Re: [Pre Announcement] PHPCoin Post by: brandon@sourcewerks on July 15, 2011, 07:48:05 PM This salt method of storing passwords would still leave you open to the same type attack MtGox had. If the attack is based on getting a copy of the database, every account in database is at risk with current code.
Best option is two-factor auth. (ubikey, RSA key) Title: Re: [Pre Announcement] PHPCoin Post by: BCEmporium on July 15, 2011, 08:13:21 PM @btcash,
The project is open source, when I release it you're welcome to implement whatever procedure to store passwords you want. @smoothie This isn't usable to mine anything, it's a storage frontend, not a mining one. Can be used, with some changes, to store namecoins also. Title: Re: [Pre Announcement] PHPCoin Post by: naturallaw on July 15, 2011, 10:58:30 PM PDO requires PDO and PECL, that's already alone dirtiest than dirt can be. ;) PHP 5.1.0 and newer comes with PDO already. Title: Re: [Pre Announcement] PHPCoin Post by: BCEmporium on July 15, 2011, 11:53:05 PM @AnnihilaT I keep saying the most important feature of password security is you to *know* your db was compromised, encryption will only make you gain some time to do something about... but they don't believe it.
Now... while waiting another deposit to get 6 blocks, to test deposit forwarding, here're some screens of what has been made so far: http://www.bityacht.com/phpcoin/phpcoin_3.jpg http://www.bityacht.com/phpcoin/phpcoin_4.jpg http://www.bityacht.com/phpcoin/phpcoin_5.jpg http://www.bityacht.com/phpcoin/phpcoin_7.jpg Database "config" table look: http://www.bityacht.com/phpcoin/phpcoin_6.jpg Roadmap to PreAlpha: Withdraw functions - once done I'll pre-release it by my website. Alpha will be at SourceForge or GitHUB Title: Re: [Pre Announcement] PHPCoin Post by: SgtSpike on July 16, 2011, 03:55:49 AM I think the best way for passwords to remain secure is to use hashing methods that are computationally intense with respect to brute-forcing, but computationally inexpensive for a server to process once for a user to log in. If you create a sequence of hashes that takes the server 0.5 seconds to compute, then it would be nigh impossible for any single person to crack even one user's password, unless we're talking about using hardware in the far future.
Title: Re: [Pre Announcement] PHPCoin Post by: Chick on July 16, 2011, 08:38:48 AM Just use pbkdf2 with 10000-20000 iterations. Use sha512 as the hash algorithm. Here (http://www.itnewb.com/v/Encrypting-Passwords-with-PHP-for-Storage-Using-the-RSA-PBKDF2-Standard) is a good example of implementation. Its a pretty damn good way to store your passwords.
Store output binary key lengths (below 255 char) in a tinyblob field. Title: Re: [Pre Announcement] PHPCoin Post by: Xephan on July 16, 2011, 09:00:15 AM Hi M'Tux, Yes, to go live on internet with this system I intend to create some modules, changing passwords to SHA, enforce SSL and add captchas to prevent brutteforcing. About SQLi, vars are passed this way: Code: <?php Is there a reason you're going this way and inserting variables directly into queries (which always open up the possibility of SQL injections) instead of using mysqli prepared statements which includes general string/number type checking as well? Title: Re: [Pre Announcement] PHPCoin Post by: BCEmporium on July 16, 2011, 11:39:56 AM @BCEmporium: Sorry for the off-topic, but do you need to have VPN to use cron in PHP or will most any web server allow it? I have always thought of it as a potential resource hogging liability for web servers and that's why I didn't expect anyone to provide it, but if it's there, this give me a few ideas for how I can make my site better. This is designed to: Your own box Your own Virtual Machine A VPS/VDS/Dedicated Server As you need to install software, such as bitcoind, this is not suitable for shared hosting. Now a doubt Anyone knows how to make bitcoind check whether a transfer fee will be paid before it does anything? I can't figure that one out, so I'll code this way: Total available amount = balance - 0.0005 Check the transaction after, if a fee was paid remove the 0.0005 from the user's account, if not leave it there. Title: Re: [Pre Announcement] PHPCoin Post by: Xephan on July 16, 2011, 03:16:50 PM Quote asked and answered.... read up! I did but found no good reason for it, that's why I asked. It certainly isn't related to PECL or PDO (which I don't use since like you I also think it's a mess). While you have the function that you called, but it's a potential weakness since variables may come from different parts of the code or be altered along the way. The value may had been "safe" after your function call but may no longer be just before sql insertion. While you're the only one working on it, your due diligence may ensure something like that doesn't happen. But once released, this could end up being a trap for less careful coders who are modifying unfamiliar code. Hence I believe it's better to ensure that cleansing is done just before insertion. Along with the added strength of numeric typing using bind_params, ensures that even if somehow code slips past, it would still get rejected for not being a number where one is expected. Title: Re: [Pre Announcement] PHPCoin Post by: BCEmporium on July 16, 2011, 04:35:46 PM Xephan,
That's senseless! You're implying I may "inject myself" along the code. The vars must be clean up on entry, as they will go to mysql more than once. Eg. upon register: query 1: select * from users where user like '$user' to check whether there's already one account registered with that username later select * from users where email like '$email' to ensure unique emails... etc There're no more changes in the var that may get it injected along the way until the inserts. Passwords doesn't require cleaning up because they always hit the db hashed. Now... for the question I put above. Any answer? BTW, I bough a VPS with cinfu.com and will put the project and demo there. Title: Re: [Pre Announcement] PHPCoin Post by: Xephan on July 16, 2011, 06:04:02 PM Xephan, That's senseless! You're implying I may "inject myself" along the code. The vars must be clean up on entry, as they will go to mysql more than once. Like I said, while you would likely take note of these because of familiarity with the code, somebody else subsequently might make the mistake. Unless I'm mistaken about this going to be an opensource project? So the safest approach is always to assume that the data is unclean and cleanse it immediately before sending it to the db. Of course you could consider me being paranoid, as long as you don't mind the possibility of a "I told you so" in the future ;) Quote Eg. upon register: query 1: select * from users where user like '$user' to check whether there's already one account registered with that username later select * from users where email like '$email' to ensure unique emails... etc As a general rule, I'd recommend always putting a "limit 1" behind such queries. So that even if somebody manages somehow to get passed the variable cleansing, the operation he might be attempting may in this way possibly be limited to one, or become an invalid query and so get stopped. Again, you may consider me paranoid :D Quote Now... for the question I put above. Any answer? Unfortunately not, I haven't looked into the code yet. Title: Re: [Pre Announcement] PHPCoin Post by: BCEmporium on July 16, 2011, 07:00:41 PM All your points are needless actually.
If some one get to be dumb enough to do something like: $user .= "'; DROP users"; then such person isn't a coder (is an attacker at best) and therefore has no reason to touch the code at all. Title: Re: [Pre Announcement] PHPCoin Post by: Chick on July 16, 2011, 07:02:30 PM Are you serious? You guys are still using direct query statements? That's wayyyyy 2008.
If you just want to get the mess of sanitizing every fucking thing, prepared statements are the way to go. Title: Re: [Pre Announcement] PHPCoin Post by: Xephan on July 16, 2011, 07:14:16 PM All your points are needless actually. If some one get to be dumb enough to do something like: $user .= "'; DROP users"; then such person isn't a coder (is an attacker at best) and therefore has no reason to touch the code at all. That is what an attacker might want to do. However, a naive coder (and sadly I've seen quite a few), may not realize you are doing data sanitization/cleansing in an earlier part. He goes and make the mistake of looking at code only in the areas he thinks is needed. Such as in adding some new data field to his customized version, say some kind of numeric flag or details during registration simply by inserting the relevant db fields and $variable into the query string and populating it from $_POST. Some attacker seeing a new thing on this site decides to just test it out for fun and there it goes. While you might think it's unlikely, or that the noob deserves it, it's part of the responsibility of an open source coder to ensure his code is robust to begin with, especially if more than one person immediately flag it as a potential problem. :) Title: Re: [Pre Announcement] PHPCoin Post by: Xephan on July 16, 2011, 07:16:19 PM Are you serious? You guys are still using direct query statements? That's wayyyyy 2008. If you just want to get the mess of sanitizing every fucking thing, prepared statements are the way to go. not "guys" just "guy", the rest of us are just trying to tell him the same thing: that it's better to go prepared statements :D Title: Re: [Pre Announcement] PHPCoin Post by: BCEmporium on July 16, 2011, 08:03:25 PM Are you serious? You guys are still using direct query statements? That's wayyyyy 2008. If you just want to get the mess of sanitizing every fucking thing, prepared statements are the way to go. not "guys" just "guy", the rest of us are just trying to tell him the same thing: that it's better to go prepared statements :D And suddenly all became affected by security paranoia... Actually for someone do that, he needs to temper the code; means whoever download it download it tempered, and unless can check it is pretty much f***ed anyway no matter what I do or don't. Title: Re: [Pre Announcement] PHPCoin Post by: BCEmporium on July 17, 2011, 05:38:28 AM Paranoia isn't "common sense".
MtGox wasn't hacked, wasn't injected... simply put a db dump in the wrong hands. Do not try to circumvent "human errors" with "ultra-paranoia security level" on informatics, computers can't do anything about human errors anyway. Other than that it was supposed to be "common sense" that if you don't come to realize your db was compromised in the first place, it doesn't quite matter whatever you choose to encrypt whatsoever. M'Tux hadn't realize what happened, because all of this "sudden security experts" came out from MtGox's attack, he hadn't realize his db was compromised, so whoever was behind the attacks would have all the time in the World to do what he wants. To the "best", he would be slow down, nothing else. For the "tips" received so far; there's nothing to gain and it generates inconsistent code to follow those sort of "advices". Will "clean up" what? Every time it goes to db already within the code?! It would output: $user = "my'user"; first (AND ONLY - that's the way to do it) clean up: $user = "my\'user"; select...where user like '$user'... Now... supposing I would go for a second clean up, as the data will hit the db again: $user = "my\\\'user"; see anything wrong here? the potential attack surface is inside the code. If the code is compromised (means you download it from somewhere you shouldn't anyway) it can be compromised on several ways without the need for "SQLi". Why bother if the attacker can simply mysql_query("whatever he wants here");?! Today I didn't code, was around that Cinfu VPS (tip: don't go to vps 1, 2+). BOTTOM LINE: Help needed A way to figure out network fees before the transaction Graphics/CSS Help NOT needed (or welcome) Your paranoia level - yeah, it's open source, you can put all your paranoia into it as soon as you get the code. Title: Re: [Pre Announcement] PHPCoin Post by: SgtSpike on July 17, 2011, 05:57:48 AM Am I the only one here that thinks OP is missing the entire point? That it has nothing to do with open source or what he is writing, that the people using his code (including himself) are the ones open to attack through malicious strings from malicious people, solely due to his lack of proper sanitizing in HIS own code? Am I taking crazy pills? Why is he missing the point? He's properly sanitized his code. The only way it could potentially be de-sanitized is if an idiot coder added some new variables that weren't sanitized. While I can see Xephan's point regarding sanitizing the code via prepared statements to protect against people downloading his code and modifying it, I won't hold it against BCEmporium for not implementing it. As long as you're not a complete moron coder, you'll be sure to sanitize the inputs, so it doesn't matter anyway. And if someone really does want to protect against the moron coders out there, they can feel free to change the code once it is open sourced.BCE - keep on coding the project, and forget the naysayers. They can modify it how they like - you just build it how you like. I appreciate that you've tackled such a project and plan to release it open source. ;) Title: Re: [Pre Announcement] PHPCoin Post by: Xephan on July 17, 2011, 06:24:59 AM Here's what I thought this was about: 1) Op wrote some code 2) His code could potentially allow SQL injection 3) Someone downloads his code and installs it into their site/system 4) A third party accesses that system and uses SQL injection 5) The person who downloaded the code has now suffered an inject attack because the code was insecure. 2. Currently as it is, the snippets as it is, does clean the input and should in theory prevent SQL injection. 3. Only if the somebody modifies the code in a naive way, which unfortunately isn't that uncommon. 4. Dependent on #3 What we're suggesting that is that he adopts a convention that will be less prone to such potential issues. In a closed project where you can be sure of the skill/quality of the involved developers, it's OK to ignore this. However, as an open source project, it's reasonable to expect that somebody else would eventually use and modify it. The use of prepared statements (and why it came about) has been strongly recommended for years. But ultimately, it is his project, so like I say, he can just disregard our suggestion as pure paranoia :) Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on July 17, 2011, 04:02:32 PM Pre-Alpha was released.
http://www.bcommerce.biz/phpcoin-pre-alpha-release.zip :) EDIT: Sry for the first to download, I forgot to include the sql dump. If your pack is missing a phpcoin.sql file, just download again. Title: Re: [Pre Announcement] PHPCoin Post by: BCEmporium on July 30, 2011, 08:23:14 PM Then I guess I was in fact reading this wrong. Here's what I thought this was about: 1) Op wrote some code 2) His code could potentially allow SQL injection 3) Someone downloads his code and installs it into their site/system 4) A third party accesses that system and uses SQL injection 5) The person who downloaded the code has now suffered an inject attack because the code was insecure. Am I completely lost or what? @OP: Definitely not against you, just completely confused as to what's going on here. Replying to this: 1) yes... 2) NO IT DOES NOT 3) yes... 4) NOPE, again 5) NOPE also What went on here actually: After that MtGox crap everybody suddenly become a so called "security expert", except that less than 0,00001% of the "opinion givers" are in fact any of such. So they jump in based "on what they read on forums" or other ill informed/hard to interpret source and try to play "the expert"... coming out with such a ridiculous attack surface as "Inside the code" (means changing the code itself - if someone changes the code, he doesn't need to inject anything, as that one can do whatever he wants on whatever project he got people to download his modified code). For the project however; I'm done with it... anybody can continue if want. Title: Re: [Pre Alpha] PHPCoin Post by: SgtSpike on July 30, 2011, 08:52:49 PM Is it working? Or close to working?
Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on July 30, 2011, 10:02:45 PM Working... the only thing I was up to do before release the beta was to implement schedule and recurring payouts and admin accounts.
I may re-pick this project later on. Title: Re: [Pre Alpha] PHPCoin Post by: SgtSpike on July 30, 2011, 10:04:22 PM Working... the only thing I was up to do before release the beta was to implement schedule and recurring payouts and admin accounts. Awww, I am sad you decided to drop it. I appreciate the work - I'm going to be using the package as a starting point for one of the projects I am working on!I may re-pick this project later on. Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 06, 2011, 03:42:10 AM OK, I'll repick this project, but before, here's a preview of it working:
http://88.198.142.82/index.php or https://88.198.142.82/index.php (self-signed cert) Now, please note [IMPORTANT]: - I rented that cinfu VPS FOR TESTING ONLY, it's rented for ONE MONTH until 5th Sep Do not store there large btc amounts! (You'd been warned!) For those with theories about SQLi and alike: HERE'S YOUR CHANCE! Grab it and prove it! Feel free to do it. ;) There're no changes between this install and what I put available for download, other than the config files, obviously. Title: Re: [Pre Alpha] PHPCoin Post by: bahatassafus on August 06, 2011, 04:26:24 AM Looks great. How do you plan to continue?
Title: Re: [Pre Alpha] PHPCoin Post by: SgtSpike on August 06, 2011, 04:56:11 AM I downloaded and installed the pre-alpha on a VPS. I can't get it to communicate with my bitcoind install (throws an error regarding that after I log in to the account I registered), but another script I wrote based on bitcoin-php worked just fine. Any ideas?
Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 06, 2011, 12:10:01 PM Looks great. How do you plan to continue? The following features are still missing for it to be released as beta: 1) Schedule and recurring payments 2) Admin menu 3) Account creation 4) Address book Then just need to create some docking modules, like: SCI, MtGox/TH, etc... The idea was to provide a GUI for users installing Bitcoin in a minimal Linux VM. Like: you install a Debian 6 in a VM, no X, install this script to manage the wallet in that Virtual Machine. Obviously it can also operate as an e-Wallet, that's why I put that in the VPS Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 06, 2011, 12:13:44 PM I downloaded and installed the pre-alpha on a VPS. I can't get it to communicate with my bitcoind install (throws an error regarding that after I log in to the account I registered), but another script I wrote based on bitcoin-php worked just fine. Any ideas? What error is that? Did you set up rightly the $btcuser and $btcpass to match your rpcuser/rpcpass? Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 06, 2011, 05:01:58 PM You should modify your files to allow a different IP and Port to RCP (I've already made the changes for me to test).
Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 06, 2011, 05:31:36 PM You should modify your files to allow a different IP and Port to RCP (I've already made the changes for me to test). Will start the VM (where I develop it) and do some more work, along with that change. Thank you for the feedback. Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 06, 2011, 05:40:16 PM I'll be more than happy to provide more feedback once I figure out how to get bitcoind working.
https://bitcointalk.org/index.php?topic=34902 Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 06, 2011, 07:29:48 PM Would it be possible to add list of address for each of the accounts, and maybe a list of transactions for each account (although I guess blockexporer is pretty much the same thing)?
Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 06, 2011, 07:34:30 PM Would it be possible to add list of address for each of the accounts, and maybe a list of transactions for each account (although I guess blockexporer is pretty much the same thing)? Sry, went to sleep a bit. On your issue, the idea is as follow: on that drop down on main page you will be able to switch the current account (Account you're viewing), so the address shown and movements will be of the currently foregrounded account. Currently (before went to sleep that is) I'm doing the form for people to add more accounts, this directive in the config table: user_l_accounts sets the nr. of accounts as user can have under the same login. Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 06, 2011, 07:55:05 PM Ah, well I'm making slight changes to the connection count.
http://gyazo.com/99bd386a68c0f03d08c6ac19841a2a0a.png If you want, I can give you what I've changed so far. Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 06, 2011, 08:18:42 PM Not quite, if I want it that way I would do it in such way in the first place.
The full bitcoind info is meant to go on the admin panel, not in the user frontend. Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 06, 2011, 08:24:15 PM Ah, I didn't know you were going to do an admin panel.
[Edit]: Just looked up a few post and saw the stuff not in the beta. Title: Re: [Pre Alpha] PHPCoin Post by: SgtSpike on August 06, 2011, 11:30:02 PM I downloaded and installed the pre-alpha on a VPS. I can't get it to communicate with my bitcoind install (throws an error regarding that after I log in to the account I registered), but another script I wrote based on bitcoin-php worked just fine. Any ideas? What error is that? Did you set up rightly the $btcuser and $btcpass to match your rpcuser/rpcpass? Code: Bitcoin Network Blocks: Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 07, 2011, 10:56:45 AM Not what seams, the user or pass are wrong.
If any have special chars like $ or " or ' try to change it in the config like: $btcpass = "ajhgs$sjh"; to $btcpass = 'ajhgs$sjh'; if has ' escape it, like $btcpass = 'kljah\'jkjd'; Title: Re: [Pre Alpha] PHPCoin Post by: SgtSpike on August 08, 2011, 04:20:15 PM It's all alphanumeric (for now). I copy/pasted it directly from the other script I have that works just fine. ??? I'll keep playing around with it and see if I can figure out what the problem is. Obviously, it's not the code, or other people would be having trouble as well.
Title: Re: [Pre Alpha] PHPCoin Post by: Raoul Duke on August 08, 2011, 04:23:13 PM It's all alphanumeric (for now). I copy/pasted it directly from the other script I have that works just fine. ??? I'll keep playing around with it and see if I can figure out what the problem is. Obviously, it's not the code, or other people would be having trouble as well. Maybe firewall, or port forwarding? Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 08, 2011, 04:24:28 PM It's all alphanumeric (for now). I copy/pasted it directly from the other script I have that works just fine. ??? I'll keep playing around with it and see if I can figure out what the problem is. Obviously, it's not the code, or other people would be having trouble as well. Maybe firewall, or port forwarding? Title: Re: [Pre Alpha] PHPCoin Post by: Raoul Duke on August 08, 2011, 04:27:46 PM It's all alphanumeric (for now). I copy/pasted it directly from the other script I have that works just fine. ??? I'll keep playing around with it and see if I can figure out what the problem is. Obviously, it's not the code, or other people would be having trouble as well. Maybe firewall, or port forwarding? SgtSpike never said anything about his server architecture, so maybe you are jumping into conclusions. All he said was that he installed phpcoin in a VPS, he never said that his bitcoind was on the same machine. Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 08, 2011, 04:32:24 PM It's all alphanumeric (for now). I copy/pasted it directly from the other script I have that works just fine. ??? I'll keep playing around with it and see if I can figure out what the problem is. Obviously, it's not the code, or other people would be having trouble as well. Maybe firewall, or port forwarding? SgtSpike never said anything about his server architecture, so maybe you are jumping into conclusions. All he said was that he installed phpcoin in a VPS, he never said that his bitcoind was on the same machine. Title: Re: [Pre Alpha] PHPCoin Post by: SgtSpike on August 08, 2011, 04:47:18 PM It's all alphanumeric (for now). I copy/pasted it directly from the other script I have that works just fine. ??? I'll keep playing around with it and see if I can figure out what the problem is. Obviously, it's not the code, or other people would be having trouble as well. Maybe firewall, or port forwarding? SgtSpike never said anything about his server architecture, so maybe you are jumping into conclusions. All he said was that he installed phpcoin in a VPS, he never said that his bitcoind was on the same machine. Title: Re: [Pre Alpha] PHPCoin Post by: Raoul Duke on August 08, 2011, 05:04:09 PM My bad. Bitcoind is running on the same VPS, so it should connect using localhost. So, it was me who jumped into conclusions... My bad. ;) Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 08, 2011, 05:28:24 PM Request Feature: Have a list of all Addresses associated with an account, rather than just generating a new one.
Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 10, 2011, 06:22:35 AM Do you have any more updates on this project?
I'm eager to see what you've done so far ;) Mind posting the project on https://github.com with updates? I've got some simple hosting for this. Made some changes for me (until admin panel is working). http://phpcoin.zombietoday.com Will get a dedicated domain (with SSL) once it gets a little further in development. Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 10, 2011, 02:10:03 PM There're already some changes in my version, however I'm setting up a new server before go on holidays (from everyday job), so I must have some more available time pretty soon.
Title: Re: [Pre Alpha] PHPCoin Post by: hamburger on August 11, 2011, 06:24:04 PM Hi,
Neat script, could even run it on my desktop using EasyPHP and the standard Bitcoin client. Just two questions, how does it handle payments between two account holders and how do you set up an admin or main account - I see there is provision made for it in the database [is_admin] Thank you, Hamburger Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 11, 2011, 06:26:51 PM Hi, Admin isn't coded yet.Neat script, could even run it on my desktop using EasyPHP and the standard Bitcoin client. Just two questions, how does it handle payments between two account holders and how do you set up an admin or main account - I see there is provision made for it in the database [is_admin] Thank you, Hamburger Title: Re: [Pre Alpha] PHPCoin Post by: Mushroomized on August 11, 2011, 08:12:04 PM Interesting project I will have to watch this!
Feel free to use this animated gif I made into the design in any way :D https://i.imgur.com/VqXVm.gif Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 12, 2011, 06:24:51 PM I've got a domain + SSL...
https://www.phpco.in/index.php Will keep it updated with BCEmporium's updates. :D Title: Re: [Pre Alpha] PHPCoin Post by: Raoul Duke on August 12, 2011, 06:26:47 PM I've got a domain + SSL... https://www.phpco.in/index.php Will keep it updated with BCEmporium's updates. :D Every time i read Quote The sight may be reset at any time for upgrades. I get chills... Is BCEmporium going to reset his eyes? lol :P Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 12, 2011, 06:31:04 PM I've got a domain + SSL... https://www.phpco.in/index.php Will keep it updated with BCEmporium's updates. :D Every time i read Quote The sight may be reset at any time for upgrades. I get chills... Is BCEmporium going to reset his eyes? lol :P It was 3am when I wrote that note. Title: Re: [Pre Alpha] PHPCoin Post by: Raoul Duke on August 12, 2011, 07:08:48 PM I've got a domain + SSL... https://www.phpco.in/index.php Will keep it updated with BCEmporium's updates. :D Every time i read Quote The sight may be reset at any time for upgrades. I get chills... Is BCEmporium going to reset his eyes? lol :P It was 3am when I wrote that note. So it's your eyes who were needing a reset ;) I thought it was BCEmporium who had wrote that. Title: Re: [Pre Alpha] PHPCoin Post by: naturallaw on August 12, 2011, 07:41:45 PM Any chance of getting this project up on GitHub for better collaboration? :)
Title: Re: [Pre Alpha] PHPCoin Post by: BCwinning on August 12, 2011, 07:46:28 PM hilarious mtgox is now an expert on security. oh the irony
Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 12, 2011, 07:52:11 PM hilarious mtgox is now an expert on security. oh the irony I'm confused??Title: Re: [Pre Announcement] PHPCoin Post by: BCwinning on August 12, 2011, 07:53:55 PM As password security is the subject of the moment, due that MtGox thing, here's my system's function for it: Code: <?php Your method is not good enough (not mentioning it seems you are not escaping properly variables when passing them to mysql). I could do 50000 iterations of ripemd160 in 94.16ms without any optimization. I'd suggest you at least add some iterations to make bruteforcing harder. hilarious mtgox is now an expert on security. oh the irony I'm confused??Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 12, 2011, 08:02:08 PM Still would be cool to have the project source public.
I'm thinking about adding a About US page which will contain your BTC Donation Address as well as Mine (as the host). Title: Re: [Pre Alpha] PHPCoin Post by: Xephan on August 13, 2011, 03:07:33 PM hilarious mtgox is now an expert on security. oh the irony How is that hilarious when making the mistake first is how many people learn their lessons that get passed on to others? :D Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 13, 2011, 05:07:03 PM How is that hilarious when making the mistake first is how many people learn their lessons that get passed on to others? :D I still believe M'Tux took the wrong lessons there. He wasn't hacked due to strength or lack of strength of his password hashing, he was hacked by leting his database fell in the wrong hands. Starting from here, hashing algorithms doesn't "save you" of anything and enforce "strong passwords" will make your customers unhappy. Nothing, PHP is inheritelly "Open Source", unless I obfuscate that with Zend or Roadsend, as I didn't the source is openly available. I'd delay those two days due to Linux, I'm giving it a try at my desktop (part 1001st) and started with the wrong foot; OpenSuSE... well... I've a nForce chipset, isn't easy for starters, but OpenSuSE always manage to screw graphics - had the same issue with SuSE and Via C3 some 5 years ago. That mean format and reformat to end up with Ubuntu and today is party time with my old army mates. Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 13, 2011, 05:12:16 PM How is that hilarious when making the mistake first is how many people learn their lessons that get passed on to others? :D I still believe M'Tux took the wrong lessons there. He wasn't hacked due to strength or lack of strength of his password hashing, he was hacked by leting his database fell in the wrong hands. Starting from here, hashing algorithms doesn't "save you" of anything and enforce "strong passwords" will make your customers unhappy. Nothing, PHP is inheritelly "Open Source", unless I obfuscate that with Zend or Roadsend, as I didn't the source is openly available. I'd delay those two days due to Linux, I'm giving it a try at my desktop (part 1001st) and started with the wrong foot; OpenSuSE... well... I've a nForce chipset, isn't easy for starters, but OpenSuSE always manage to screw graphics - had the same issue with SuSE and Via C3 some 5 years ago. That mean format and reformat to end up with Ubuntu and today is party time with my old army mates. Anyways, I was meaning an updated version of the source. :P I'm going on vacation, and I'll only have 4GB of bandwidth for 5 days. Meaning, I'll be Internet Suffocation and that's when I get many of my projects done. I've got one project that allows someone to resell our gameservers (I work for a GSP). I can assume that anyone who'd like to...could buy a reseller from us and re-sell under Bitcoins. ;) Title: Re: [Pre Alpha] PHPCoin Post by: Xephan on August 13, 2011, 06:05:18 PM How is that hilarious when making the mistake first is how many people learn their lessons that get passed on to others? :D I still believe M'Tux took the wrong lessons there. He wasn't hacked due to strength or lack of strength of his password hashing, he was hacked by leting his database fell in the wrong hands. Starting from here, hashing algorithms doesn't "save you" of anything and enforce "strong passwords" will make your customers unhappy. Proper security assumes that the server WILL be compromised and databases stolen. Password hashing is precisely intended to minimize the damage from such an event. So while letting his database fall into the wrong hand was one of his many mistakes definitely, it wasn't the key. The most damning was using plain unsalted un-iterated md5 to hash his passwords. That meant one single run of md5 would be sufficient to brute force the entire database. For those who already have existing rainbow tables, it will take seconds to crack weak passwords. For those who don't, it takes only minutes to few hours to generate the rainbow tables for weak passwords (up to say 8~9 characters) making it very profitable to do so. If he had employed commonly available password encryption libraries using better hash algorithm like SHA256 and blowfish, with password stretching to strengthen weak passwords, it would had made the attack unworthwhile because of the cost of even cracking one user's password. The real irony here is that this computational cost is what protects the bitcoin blockchain yet the largest bitcoin exchange was not making use of it. While the specific lesson from the mtgox fiasco was related to weak hash algorithm, his sensitivity towards all forms of possible compromise should be heightened due to that. So I don't think it's fair to say he learnt the wrong lessons but rather he likely learnt more lessons than just the one he got hit with. Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 14, 2011, 09:17:25 AM It's really hard for me to sit around waiting for updates...
http://api.phpco.in/get/ I've added AJAX (auto-refresh) to the blockcount & connections ( when logged in @ https://www.phpco.in/ ). [Edit]: Added the "Add Account." Currently, there is no Deleted accounts. You can always modify accounts. :D http://gyazo.com/453c0df1d015273e72a4907c6de58c89.png I've yet to add a setting for the "main" account to show up. Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 14, 2011, 12:24:57 PM So while letting his database fall into the wrong hand was one of his many mistakes definitely, it wasn't the key. The most damning was using plain unsalted un-iterated md5 to hash his passwords. That meant one single run of md5 would be sufficient to brute force the entire database. For those who already have existing rainbow tables, it will take seconds to crack weak passwords. For those who don't, it takes only minutes to few hours to generate the rainbow tables for weak passwords (up to say 8~9 characters) making it very profitable to do so. Actually my account's password there was hashed with md5 salted crypt algorithm ($3$salt$hash)... which makes me believe also, someone had that db for quite a while. The added difficulty would represent one thing; the attack may not happen when it happened, but somewhere in the future... thus the attack would come to place either way. Going to fire the VM now and will work on it a while. Title: Re: [Pre Alpha] PHPCoin Post by: Xephan on August 14, 2011, 05:10:07 PM Actually my account's password there was hashed with md5 salted crypt algorithm ($3$salt$hash)... They did mention that it was older accounts that were affected. i.e. they realized the security weakness and changed the hash algo/procedure before you sign up or last changed your password. That was one of the other mistakes, having discovered this weakness and implemented a better system, they failed to notify potentially vulnerable users to update their password to force a new hash. In some projects, once a breach appears probable, they notify and force everybody to change their passwords to be safe. An organisation dealing with money should be even more paranoid :D Quote which makes me believe also, someone had that db for quite a while. The added difficulty would represent one thing; the attack may not happen when it happened, but somewhere in the future... thus the attack would come to place either way. Possible but based on available information, the somebody may only had the mtgox data for a few days prior to the scam. In any case, it is ALSO assumed that given sufficient time, any hash can be broken due to cryptographic advances or computational advances. Which is why there is the recommendation for users to change their passwords at least once every now and then. Once a year should be relatively safe since most hash algo are chosen to take at least years to break and an annual change is not particularly inconvenient for users as well. Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 14, 2011, 05:18:47 PM Actually you'd people starting to complaint out of accounts being ripped more than 2 weeks before the attack. And yes, cryptography on hashing, has improved A LOT since Bitcoin came around. The same methods to "mine more coins", as GPU mining, are the ones used now to reverse hashes. Whereas MD5 would sound safe under 1~2 Ghz CPU hashing, they're now "pieces of cake" for most GPU based crackers.
And that my pass wasn't of "they see THEN they changed", it was actually as it was in that db dump file. Title: Re: [Pre Alpha] PHPCoin Post by: Xephan on August 14, 2011, 05:29:35 PM Actually you'd people starting to complaint out of accounts being ripped more than 2 weeks before the attack. And yes, cryptography on hashing, has improved A LOT since Bitcoin came around. The same methods to "mine more coins", as GPU mining, are the ones used now to reverse hashes. Whereas MD5 would sound safe under 1~2 Ghz CPU hashing, they're now "pieces of cake" for most GPU based crackers. md5 was considered broken before GPU cracking became commonly available. So increase in hash speed due to GPU cracking is not an excuse for mtgox using a broken hash in the first place. Quote And that my pass wasn't of "they see THEN they changed", it was actually as it was in that db dump file. That's pretty much what I said so I'm not sure what you thought I said or maybe I am misunderstanding what you are saying now :D To rephrase it, mtgox said only older accounts were still hashed with the plain md5 hashes. So newer accounts or those who changed their passwords after mtgox updated their code, would have the salted hash like yours. The db dump file contained both the older and newer hashes. Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 14, 2011, 05:59:07 PM md5 was considered broken This is a wrong statement, MD5 wasn't ever broken nor is. The only way it would be considered as so if you or someone can actually reverse it and that, so far, is impossible. Being open to Brutte-forcing doesn't make anything "broken" as no known algorithm is resistant to it. All you can make is it slower to bf, not prevent it. MD5 is just "fastest to brutte-forced than others", along with those "rainbow tables" (which is just a database with pre-computed hashes, btw). About that "old/new", it refers to: old -> Jed time / new -> some time after M'Tux bough that, not as "old before the attack/new after", as I believe you were assuming. Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 14, 2011, 06:54:00 PM The correct term is "Deprecated", not "Broken".
Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 14, 2011, 07:18:55 PM Arg, I forgot to add the command for adding a new account in the bitcoind environment when making a new account.
So, what's your updates looking like? :) Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 14, 2011, 07:40:11 PM Arg, I forgot to add the command for adding a new account in the bitcoind environment when making a new account. So, what's your updates looking like? :) Sorry... damn! Changing OS is a pain ;D Tried with VirtualBox to fire my Debian VM, but it was eating 100% CPU, means this was slower than a turtle with a broken leg. Then software; 1st try: Geany, now trying Aptana Studio. Coding the Admin block now. Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 14, 2011, 07:48:25 PM Arg, I forgot to add the command for adding a new account in the bitcoind environment when making a new account. So, what's your updates looking like? :) Sorry... damn! Changing OS is a pain ;D Tried with VirtualBox to fire my Debian VM, but it was eating 100% CPU, means this was slower than a turtle with a broken leg. Then software; 1st try: Geany, now trying Aptana Studio. Coding the Admin block now. Title: Re: [Pre Alpha] PHPCoin Post by: Xephan on August 14, 2011, 08:51:00 PM md5 was considered broken This is a wrong statement, MD5 wasn't ever broken nor is. The only way it would be considered as so if you or someone can actually reverse it and that, so far, is impossible. Being open to Brutte-forcing doesn't make anything "broken" as no known algorithm is resistant to it. All you can make is it slower to bf, not prevent it. MD5 is just "fastest to brutte-forced than others", along with those "rainbow tables" (which is just a database with pre-computed hashes, btw). Sorry but cryptography defines broken very strictly. A hash function is considered broken if it is possible to generate a collision in less time than brute force. It might still be hard or difficult for the average person but since it's possible, it is defined as broken. If it's possible to solve the hash function easily (by cryptographic standards) then it's considered completely broken. For MD5, it has been demonstrated by researchers in 2004 how to create different files with the same md5 hash. In 2008, a successful attack was made on SSL and in 2009, an attack was published that is allegedly doable within minutes on a normal computer. MD5 is considered completely broken cryptographically. Quote About that "old/new", it refers to: old -> Jed time / new -> some time after M'Tux bough that, not as "old before the attack/new after", as I believe you were assuming. You believed wrongly again. Let me put it into a timeline so it's clear what I was referring to 1. Original weak hash passwords with plain unsalted md5 2. mtgox realizes it's bad, changes hash to a slightly better but cryptographically just as weak BSD md5crypt 3. you signed up for an account or changed your password so your data in the database along with many others are using the salted md5crypt 4. hacker obtains database 5. easily cracks passwords from #1 and from released files, cracked the newer hashes from #2 too. If #2 was a change to a more secured hash such as SHA256, then #4 would had only practically only affect the old/idle accounts from #1. If mtgox did something between 2 and 4 to notify/force users to change their password, then the loss to #4 would had been further reduced, but only if a more secure hash was used. Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 14, 2011, 09:43:43 PM Just created a GitHub repo: https://github.com/BCEmporium/PHPCoin
@Xephan; Fair enough, I'm not up to waste time in those sort of discussions. But to the end, if one gets your db, other than a dump: mysql_query("UPDATE users SET `password` = '$mynewHash' WHERE uid = $target_id"); or, moving with money: mysql_query("UPDATE users SET `balance` = 10000000 WHERE uid = $my_id"); Bottom line, "assuming that someone can get the database" isn't security. If someone gets the db is already too late... only solution probably: sudo /etc/init.d/mysql stop && shutdown -hP now Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 14, 2011, 09:46:19 PM Just created a GitHub repo: https://github.com/BCEmporium/PHPCoin Attached to that "theoretical" exploit, would be good to have auto-forwarding on. ;D@Xephan; Fair enough, I'm not up to waste time in those sort of discussions. But to the end, if one gets your db, other than a dump: mysql_query("UPDATE users SET `password` = '$mynewHash' WHERE uid = $target_id"); or, moving with money: mysql_query("UPDATE users SET `balance` = 10000000 WHERE uid = $my_id"); Bottom line, "assuming that someone can get the database" isn't security. If someone gets the db is already too late... only solution probably: sudo /etc/init.d/mysql stop && shutdown -hP now Also, thanks for pushing to github. [Edit]: Just looked at the index.php and noticed something that could be changed. Code: if(!isset($_SESSION['btaccount'])) $_SESSION['btaccount'] = $config['account_prefix']['value'] ."_" . $_SESSION['id'] . "_1"; Instead of _1, have it do _".$accout_id; :) Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 14, 2011, 09:52:06 PM No, that line means:
If no account is selected, then select <account Prefix from config>_<user id>_<first account - which is ALWAYS 1> if you do this, and taken $account_id isn't set, will mean PC_1_<nothing here... empty> Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 14, 2011, 09:53:49 PM No, that line means: Ah, yes...my bad.If no account is selected, then select <account Prefix from config>_<user id>_<first account - which is ALWAYS 1> if you do this, and taken $account_id isn't set, will mean PC_1_<nothing here... empty> Title: Re: [Pre Alpha] PHPCoin Post by: Xephan on August 15, 2011, 04:20:05 AM Bottom line, "assuming that someone can get the database" isn't security. of course just assuming that isn't security. It's what you do based on the assumption. It does not mean you neglect physical security of the systems, but to make getting hold of it not as profitable as it would otherwise be. Quote If someone gets the db is already too late... only solution probably: sudo /etc/init.d/mysql stop && shutdown -hP now If somebody gets the db, doing a shutdown doesn't help. Depending on how he/she got access, they could very well steal your application code and load it up on their own server to do whatever. Which is why the other consideration is to encrypt/protect other key information in the system and design it in such a way to maximize the cost and reduce the benefit to anybody who gains unauthorized access. The whole point of the game is to make the other person go "Screw it, this isn't worth the trouble!" Title: Re: [Pre Alpha] PHPCoin Post by: Jine on August 15, 2011, 05:31:41 AM Ok, lets state some facts that i found:
1) Entire system is exploitable with XSS. 2) Entire system lacks CSRF protection. 3) Messy structure, mixed frontend/backend could lead to mistakes and issues. 4) Stupid not to filter _ALL_ inputs, not just the ones that does SQL-queries. (It's easier and safer) 6) Never ever trust ANYTHING a user enters. That includes amounts(!) and lengths of all inputs. 6.1) I've seen DDoS attacks with users entering huge amount of data to make the server do 50000 hashes on a string thats a couple of MBs. For fuck sake, cannot SOMEONE learn to develop correctly structured PHP? It's not _THAT_ hard. Implement a MVC structure or base the project on some open source frameword (CI, Symfony, Zend or whatever) This will also take care of 90% of the security you guys are talking about. CI have a neat implementation of prepared statments (that's really easy to use) and Symfony/Zend have similar ORM's. Advices from someone that have actually developed PHP for the past.... many years. Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 15, 2011, 05:50:33 AM Ok, lets state some facts that i found: These are easy things to fix.1) Entire system is exploitable with XSS. 2) Entire system lacks CSRF protection. 3) Messy structure, mixed frontend/backend could lead to mistakes and issues. 4) Stupid not to filter _ALL_ inputs, not just the ones that does SQL-queries. (It's easier and safer) 6) Never ever trust ANYTHING a user enters. That includes amounts(!) and lengths of all inputs. 6.1) I've seen DDoS attacks with users entering huge amount of data to make the server do 50000 hashes on a string thats a couple of MBs. For fuck sake, cannot SOMEONE learn to develop correctly structured PHP? It's not _THAT_ hard. Implement a MVC structure or base the project on some open source frameword (CI, Symfony, Zend or whatever) This will also take care of 90% of the security you guys are talking about. CI have a neat implementation of prepared statments (that's really easy to use) and Symfony/Zend have similar ORM's. Advices from someone that have actually developed PHP for the past.... many years. Thanks for pointing them out. I'll be sure my site get's updated with these fixes by tomorrow. Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 15, 2011, 11:28:24 AM Ok, lets state some facts that i found: 1) Entire system is exploitable with XSS. 2) Entire system lacks CSRF protection. Name them! What can you do with XSS/CSRF? Log the user out? Quote 6.1) I've seen DDoS attacks with users entering huge amount of data to make the server do 50000 hashes on a string thats a couple of MBs. This actually means: "I don't even know what I'm talking about, but I'm full of shit and will try to impress with my 'security skills'". For fuck sake! STOP casting bullshit you read in "hackers forums". BTW, those "hacker forums" are normally like those guys who finish high school virgins; they make the hardest and most long shot attack look like the easiest thing around, yet they never actually did any, just like those boys who never actually got anyone but will jump on claim to had half of the school girls. Title: Re: [Pre Alpha] PHPCoin Post by: NothinG on August 15, 2011, 12:58:22 PM BTW, those "hacker forums" are normally like those guys who finish high school virgins; they make the hardest and most long shot attack look like the easiest thing around, yet they never actually did any, just like those boys who never actually got anyone but will jump on claim to had half of the school girls. I love how you bring up the "hacker forums" talking about them being high school virgins.https://i.imgur.com/ow6TT.jpg I used to be one of the main PHP coder for our group on hack forums. ;D Hack Forums is not a hacking Forum, is a Social Network for Wannabe Hackers... Gotta Love them though, and respect them for trying to help. The Typical Hacker: -) Had an above average grade in school (didn't do so well in history, excelled in math). -) Over exaggerated number of girlfriends in high-school (probably 2-3 would be the truth, but they end up saying they had 10-20 girls). The Hacker that Manipulates People: -) Did well in Math (Thinks in Logic), had a decent grade in History (still hates it), loves English. -) Exaggerates number of girlfriends by a little-bit but just enough to make you believe them (roughly 5-7). ...there are more, but that's about the only two categories I've been in. Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 15, 2011, 01:19:35 PM "Hacking" is actually do the things in an unorthodox way.
But my point was on "claim vs reality", not on how many gf a hacker has or not. I know those forums, it mostly goes around like: - Let's strike xpto.com? - Yeah! Yeah! - They've a XSS/CSRF exploit - Whow!!!! Easy picking! We will screw it! ...after 1.000.000 fails you got the two "hacker kinds": Liar: - I'm in! - Sweet! Help us out. - Oh shit! Just logged out. I'll teach you guys later, need to check the logs. (and wait this to be forgotten) Honest: - You guys up to DDoS it? ;D Title: Re: [Pre Alpha] PHPCoin Post by: Jine on August 15, 2011, 02:38:09 PM I've never actually been a member of a "hacking forum".
I never said any of those was hard to fix, i just told it should be done. Insert a maximum length of 255 chars or something as password as well - and you don't ever have to. BCEmporium: 1) IIRC from reading the source, NothinG don't sanitize any inputs at all - except for avoiding SQL injections. I rest my case. You're stupid if you don't see that as a issue :) Ps. I do work as a security consultant, but that is none of you business :) EDIT: Seriously tho, wtf is up with this forum? Each time i point out a security flaw in a system, i get tons of shit thrown at me. Lets change strategies then, lets PROVE that everything i said is valid and can be exploitable. Forget everything i said, and I'll public a few POC when I feel like it's time to do so :) Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 15, 2011, 04:12:06 PM For fuck sake, cannot SOMEONE learn to develop correctly structured PHP? THIS... I would ask otherwise, can't someone develop something wasting TIME and for FREE, without having some full of shit "security troll" to show around as an unwanted sort of "consultant"? So next time, if you don't want shit thrown at you, don't throw at others. Title: Re: [Pre Alpha] PHPCoin Post by: Xephan on August 15, 2011, 04:17:22 PM EDIT: Seriously tho, wtf is up with this forum? Each time i point out a security flaw in a system, i get tons of shit thrown at me. I think it's probably a pride thing. Most of us like to think we're good at what we're doing and to admit otherwise, can be difficult when it comes to certain things. I'm paranoid and fortunately don't think I'm a l33t programmer so anytime somebody points out a potential security flaw in my code, I'm definitely going to look at it first. I'd rather add a few more lines of code to plug a potential flaw than to write a few paragraphs to defend my pride and still leave a hole to potentially get screwed later. Admittedly, there are other things where I will find it a lot harder to accept criticism! :D Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 15, 2011, 04:23:50 PM Another thing, before your cast of "security wannabes", shouldn't you read the aim of the project first?
This project is initially designed to be used as frontend for Debian VM's - NOT as a webservice. Webservice will have a few differences in account features, such as captchas to prevent brutte forcing and other pwd security. @Xephan; I accept criticism, I DO NOT ACCEPT, is someone scratching his balls and just showing his face to say things like "for fuck sake you can't code". This ain't about being "infallible" or "too good", it's a matter of RESPECT others' work. Title: Re: [Pre Alpha] PHPCoin Post by: Xephan on August 15, 2011, 04:38:31 PM @Xephan; I accept criticism, I DO NOT ACCEPT, is someone scratching his balls and just showing his face to say things like "for fuck sake you can't code". This ain't about being "infallible" or "too good", it's a matter of RESPECT others' work. I would agree that saying somebody can't code is a bit disrespectful. I hope I've not made any comment to that effect but only to highlight what I feel are potential pitfalls. As I said earlier in this thread, it's your project you can code it anyway you like regardless of what others like me may suggest. But if I did say anything to the effect of "you can't code", I would apologize for it. On another issue, while your objective now is for it to be a private VM frontend, I was all along under the impression from your first post that it was intended to be used for public facing services as well. While you've made the point about certain additional changes to the code for those purposes, I would suggest that it would be more efficient and easier to maintain a single secured code base than two. You can always use options to turn off unneeded security such as captchas for use in an internal environment. This way, you wouldn't have to worry that a flaw in one may be exploited to get to the other. Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on August 15, 2011, 04:44:57 PM That won't be a branch, will be the same development, but because I don't have limitless free time, I'll start by cutting some issues in the private frontend and later input the remaining ideas for this project. The final project must be a single branch, with ability to enable/disable webservice's features, such as SHA1 pwd crypt (bad idea if your VM has just 128 Mb of RAM or less), captchas (senseless to connect to 192.168.x.x), and so on.
Title: Re: [Pre Alpha] PHPCoin Post by: SgtSpike on September 05, 2011, 07:15:41 AM Question. I have this installed and running on a test server. I sent myself 5 bitcents. It has 57 confirmations now, but when I log in, I see this:
Balance 0.00000000 BTC 0.05000000 BTC with the 0.05 show in small italics. I can't do anything with the coins, because my account balance is 0. What does the little italics mean, and how do those coins make it into the account? Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on September 05, 2011, 08:59:13 AM The italic means "I already can see it, but still hasn't the required confirmations".
Change it from unconfirmed to confirmed (normal will be 0.05 and italic will back to 0.00) it's a job of the cron file. Don't forget to config the abspath on the cron. Title: Re: [Pre Alpha] PHPCoin Post by: SgtSpike on September 05, 2011, 06:55:59 PM The italic means "I already can see it, but still hasn't the required confirmations". I... didn't know there was a cron to run. That's probably why. :PChange it from unconfirmed to confirmed (normal will be 0.05 and italic will back to 0.00) it's a job of the cron file. Don't forget to config the abspath on the cron. Title: Re: [Pre Alpha] PHPCoin Post by: hamburger on September 05, 2011, 07:05:35 PM Quote I... didn't know there was a cron to run. That's probably why. :P Great question - I also did not know this and was waiting for the change for a week now. ::) Q: Should we uncomment this line (as it is now) in the cron file to use the database specified confirmation; Quote //Checking for new deposits $accounts = $b->listaccounts((int)$config['confirmations']['value']); //$accounts = $b->listaccounts(1); //Test only and do we need to set our Default account for sending to PC_MAIN or could we use any other address available. Q: Any news on the admin section? Thank you, Hamburger Title: Re: [Pre Alpha] PHPCoin Post by: SgtSpike on September 05, 2011, 07:30:04 PM Lol, I don't even have the cron folder. I should probably update to the latest version... :P
Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on September 05, 2011, 07:41:12 PM You can get the latest source from https://github.com/BCEmporium/PHPCoin
The cron folder is phpcoin-cron, you should copy it somewhere outside the webroot and config the abspath to the installation. The main account can be changed on the database still. Title: Re: [Pre Alpha] PHPCoin Post by: hamburger on September 07, 2011, 05:26:38 PM Hi,
Do any of you perhaps know why I would get a Internal Server Error when I create a new account or when I log out? Thank you, Hamburger Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on September 07, 2011, 07:01:41 PM Hi, Do any of you perhaps know why I would get a Internal Server Error when I create a new account or when I log out? Thank you, Hamburger Look in the error.log of your server. The answer must be there. Maybe a misconfiguration, that error is common within miss .htaccess configs Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on October 20, 2013, 12:35:41 AM I thought this project to be dead due to lack of interest, but two weeks ago an user emailed me a mysqli patch to it, meanwhile I forgot my GitHUB pass to put it up there and now someone else connects this project to some deepweb market with its admin saying that I helped him. Checked my contacts made through here and still can't figure where or how.
What a mess! ??? Title: Re: [Pre Alpha] PHPCoin Post by: Raoul Duke on October 20, 2013, 11:33:36 AM I thought this project to be dead due to lack of interest, but two weeks ago an user emailed me a mysqli patch to it, meanwhile I forgot my GitHUB pass to put it up there and now someone else connects this project to some deepweb market with its admin saying that I helped him. Checked my contacts made through here and still can't figure where or how. What a mess! ??? lolwut? lol I think we need more details. Especialy if you want us to help you find out where or how(what?)... Title: Re: [Pre Alpha] PHPCoin Post by: BCEmporium on October 20, 2013, 02:16:14 PM Nvm, there is some people saying I helped on creating a deepweb market or even own or made it, because it's code leaked and the structure is similar to my project here. What would be funny taken I started to make a market for the regular web, bcommerce, but never actually finished it. I also don't remember to help anybody about this project outside this thread but I usually answer to common questions about PHP, could be that.
And about the index/switch structure it's also part of some commercial frameworks, like webassist. I guess I should look on the bright side and get happy that apparently my code styling is strong enough for the deepweb, but sucks to see my name attached to people I wouldn't touch with a 10 feet pole! |
