101
Economy / Digital goods / Re: BitShop - digital bitcoin shop script [PHP/MYSQL] (v1.0.7)
on: August 19, 2015, 01:14:26 PM
I was recently made aware of a CSRF exploit in BitShop which could cause damage if the attack is successful. To prevent it from happening, make sure you log out of the admin area when you're finished and be careful not to click any shady links while you're logged in as admin.
Technical details:
The way the exploit works is that the attacker will somehow convince the admin to click a link while they are logged in as admin. The link will take the admin to a page on the attacker's website. The page will contain some JavaScript which will submit a hidden form and post data to the BitShop script. Even though the POST request is coming from a different domain, the admin session will still be resumed because the request came from the web browser of the admin when they visited the attack page.
This is actually one of the attack vectors I didn't know much about up until now, because I was never taught about CSRF attacks in my web development classes and I always assumed that it wouldn't be possible to resume a session so easily when the request isn't made locally, but apparently I was mistaken. It seems quite ridiculous that it would work that way without any sort of safeguard. Anyway, I'll include a patch for the exploit in the next release of BitShop because several files need to be edited.
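The usual fix for the attack described in this post is a synchronizer token: the server stores a random secret in the admin's session, embeds it in every admin form, and rejects any POST that does not echo it back. The attacker's hidden form cannot supply the token because the same-origin policy stops their page from reading it. The code below is an added illustration and is not BitShop's own code or the patch the author mentions; the function names (csrf_session_start, csrf_token, csrf_field, csrf_verify, csrf_origin_ok) and the session key '_csrf' are assumptions made for this example.

```php
<?php
// Added example (not BitShop's own code): synchronizer-token CSRF protection
// for an admin area. Function names and the '_csrf' session key are assumed.

declare(strict_types=1);

// Start the session with a hardened cookie. SameSite=Lax makes the browser
// withhold the admin cookie on cross-site POSTs such as the hidden form in the
// attack above; HttpOnly keeps page scripts from reading the cookie.
function csrf_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',                     // PHP 7.3+
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();
}

// Return the per-session token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['_csrf'])) {
        $_SESSION['_csrf'] = bin2hex(random_bytes(32)); // 256-bit random value
    }
    return $_SESSION['_csrf'];
}

// Hidden input to place inside every admin form.
function csrf_field(): string
{
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Call at the top of every state-changing handler. True only when the
// submitted token equals the session token (constant-time comparison).
function csrf_verify(array $post): bool
{
    if (empty($_SESSION['_csrf']) || !isset($post['_csrf']) || !is_string($post['_csrf'])) {
        return false;
    }
    return hash_equals($_SESSION['_csrf'], $post['_csrf']);
}

// Defence in depth: browsers send an Origin header on cross-origin form
// posts, so a request whose Origin is not this site is rejected outright.
function csrf_origin_ok(array $server): bool
{
    if (empty($server['HTTP_ORIGIN'])) {
        return true; // same-origin form posts may omit Origin in older browsers
    }
    $scheme = !empty($server['HTTPS']) ? 'https' : 'http';
    return $server['HTTP_ORIGIN'] === $scheme . '://' . ($server['HTTP_HOST'] ?? '');
}

// Handler wiring for an admin action that changes state.
csrf_session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_origin_ok($_SERVER) || !csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the admin action here ...
}
?>
<form method="post" action="">
    <?= csrf_field() ?>
    <button type="submit">Save settings</button>
</form>
```

Every admin form has to include the hidden field and every handler that writes to the database has to call csrf_verify() before doing anything, which is why a fix of this kind touches several files. The SameSite cookie flag and the Origin check are only extra layers; the token check is the part that works in every browser.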
102
Economy / Digital goods / Re: BitShop - digital bitcoin shop script [PHP/MYSQL] (v1.0.7)
on: August 19, 2015, 12:19:34 PM
After login which an error is displayed with success and that's it. Has it always been doing that, or did it start doing that after you changed something? I have found the problem with Coinbase --->Merchant tools are disabled for this account. Please contact support.<---- Don't know why that would happen; do what it says and contact Coinbase support.
104
Economy / Digital goods / Re: BitShop - digital bitcoin shop script [PHP/MYSQL] (v1.0.7)
on: August 18, 2015, 07:52:39 PM
It could be a problem with your Coinbase settings. Enable Coinbase debugging to get more information about the problem. I'm guessing you haven't filled out your merchant profile properly.
That notice isn't doing any harm but can be fixed by removing lines 108 and 118 in the /sci/process-order.php file (both places the $_SESSION['ship_order'] variable is used).
106
Economy / Digital goods / Re: BitShop - digital bitcoin shop script [PHP/MYSQL] (v1.0.7)
on: August 17, 2015, 06:21:53 AM
Just found another bug in 1.0.7, checking the balance of an address on the order details page would alert the admin that the order had been paid even if it hadn't been. It also wasn't recording the true amount paid when being manually confirmed that way. Download BitShop again and update the /inc/admin/orders.inc.php page to fix those issues.
110
Economy / Digital goods / Re: BitShop - digital bitcoin shop script [PHP/MYSQL] (v1.0.7)
on: August 15, 2015, 02:37:12 PM
I didn't realize GoCoin had a way to do callback tests; it's not very easy to find, is it. Anyway, I have fixed the problem, transactions should be processed automatically now. Anyone using Coinbase will also need to apply this fix. Download BitShop again and replace these files:
/sci/gateways/gocoin/callback.php
/sci/gateways/coinbase/callback.php
/inc/admin/orders.inc.php
112
Economy / Digital goods / Re: BitShop - digital bitcoin shop script [PHP/MYSQL] (v1.0.7)
on: August 14, 2015, 01:04:15 PM
It can be anything you want as long as it's not predictable. All transactions must be manually confirmed? Is this correct or a bug? If the callback script is not called before the user is returned to your shop, then it will tell the buyer to wait while the transaction is processed. It doesn't mean the admin has to process the transaction manually; it means you have to wait until the callback script gets called by GoCoin. But if there are any issues with the callback script it won't get confirmed. It looks to me like the callback script should have already been called, so I'm guessing there's a problem with it. Are there any error log files inside of the /sci/gateways/gocoin/ folder?
113
Economy / Digital goods / Re: BitShop - digital bitcoin shop script [PHP/MYSQL] (v1.0.7)
on: August 14, 2015, 11:52:09 AM
Uhm, what is the callback URI for GoCoin? I have registered a new account. GoCoin is new territory for me.
There is no callback URL setting in your GoCoin account settings like there is with Coinbase. The callback URL is passed to GoCoin when the order is being created. You'll know if it works or not when you complete a transaction using the GoCoin gateway. If the transaction gets confirmed, then the callback script must have worked.