Found a rather interesting string in the HTML served by the demo server.
This really looks exploitable. Note, for instance, that the quoted script builds every request URL with the same `_unique` token and sends the new password as a plain GET parameter (`&pass='+pass`). You should look into obfuscating the code; someone doing some "deep" digging into this would find the exploit.
I am running some tests and will post the results.
Quote
| INTERESTING STRINGS IN HTML
|
| small>Password:
| button onclick=\"javascript:passwd_protect();return false;\" style=\"padding: 4px;\">Set Password
| img src="content/images/ajax_loader.gif">'); withdrawing=true; _requestWithdraw(w_amount,w_valid); } else { alert('One of required fields stayed empty!'); } } } }); return false; }
// The statements above are the tail of a function whose start lies outside this
// excerpt (a withdrawal handler, judging by the names); nothing in it is changed here.

/**
 * Prompts for a password and asks the server to password-protect the user's unique URL.
 * NOTE(review): `pass` is assigned without var/let, so it becomes an implicit global.
 * NOTE(review): the password travels as a GET query parameter and is concatenated into
 * the URL without encodeURIComponent(), so a value containing '&' or '#' is truncated
 * or misparsed, and GET parameters typically end up in server/proxy logs and browser
 * history. The fixed `_unique` token is embedded in every request URL in this script and
 * is therefore readable by anyone who can view the page source; it appears to be the
 * only per-user credential these endpoints receive (server side not visible here).
 * The password is also echoed back in the confirm() dialog. No error callback is
 * registered, so a failed request is silent.
 */
function passwd_protect() { pass=prompt('Password:'); if (pass!=null && confirm('Your pasword: '+pass+'\nDo you really want to protect your URL with this password?')) { $.ajax({ 'url': './content/ajax/protect_url.php?_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z&pass='+pass, 'dataType': "json", 'success': function(data) { alert('New password has been saved. Your unique URL is now password protected!'); window.location.href='./'; } }); } }

/**
 * Removes password protection from the unique URL after a confirm() dialog, then
 * reloads the page root. The request carries nothing but the `_unique` token.
 * NOTE(review): as with the other $.ajax calls in this excerpt, only a 'success'
 * handler is supplied, so a rejected or failed request gives the user no feedback.
 */
function passwd_unprotect() { if (confirm('Do you really want to remove password protection from your unique URL?')) { $.ajax({ 'url': './content/ajax/unprotect_url.php?_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z', 'dataType': "json", 'success': function(data) { alert('Your URL password protection has been successfuly removed!'); window.location.href='./'; } }); } }

/**
 * Sends a new alias to the server and, on success (data['error']=='no'), shows it in
 * #alias_sp; otherwise alerts data['content']. An empty alias shows 'Invalid value!';
 * null is silently ignored.
 * NOTE(review): `alias` is concatenated into the query string unencoded and is then
 * inserted with .html(alias), so it is interpreted as markup rather than text;
 * .text(alias) is the safe way to display a user-supplied value.
 */
function _changeAlias(alias) { if (alias!=null && alias!='') { $.ajax({ 'url': './content/ajax/change_alias.php?alias='+alias+'&_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z', 'dataType': "json", 'success': function(data) { if (data['error']=='no') $("#alias_sp").html(alias); else alert(data['content']); } }); } else if (alias=='') alert('Invalid value!'); }

/**
 * Loads the stats panel named by `con` into #all.stats #content, marks the matching
 * switcher link as current, and — except for 'giveaway', 'chat' and 'stats' — schedules
 * itself again after 1000 ms. `timeout_` is an implicit global shared with
 * _stats_content(). Where `con` originates is not visible in this excerpt.
 * NOTE(review): setTimeout is called with a string built from `con`, which is evaluated
 * as code; a `con` containing a quote character changes what gets executed. Passing a
 * function instead, `setTimeout(function(){ tm_interval_content_(con); },1000)`, avoids
 * this. data['content'] from the server is inserted with .html(), i.e. trusted as markup.
 */
function tm_interval_content_(con) { $.ajax({ 'url': './content/ajax/_stats_load.php?con='+con+'&_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z', 'dataType': "json", 'success': function(data) { $("#all.stats #content").html(data['content']); $("#content.stats_switcher a.current").removeClass('current'); $("#content.stats_switcher a#_st_"+con).addClass('current'); } }); if (con!='giveaway' && con!='chat' && con!='stats') timeout_=setTimeout("tm_interval_content_('"+con+"')",1000); }

/** Cancels any pending stats refresh, then loads panel `con` immediately. */
function _stats_content(con) { if (typeof(timeout_)!='undefined') { clearTimeout(timeout_); } tm_interval_content_(con); }

// Timestamp of the last claim, initialised 61 s in the past; read by claim(), whose
// definition is cut off at the end of this excerpt.
var lastClaimed=(Date.now()-(60*1000)-1000);
function claim(captcha) { if (lastClaimed
| span id='passwd_sp'>
| img src="content/images/ajax_loader.gif">'); withdrawing=true; _requestWithdraw(w_amount,w_valid); } else { alert('One of required fields stayed empty!'); } } } }); return false; }
// The statements above are the tail of a function whose start lies outside this
// excerpt (a withdrawal handler, judging by the names); nothing in it is changed here.

/**
 * Prompts for a password and asks the server to password-protect the user's unique URL.
 * NOTE(review): `pass` is assigned without var/let, so it becomes an implicit global.
 * NOTE(review): the password travels as a GET query parameter and is concatenated into
 * the URL without encodeURIComponent(), so a value containing '&' or '#' is truncated
 * or misparsed, and GET parameters typically end up in server/proxy logs and browser
 * history. The fixed `_unique` token is embedded in every request URL in this script and
 * is therefore readable by anyone who can view the page source; it appears to be the
 * only per-user credential these endpoints receive (server side not visible here).
 * The password is also echoed back in the confirm() dialog. No error callback is
 * registered, so a failed request is silent.
 */
function passwd_protect() { pass=prompt('Password:'); if (pass!=null && confirm('Your pasword: '+pass+'\nDo you really want to protect your URL with this password?')) { $.ajax({ 'url': './content/ajax/protect_url.php?_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z&pass='+pass, 'dataType': "json", 'success': function(data) { alert('New password has been saved. Your unique URL is now password protected!'); window.location.href='./'; } }); } }

/**
 * Removes password protection from the unique URL after a confirm() dialog, then
 * reloads the page root. The request carries nothing but the `_unique` token.
 * NOTE(review): as with the other $.ajax calls in this excerpt, only a 'success'
 * handler is supplied, so a rejected or failed request gives the user no feedback.
 */
function passwd_unprotect() { if (confirm('Do you really want to remove password protection from your unique URL?')) { $.ajax({ 'url': './content/ajax/unprotect_url.php?_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z', 'dataType': "json", 'success': function(data) { alert('Your URL password protection has been successfuly removed!'); window.location.href='./'; } }); } }

/**
 * Sends a new alias to the server and, on success (data['error']=='no'), shows it in
 * #alias_sp; otherwise alerts data['content']. An empty alias shows 'Invalid value!';
 * null is silently ignored.
 * NOTE(review): `alias` is concatenated into the query string unencoded and is then
 * inserted with .html(alias), so it is interpreted as markup rather than text;
 * .text(alias) is the safe way to display a user-supplied value.
 */
function _changeAlias(alias) { if (alias!=null && alias!='') { $.ajax({ 'url': './content/ajax/change_alias.php?alias='+alias+'&_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z', 'dataType': "json", 'success': function(data) { if (data['error']=='no') $("#alias_sp").html(alias); else alert(data['content']); } }); } else if (alias=='') alert('Invalid value!'); }

/**
 * Loads the stats panel named by `con` into #all.stats #content, marks the matching
 * switcher link as current, and — except for 'giveaway', 'chat' and 'stats' — schedules
 * itself again after 1000 ms. `timeout_` is an implicit global shared with
 * _stats_content(). Where `con` originates is not visible in this excerpt.
 * NOTE(review): setTimeout is called with a string built from `con`, which is evaluated
 * as code; a `con` containing a quote character changes what gets executed. Passing a
 * function instead, `setTimeout(function(){ tm_interval_content_(con); },1000)`, avoids
 * this. data['content'] from the server is inserted with .html(), i.e. trusted as markup.
 */
function tm_interval_content_(con) { $.ajax({ 'url': './content/ajax/_stats_load.php?con='+con+'&_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z', 'dataType': "json", 'success': function(data) { $("#all.stats #content").html(data['content']); $("#content.stats_switcher a.current").removeClass('current'); $("#content.stats_switcher a#_st_"+con).addClass('current'); } }); if (con!='giveaway' && con!='chat' && con!='stats') timeout_=setTimeout("tm_interval_content_('"+con+"')",1000); }

/** Cancels any pending stats refresh, then loads panel `con` immediately. */
function _stats_content(con) { if (typeof(timeout_)!='undefined') { clearTimeout(timeout_); } tm_interval_content_(con); }

// Timestamp of the last claim, initialised 61 s in the past; read by claim(), whose
// definition is cut off at the end of this excerpt.
var lastClaimed=(Date.now()-(60*1000)-1000);
function claim(captcha) { if (lastClaimed
| i>Each deposit requires confirmation(s) before adding to your account
| /div>", type:"info", opacity:0.8, buttons: [{ value: "Close" }], afterShow:"reloadFaircon()" }); return false; } function account() { $.msgBox({ title:"Account", content:"
| a href="#" onclick="javascript:return account();">ACCOUNT
|
| small>Password:
| button onclick=\"javascript:passwd_protect();return false;\" style=\"padding: 4px;\">Set Password
| img src="content/images/ajax_loader.gif">'); withdrawing=true; _requestWithdraw(w_amount,w_valid); } else { alert('One of required fields stayed empty!'); } } } }); return false; }
// The statements above are the tail of a function whose start lies outside this
// excerpt (a withdrawal handler, judging by the names); nothing in it is changed here.

/**
 * Prompts for a password and asks the server to password-protect the user's unique URL.
 * NOTE(review): `pass` is assigned without var/let, so it becomes an implicit global.
 * NOTE(review): the password travels as a GET query parameter and is concatenated into
 * the URL without encodeURIComponent(), so a value containing '&' or '#' is truncated
 * or misparsed, and GET parameters typically end up in server/proxy logs and browser
 * history. The fixed `_unique` token is embedded in every request URL in this script and
 * is therefore readable by anyone who can view the page source; it appears to be the
 * only per-user credential these endpoints receive (server side not visible here).
 * The password is also echoed back in the confirm() dialog. No error callback is
 * registered, so a failed request is silent.
 */
function passwd_protect() { pass=prompt('Password:'); if (pass!=null && confirm('Your pasword: '+pass+'\nDo you really want to protect your URL with this password?')) { $.ajax({ 'url': './content/ajax/protect_url.php?_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z&pass='+pass, 'dataType': "json", 'success': function(data) { alert('New password has been saved. Your unique URL is now password protected!'); window.location.href='./'; } }); } }

/**
 * Removes password protection from the unique URL after a confirm() dialog, then
 * reloads the page root. The request carries nothing but the `_unique` token.
 * NOTE(review): as with the other $.ajax calls in this excerpt, only a 'success'
 * handler is supplied, so a rejected or failed request gives the user no feedback.
 */
function passwd_unprotect() { if (confirm('Do you really want to remove password protection from your unique URL?')) { $.ajax({ 'url': './content/ajax/unprotect_url.php?_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z', 'dataType': "json", 'success': function(data) { alert('Your URL password protection has been successfuly removed!'); window.location.href='./'; } }); } }

/**
 * Sends a new alias to the server and, on success (data['error']=='no'), shows it in
 * #alias_sp; otherwise alerts data['content']. An empty alias shows 'Invalid value!';
 * null is silently ignored.
 * NOTE(review): `alias` is concatenated into the query string unencoded and is then
 * inserted with .html(alias), so it is interpreted as markup rather than text;
 * .text(alias) is the safe way to display a user-supplied value.
 */
function _changeAlias(alias) { if (alias!=null && alias!='') { $.ajax({ 'url': './content/ajax/change_alias.php?alias='+alias+'&_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z', 'dataType': "json", 'success': function(data) { if (data['error']=='no') $("#alias_sp").html(alias); else alert(data['content']); } }); } else if (alias=='') alert('Invalid value!'); }

/**
 * Loads the stats panel named by `con` into #all.stats #content, marks the matching
 * switcher link as current, and — except for 'giveaway', 'chat' and 'stats' — schedules
 * itself again after 1000 ms. `timeout_` is an implicit global shared with
 * _stats_content(). Where `con` originates is not visible in this excerpt.
 * NOTE(review): setTimeout is called with a string built from `con`, which is evaluated
 * as code; a `con` containing a quote character changes what gets executed. Passing a
 * function instead, `setTimeout(function(){ tm_interval_content_(con); },1000)`, avoids
 * this. data['content'] from the server is inserted with .html(), i.e. trusted as markup.
 */
function tm_interval_content_(con) { $.ajax({ 'url': './content/ajax/_stats_load.php?con='+con+'&_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z', 'dataType': "json", 'success': function(data) { $("#all.stats #content").html(data['content']); $("#content.stats_switcher a.current").removeClass('current'); $("#content.stats_switcher a#_st_"+con).addClass('current'); } }); if (con!='giveaway' && con!='chat' && con!='stats') timeout_=setTimeout("tm_interval_content_('"+con+"')",1000); }

/** Cancels any pending stats refresh, then loads panel `con` immediately. */
function _stats_content(con) { if (typeof(timeout_)!='undefined') { clearTimeout(timeout_); } tm_interval_content_(con); }

// Timestamp of the last claim, initialised 61 s in the past; read by claim(), whose
// definition is cut off at the end of this excerpt.
var lastClaimed=(Date.now()-(60*1000)-1000);
function claim(captcha) { if (lastClaimed
| span id='passwd_sp'>
| img src="content/images/ajax_loader.gif">'); withdrawing=true; _requestWithdraw(w_amount,w_valid); } else { alert('One of required fields stayed empty!'); } } } }); return false; }
// The statements above are the tail of a function whose start lies outside this
// excerpt (a withdrawal handler, judging by the names); nothing in it is changed here.

/**
 * Prompts for a password and asks the server to password-protect the user's unique URL.
 * NOTE(review): `pass` is assigned without var/let, so it becomes an implicit global.
 * NOTE(review): the password travels as a GET query parameter and is concatenated into
 * the URL without encodeURIComponent(), so a value containing '&' or '#' is truncated
 * or misparsed, and GET parameters typically end up in server/proxy logs and browser
 * history. The fixed `_unique` token is embedded in every request URL in this script and
 * is therefore readable by anyone who can view the page source; it appears to be the
 * only per-user credential these endpoints receive (server side not visible here).
 * The password is also echoed back in the confirm() dialog. No error callback is
 * registered, so a failed request is silent.
 */
function passwd_protect() { pass=prompt('Password:'); if (pass!=null && confirm('Your pasword: '+pass+'\nDo you really want to protect your URL with this password?')) { $.ajax({ 'url': './content/ajax/protect_url.php?_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z&pass='+pass, 'dataType': "json", 'success': function(data) { alert('New password has been saved. Your unique URL is now password protected!'); window.location.href='./'; } }); } }

/**
 * Removes password protection from the unique URL after a confirm() dialog, then
 * reloads the page root. The request carries nothing but the `_unique` token.
 * NOTE(review): as with the other $.ajax calls in this excerpt, only a 'success'
 * handler is supplied, so a rejected or failed request gives the user no feedback.
 */
function passwd_unprotect() { if (confirm('Do you really want to remove password protection from your unique URL?')) { $.ajax({ 'url': './content/ajax/unprotect_url.php?_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z', 'dataType': "json", 'success': function(data) { alert('Your URL password protection has been successfuly removed!'); window.location.href='./'; } }); } }

/**
 * Sends a new alias to the server and, on success (data['error']=='no'), shows it in
 * #alias_sp; otherwise alerts data['content']. An empty alias shows 'Invalid value!';
 * null is silently ignored.
 * NOTE(review): `alias` is concatenated into the query string unencoded and is then
 * inserted with .html(alias), so it is interpreted as markup rather than text;
 * .text(alias) is the safe way to display a user-supplied value.
 */
function _changeAlias(alias) { if (alias!=null && alias!='') { $.ajax({ 'url': './content/ajax/change_alias.php?alias='+alias+'&_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z', 'dataType': "json", 'success': function(data) { if (data['error']=='no') $("#alias_sp").html(alias); else alert(data['content']); } }); } else if (alias=='') alert('Invalid value!'); }

/**
 * Loads the stats panel named by `con` into #all.stats #content, marks the matching
 * switcher link as current, and — except for 'giveaway', 'chat' and 'stats' — schedules
 * itself again after 1000 ms. `timeout_` is an implicit global shared with
 * _stats_content(). Where `con` originates is not visible in this excerpt.
 * NOTE(review): setTimeout is called with a string built from `con`, which is evaluated
 * as code; a `con` containing a quote character changes what gets executed. Passing a
 * function instead, `setTimeout(function(){ tm_interval_content_(con); },1000)`, avoids
 * this. data['content'] from the server is inserted with .html(), i.e. trusted as markup.
 */
function tm_interval_content_(con) { $.ajax({ 'url': './content/ajax/_stats_load.php?con='+con+'&_unique=1SKNkgGOqVHNiNIlSD4yesGdtyehp34z', 'dataType': "json", 'success': function(data) { $("#all.stats #content").html(data['content']); $("#content.stats_switcher a.current").removeClass('current'); $("#content.stats_switcher a#_st_"+con).addClass('current'); } }); if (con!='giveaway' && con!='chat' && con!='stats') timeout_=setTimeout("tm_interval_content_('"+con+"')",1000); }

/** Cancels any pending stats refresh, then loads panel `con` immediately. */
function _stats_content(con) { if (typeof(timeout_)!='undefined') { clearTimeout(timeout_); } tm_interval_content_(con); }

// Timestamp of the last claim, initialised 61 s in the past; read by claim(), whose
// definition is cut off at the end of this excerpt.
var lastClaimed=(Date.now()-(60*1000)-1000);
function claim(captcha) { if (lastClaimed
| i>Each deposit requires confirmation(s) before adding to your account
| /div>", type:"info", opacity:0.8, buttons: [{ value: "Close" }], afterShow:"reloadFaircon()" }); return false; } function account() { $.msgBox({ title:"Account", content:"
| a href="#" onclick="javascript:return account();">ACCOUNT
This really looks exploitable. You should look into obfuscating the code; someone doing some "deep" digging into this would find the exploit.
I am running some tests and will post the results.
Please do; I'm interested in buying this, but I am hearing too many bad things about its code quality. I'd rather spend a lot of money on a good script than a little on a bad one, because a bad script would be a total waste of money.