Bitcoin Forum
September 28, 2021, 09:11:06 PM *
  Show Posts
Pages: [1] 2 3 4 »
1  Bitcoin / Pools / Re: Mainframe MC News - Sep 2011 (2 months in service!!!) on: September 14, 2011, 01:24:13 PM
Just wanted to add AnnihilaT is very engaged with this mining pool and can be reached just about anytime using the IRC channel #mainframe.nl on freenode.

Also, both the pool backend and frontend software are open source which provides exceptional transparency.

There is also a GET/JSON web API for developers that works very well.

Give MMC a try today and formulate your own opinion!
http://mining.mainframe.nl
2  Bitcoin / Pools / Re: [ ~230 GH/s ] Mainframe Mining Cooperative - PPLNS+, 8dec, SSL, API, LP on: September 14, 2011, 01:14:20 PM
The recent run of good luck at MMC is sweet!  Grin
3  Bitcoin / Project Development / Re: Need Help Starting an exchange on: September 08, 2011, 12:17:31 PM
I would suggest doing a "hack-a-thon" like Xenland did before going live with any type of site.  Much better for us to point out flaws/holes in your system before going live.  As for just worrying about PHP security, there are many other angles of attack that need constant attention and monitoring.

And IMO, an exchange will be a prime target since you will be holding BTC.
4  Bitcoin / Project Development / Re: how are you pulling JSON from exchanges? on: August 31, 2011, 04:15:10 PM
What exchanges are you looking to extract JSON data from?

I have written libraries for some exchanges already.  See my sig
5  Bitcoin / Project Development / Re: Cheaper In Bitcoins [Target beta date: September 1st] on: August 22, 2011, 01:51:38 PM
I can attest the site is secure.  Grin
6  Bitcoin / Project Development / Re: [Hack-A-Thon: Round 2 is a go!] Hack my site {Server back up} on: August 19, 2011, 11:40:56 PM
Nitpicking...

Apache/2.2.17 (Ubuntu)
Configure your web server to prevent information leakage from the SERVER header of its HTTP response.

PHP/5.3.5-1ubuntu7
Your PHP version is being displayed in HTTP response.

Cookie was not marked as HTTPOnly
HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.

register_password form field in login.php allows autocomplete
Disable autocomplete.

Apache MultiViews option is enabled
This vulnerability can be used for locating and obtaining access to some hidden resources.

Say when...  Grin



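As an added example (not code from this thread or from the site being tested), here is a small Python audit that checks a captured HTTP response for the header-level findings listed above: a version string in the Server header, an X-Powered-By header, and cookies set without HttpOnly or Secure. The sample response is constructed here, modelled on the 302 quoted later in this thread, with an invented Set-Cookie line so the cookie checks have something to inspect; the hardened variant is the same response after the fixes.

```python
"""Audit a raw HTTP response for information leakage and weak cookie flags.

Added example, not the site's own code. The responses below are constructed
(the Set-Cookie line is invented); everything else runs offline.
"""
import re
from typing import List, Tuple

# Constructed sample: headers modelled on the 302 shown in this thread,
# plus an invented session cookie with no flags.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Thu, 18 Aug 2011 04:21:44 GMT\r\n"
    "Server: Apache/2.2.14 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.2-1ubuntu4.9\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Location: /login.php?\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed: the same response after ServerTokens Prod, expose_php = Off
# and session.cookie_httponly / cookie_secure have been applied.
HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Thu, 18 Aug 2011 04:21:44 GMT\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure\r\n"
    "Location: /login.php?\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# A product token followed by a dotted version, e.g. Apache/2.2.14 or PHP/5.3.2
VERSION_RE = re.compile(r"/\d+(\.\d+)+")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs from the header block.

    Duplicates are kept on purpose: a response may set several cookies.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attributes(set_cookie: str) -> set:
    """Lower-cased attribute names after the name=value part (path, httponly, ...)."""
    return {part.strip().split("=", 1)[0].lower()
            for part in set_cookie.split(";")[1:] if part.strip()}


def audit(raw: str) -> List[str]:
    """One finding string per problem; an empty list means the checks passed."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "server" and VERSION_RE.search(value):
            findings.append(f"Server header leaks version: {value}")
        elif name == "x-powered-by":
            findings.append(f"X-Powered-By discloses platform: {value}")
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = cookie_attributes(value)
            if "httponly" not in attrs:
                findings.append(f"Cookie {cookie_name} not marked HttpOnly")
            if "secure" not in attrs:
                findings.append(f"Cookie {cookie_name} not marked Secure")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RESPONSE):
        print("FINDING:", line)
    print("hardened response findings:", audit(HARDENED_RESPONSE))
```

The corresponding server-side fixes are `ServerTokens Prod` and `ServerSignature Off` in the Apache config, `expose_php = Off` and `session.cookie_httponly = 1` (plus `session.cookie_secure = 1` once the site is on HTTPS) in php.ini, and `Options -MultiViews` in the vhost or directory block. HttpOnly only limits what a script can do with the cookie once XSS exists; it is not a substitute for fixing the injection itself.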
7  Bitcoin / Project Development / Re: [Hack-A-Thon: Round 2 is a go!] Hack my site {Server back up} on: August 19, 2011, 10:59:47 PM
Is it OK to go after the database server itself?

I won't kill it.  Grin
8  Bitcoin / Project Development / Re: [Hack-A-Thon: Round 2 is a go!] Hack my site {Server back up} on: August 19, 2011, 10:52:07 PM
1) login.php is transmitting the password over regular HTTP.

2) I'm still able to insert Javascript/Perl/PHP/SQL into your database

And you should be able to watch some of the things I'm doing right now... I'm giving your forms a workout.  Grin
9  Bitcoin / Project Development / Re: [Hack-A-Thon: Round 2 is a go!] Hack my site {Server back up} on: August 19, 2011, 10:05:01 PM
On it. Trying a few other angles this go around...  Wink
10  Bitcoin / Bitcoin Discussion / Re: Live mobile bitcoin conference stream. on: August 19, 2011, 05:36:18 PM
+1 for those of us who can't make it.
11  Bitcoin / Bitcoin Technical Support / Re: PHP RPC API: How to get the returned txid? on: August 18, 2011, 10:46:21 PM
Wow.

Just Wow.
12  Bitcoin / Project Development / Re: [Hack-A-Thon: In-Progress] Hack my site (Server Back up) on: August 18, 2011, 10:30:38 PM
SQL injection in qty parameter of cart.php?

If you send a single quote (') for the qty parameter,

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00'

you get a mysql database error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1' at line 4

If you use two single quotes instead:

Code:
POST /cart.php?act=add&productId= HTTP/1.1
***SNIP HEADERS ***

qty=1%00''

you don't get the error:

Code:
HTTP/1.1 302 Found
Date: Thu, 18 Aug 2011 04:21:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Location: /login.php?
Vary: Accept-Encoding
Content-Length: 13
Connection: close
Content-Type: text/html


So it looks like the site tries to block SQL injection, but you just URL-encode a NULL (%00) before the quote or whatever's getting blocked, and you've gotten around the filter.

So is this some kind of php extension that's checking for sql injection characters like the single quote?

Did you develop the shopping cart in-house, or is it "third-party" software?

Can you show us the code?

While it doesn't fix or prevent the underlying sql injection issue in the php code, I would have your developer add some more "friendly" and generic error handling so these mysql errors don't get sent back to the user.

I'm sure by the time I finish typing this someone will show you how to actually exploit the sql injection vulnerability.

From what I can tell you, I've basically just mysql_real_escape_string()'d everything before getting sent to functions, as well as the functions themselves mysql_real_escape_string().

Use PHP exceptions to check form input and handle any errors (i.e. try/catch).  You can even extend the exception class to your liking.  I am willing to help you with this if need be.
13  Bitcoin / Project Development / Re: [Hack-A-Thon: End of round 1] Hack my site (Changing servers) on: August 18, 2011, 09:37:15 PM
Take a look at some of the email addresses that were submitted.  I was able to submit, and it accepted, full PHP statements.  Which means I can implant code snippets in the database for later use.

I.e. you do a JOIN with first name and last name to display on the page.  You will begin assembling code snippets for me. Smiley

You need conditionals to test for exactly the type of data that will be submitted in each form field and, most importantly, escape anything and everything being submitted to you in forms.  And lastly, escape everything.
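Added example covering the two posts above (the cart.php qty injection and the stored input that later gets joined into a page). This is not the site's PHP/MySQL code; it is written in Python against an in-memory SQLite table so it runs offline, and the table, product IDs and user rows are all constructed here. The same shape in PHP is PDO prepared statements on the way in and htmlspecialchars() on the way out.

```python
"""Input validation by type, parameterised queries, and output escaping.

Added example, not the thread's code. Uses sqlite3 in memory; the schema and
all rows are constructed for the demonstration.
"""
import html
import re
import sqlite3

POSITIVE_INT = re.compile(r"[1-9][0-9]*")  # exactly what a qty field may hold


def fresh_db() -> sqlite3.Connection:
    """Constructed schema standing in for the shop's cart and user tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cart (product_id TEXT, qty INTEGER)")
    con.execute("CREATE TABLE users (email TEXT, first_name TEXT, last_name TEXT)")
    return con


def add_to_cart_vulnerable(con: sqlite3.Connection, product_id: str, qty: str) -> bool:
    """The string-built query the thread describes. Deliberately vulnerable.

    Returns False when the database rejects the statement, which is the
    'You have an error in your SQL syntax' case. A value that merely keeps
    the syntax valid (qty=1'') goes through, so 'no error' proves nothing.
    """
    sql = f"INSERT INTO cart (product_id, qty) VALUES ('{product_id}', '{qty}')"
    try:
        con.execute(sql)
        return True
    except sqlite3.OperationalError:
        return False


def add_to_cart_safe(con: sqlite3.Connection, product_id: str, qty: str) -> bool:
    """Check the field against the type it must hold, then bind parameters.

    Filtering quote characters is not the fix: the driver binds the value so
    it can never alter the statement's structure, whatever bytes it contains.
    """
    if not POSITIVE_INT.fullmatch(qty):
        return False  # rejects 1', 1'', 1\x00', -1, '' before any SQL runs
    con.execute("INSERT INTO cart (product_id, qty) VALUES (?, ?)",
                (product_id, int(qty)))
    return True


def register_user(con: sqlite3.Connection, email: str, first: str, last: str) -> None:
    """Free-text fields are stored verbatim as inert data via parameters.

    A name like '<?php system($_GET["c"]); ?>' is just text in the column;
    it only becomes code if some later step evaluates or includes it.
    """
    con.execute("INSERT INTO users VALUES (?, ?, ?)", (email, first, last))


def render_full_name(con: sqlite3.Connection, email: str) -> str:
    """Escape for the context the value is used in (HTML here), at output time."""
    row = con.execute(
        "SELECT first_name, last_name FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return ""
    return html.escape(f"{row[0]} {row[1]}")


def cart_rows(con: sqlite3.Connection) -> list:
    """Current cart contents, for inspection."""
    return con.execute("SELECT product_id, qty FROM cart ORDER BY rowid").fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, qty=1'  ->", add_to_cart_vulnerable(db, "p1", "1'"))
    print("vulnerable, qty=1'' ->", add_to_cart_vulnerable(db, "p1", "1''"))
    print("safe, qty=1''       ->", add_to_cart_safe(db, "p1", "1''"))
    print("safe, qty=3         ->", add_to_cart_safe(db, "p1", "3"))
    register_user(db, "a@example.com", "<script>alert(1)</script>", "<?php echo 1; ?>")
    print(render_full_name(db, "a@example.com"))
```

Escaping on input, as the last post suggests, is the wrong place for it: escaping is context-specific (SQL, HTML, shell), so the value should be stored as-is through a bound parameter and escaped for whichever context it is emitted into. Generic error pages, as the earlier post recommends, hide the MySQL messages from the user but leave the injection itself in place.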
14  Economy / Services / Re: Php Help + InstantWallet API help - 1-3 BTC on: August 18, 2011, 02:41:48 PM
PM sent.
15  Alternate cryptocurrencies / Altcoin Discussion / Re: Bitcoin 2.0, not l0coin on: August 18, 2011, 11:28:13 AM
I'm not having the same problems with the client in server mode.  Mine has been running for 38 hours with no hiccups and mined 248 blocks.
16  Alternate cryptocurrencies / Altcoin Discussion / Re: I0coin - HOW MANY BLOCKS U GOT? on: August 17, 2011, 05:40:48 PM
The coins go to my wallet, I just give them an IOU Smiley.  I've just been nice enough to honor those IOUs.

Best stay that way too...  Grin
17  Alternate cryptocurrencies / Altcoin Discussion / Re: New Ixcoin fork -> I0coin on: August 16, 2011, 08:14:35 PM
I still can't connect.
Tried both io.btcguild.com and i0.btcguild.com

btcguild needs to compile the updated software and load it before they can start. So it's probably not going to work for at least a good half an hour depending on how fast the compiling server is and how long it takes to compile the bitcoin code.



It's like 30 seconds.

If you have all the dependencies compiled and your machine is damn fast, OK.
If you start from scratch, it would take hours.

Hours??  What compiler are you using?

So if i0Guild had the test server up and running (which they did), wouldn't the dependencies already be taken care of?  I think they traded in their Commodore 64 a couple months back when BTC surged to $30  Grin
18  Alternate cryptocurrencies / Altcoin Discussion / Re: New Ixcoin fork -> I0coin on: August 16, 2011, 08:08:59 PM

They'd also need to read through the code before compiling. Could be anything in there. Maybe something targeting their bitcoins.

That's what diff is for...
19  Alternate cryptocurrencies / Altcoin Discussion / Re: New Ixcoin fork -> I0coin on: August 16, 2011, 08:02:22 PM
LOL
20  Alternate cryptocurrencies / Altcoin Discussion / Re: New Ixcoin fork -> I0coin on: August 16, 2011, 07:41:18 PM
[2011-08-16 21:35:35] Pool 0 http://i0.btcguild.com:8332 not responding!
[2011-08-16 21:35:35] Pool 0 http://i0.btcguild.com:8332 not responding!
[2011-08-16 21:36:35] Pool 0 http://i0.btcguild.com:8332 not responding!
[2011-08-16 21:36:35] Pool 0 http://i0.btcguild.com:8332 not responding!
[2011-08-16 21:37:35] Pool 0 http://i0.btcguild.com:8332 not responding!
[2011-08-16 21:37:35] Pool 0 http://i0.btcguild.com:8332 not responding!

This will be twofold: I0Coin must be up and the I0Guild must have the new miner installed for this to prove anything.