sbankerdemon
Full Member
Offline
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
April 05, 2015, 06:23:42 PM

In http://www.100bit.co.in/settings.php the name textbox is also vulnerable to XSS. If you enter sbank"><script>alert(12);</script> you will be able to see the prompt.

100bitcoin (OP)
April 05, 2015, 07:57:08 PM

The XSS attack & SQL injection problems on all pages are already known, and those bounties will go mainly to MagicSnow & partly to seoincorporation. Requesting everyone to find some other bug.

PotatoPie
Member
Offline
Activity: 97
Merit: 10
April 05, 2015, 09:30:10 PM

1. The captcha could easily be detected by using OCR (Tesseract), so that's completely useless.
2. http://www.100bit.co.in/authenticate.php?user_id=" (SQLi)
3. No CSRF protection anywhere.
4. Vulnerable to clickjacking.
5. Modifying currency / country in settings so that the value = a string that breaks SQLi: http://gyazo.com/70267440848463cbe9cf22e38fdc08cd (not sanitized), so another SQLi here. Shows this SQLi on the trade page.
6. "Name" on the settings page is vulnerable to XSS.
7. Shouldn't allow negative currencies: http://gyazo.com/509791dd4e4fc300272d26e936cbcb12 . Massive issues could arise later on.
8. Payment mode on the orders page is vulnerable to persistent XSS.
9. By the looks of it, you can delete others' buy orders: http://www.100bit.co.in/order.php?mode=del&type=Buy&order_id=[orderid]
10. Persistent XSS in the orders page by editing the currency or country POST fields.
11. SQLi in the trade page in the POST vars order and field. Escaping a string is not sufficient here as you're allowing the person to choose the MySQL column. NEVER ALLOW THE CLIENT ACCESS TO ANYTHING THAT NEEDS TO BE DONE SERVER SIDE.
12. About Me in settings allows HTML, which leads to XSS and other things such as good old iframing -> clickjacking on your site.
13. You can see everyone else's ticket IDs (http://www.100bit.co.in/reply.php?ticket_id=[ticketid]) and reply to them.
14. XSS on the reply field of the ticket system.
15. The verify email token is an encrypted text that you obviously try to decrypt (I can see it in the SQLi in authenticate.php). Don't have any tokens that contain informative values in them.

I think I'll finish up there; I could probably continue and find even more. The site is heavily vulnerable and I would highly suggest allowing legitimate trading on it until all issues are fixed. I'd also suggest you use a PHP framework such as Laravel as you're not quite proficient in security with basic PHP.

Regards, PotatoPie.

BTC Address: 13mUzcjYysbgNWstbasJ3PVkPB2nCUEqFg

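The list above names the server-side mistakes; as an added example (not code from 100bit.co.in or from PotatoPie's post), here is what the corresponding handlers look like once fixed in PHP. The orders table, its columns and the sample rows are assumptions constructed for the demonstration; everything else is standard PHP (PDO, random_bytes, hash_equals, htmlspecialchars) and runs from the command line with the pdo_sqlite extension present.

```php
<?php
// Added example, not code from 100bit.co.in or from any poster in this thread.
// It shows server-side fixes for points 3, 4, 9, 11 and 13 of the list above,
// plus output escaping for the XSS points. The `orders` table and its columns
// (id, user_id, type, price, created_at) are assumptions made for the
// demonstration; the sample rows are constructed. Requires PHP 7+ and pdo_sqlite.

declare(strict_types=1);

// Point 4: refuse to be framed (clickjacking). No-op on the CLI, effective on a web SAPI.
header('X-Frame-Options: DENY');

// Point 3: one CSRF token per session, generated once and compared in constant time.
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrfValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf']) && is_string($submitted)
        && hash_equals($session['csrf'], $submitted);
}

// Point 11: the client may pick a sort key, but only from a fixed allow-list.
// The identifier that reaches the SQL string is ours, never the raw POST value.
const ORDER_COLUMNS    = ['price' => 'price', 'created' => 'created_at'];
const ORDER_DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

function buildOrderBy(string $field, string $order): string
{
    $column    = ORDER_COLUMNS[$field] ?? 'created_at';          // unknown key -> default
    $direction = ORDER_DIRECTIONS[strtolower($order)] ?? 'DESC';
    return "ORDER BY `$column` $direction";
}

function listOrders(PDO $db, string $type, string $field, string $order): array
{
    // Data values go through bound parameters; identifiers come from the allow-list.
    $sql  = 'SELECT id, user_id, type, price FROM orders WHERE type = :type '
          . buildOrderBy($field, $order);
    $stmt = $db->prepare($sql);
    $stmt->execute([':type' => $type]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Points 9 and 13: object access is scoped to the authenticated user. An
// order_id (or ticket_id) taken from the URL is never treated as proof of ownership.
function deleteOwnOrder(PDO $db, int $currentUserId, int $orderId): bool
{
    $stmt = $db->prepare('DELETE FROM orders WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $orderId, ':uid' => $currentUserId]);
    return $stmt->rowCount() === 1;      // false when the row belongs to someone else
}

// Points 6, 8, 10, 12, 14: user-controlled strings are escaped at output time.
// Storing them unchanged is fine; rendering them unescaped is the bug.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demonstration on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, type TEXT, price REAL, created_at TEXT)');
$db->exec("INSERT INTO orders VALUES (1, 10, 'Buy', 250.0, '2015-04-05 18:00'),
                                     (2, 11, 'Buy', 240.0, '2015-04-05 19:00')");

$session = [];
$token   = csrfToken($session);
var_dump(csrfValid($session, $token));      // genuine form post
var_dump(csrfValid($session, 'forged'));    // request without the session's token

// A hostile sort key is ignored and the default column is used instead.
echo buildOrderBy('price; DROP TABLE orders', 'asc'), PHP_EOL;
print_r(listOrders($db, 'Buy', 'price', 'asc'));

// User 10 cannot delete user 11's order; user 11 can.
var_dump(deleteOwnOrder($db, 10, 2));
var_dump(deleteOwnOrder($db, 11, 2));

// The payload reported earlier in the thread renders as inert text.
echo h('sbank"><script>alert(12);</script>'), PHP_EOL;
```

The design choice worth noting is in buildOrderBy: escaping cannot protect an identifier position, so the client value is used only as a lookup key into a map the server owns, and anything not in the map falls back to a default rather than being interpolated.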
Roberson
Newbie
Offline
Activity: 42
Merit: 0
April 05, 2015, 09:59:31 PM

Earlier you said you will give me a small bounty, now saying nothing, isn't good for a site owner, well have a good day!

100bitcoin (OP)
April 05, 2015, 10:12:17 PM

> (quoting PotatoPie's list of 15 issues, posted above)

Thanks for the list. Most of your points are related to XSS or SQLi attacks, which are already known and will be fixed soon. Once those are fixed, I'll PM you to check if you can still find problems, and if you do, you'll definitely be awarded a bounty for that.

100bitcoin (OP)
April 05, 2015, 10:13:39 PM

> Earlier you said you will give me a small bounty, now saying nothing, isn't good for a site owner, well have a good day!

You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?

seoincorporation
Legendary
Offline
Activity: 3346
Merit: 3125
April 05, 2015, 10:46:54 PM

> > Earlier you said you will give me a small bounty, now saying nothing, isn't good for a site owner, well have a good day!
> You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?

And when will you pay the bounty? More than 1 day waiting now...

BitcoinExchangeIndia.com
April 05, 2015, 10:53:04 PM

> > > Earlier you said you will give me a small bounty, now saying nothing, isn't good for a site owner, well have a good day!
> > You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?
> And when will you pay the bounty? More than 1 day waiting now...

I think OP already stated it before... No need to worry about payment. As already stated to some of you in PM, the main problems of XSS & SQL injection are not yet solved. Payment will be sent to everyone together after fixing those issues. It is good if you can find more bugs in the meantime.

RealPhotoshoper
Legendary
Offline
Activity: 1050
Merit: 1001
April 05, 2015, 11:02:11 PM

> > Earlier you said you will give me a small bounty, now saying nothing, isn't good for a site owner, well have a good day!
> You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?

In the title and the first post you didn't say bugs related to XSS or SQLi; it means any bugs. But now you say "The bug you found is not related to XSS or SQLi", so is my report qualified for the bounty? Thanks

sbankerdemon
Full Member
Offline
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
April 05, 2015, 11:17:19 PM

> > > Earlier you said you will give me a small bounty, now saying nothing, isn't good for a site owner, well have a good day!
> > You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?
> In the title and the first post you didn't say bugs related to XSS or SQLi; it means any bugs. But now you say "The bug you found is not related to XSS or SQLi", so is my report qualified for the bounty? Thanks

100bitcoin (OP)
April 05, 2015, 11:35:52 PM

> > > Earlier you said you will give me a small bounty, now saying nothing, isn't good for a site owner, well have a good day!
> > You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?
> In the title and the first post you didn't say bugs related to XSS or SQLi; it means any bugs. But now you say "The bug you found is not related to XSS or SQLi", so is my report qualified for the bounty? Thanks

XSS & SQLi bugs were first pointed out by MagicSnow & seoincorporation. So they are the 2 who will get the bounty for those. What is the point of paying for a bug which is already known? Those who are finding other bugs will also be awarded a bounty. That is why I am pointing to the order execution page, on which no one has found a bug so far. Please note that the same XSS & SQLi bugs already exist in that page too. So no bounty for finding that known glitch.

PotatoPie
Member
Offline
Activity: 97
Merit: 10
April 06, 2015, 12:18:46 AM

> > > > Earlier you said you will give me a small bounty, now saying nothing, isn't good for a site owner, well have a good day!
> > > You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?
> > In the title and the first post you didn't say bugs related to XSS or SQLi; it means any bugs. But now you say "The bug you found is not related to XSS or SQLi", so is my report qualified for the bounty? Thanks
> XSS & SQLi bugs were first pointed out by MagicSnow & seoincorporation. So they are the 2 who will get the bounty for those. What is the point of paying for a bug which is already known? Those who are finding other bugs will also be awarded a bounty. That is why I am pointing to the order execution page, on which no one has found a bug so far. Please note that the same XSS & SQLi bugs already exist in that page too. So no bounty for finding that known glitch.

If you read over my list, you'd see a few.

BTC Address: 13mUzcjYysbgNWstbasJ3PVkPB2nCUEqFg

seoincorporation
Legendary
Offline
Activity: 3346
Merit: 3125
April 06, 2015, 12:35:34 AM

> > > > Earlier you said you will give me a small bounty, now saying nothing, isn't good for a site owner, well have a good day!
> > > You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?
> > In the title and the first post you didn't say bugs related to XSS or SQLi; it means any bugs. But now you say "The bug you found is not related to XSS or SQLi", so is my report qualified for the bounty? Thanks
> XSS & SQLi bugs were first pointed out by MagicSnow & seoincorporation. So they are the 2 who will get the bounty for those. What is the point of paying for a bug which is already known? Those who are finding other bugs will also be awarded a bounty. That is why I am pointing to the order execution page, on which no one has found a bug so far. Please note that the same XSS & SQLi bugs already exist in that page too. So no bounty for finding that known glitch.

But when will we get it? What are we waiting for?

100bitcoin (OP)
April 06, 2015, 05:32:41 PM

> > > > > Earlier you said you will give me a small bounty, now saying nothing, isn't good for a site owner, well have a good day!
> > > > You will definitely receive the small bounty we promised you. The bug you found is not related to XSS or SQLi. So, why should we drop you from the list?
> > > In the title and the first post you didn't say bugs related to XSS or SQLi; it means any bugs. But now you say "The bug you found is not related to XSS or SQLi", so is my report qualified for the bounty? Thanks
> > XSS & SQLi bugs were first pointed out by MagicSnow & seoincorporation. So they are the 2 who will get the bounty for those. What is the point of paying for a bug which is already known? Those who are finding other bugs will also be awarded a bounty. That is why I am pointing to the order execution page, on which no one has found a bug so far. Please note that the same XSS & SQLi bugs already exist in that page too. So no bounty for finding that known glitch.
> But when will we get it? What are we waiting for?

Payment will be sent to everyone together after fixing those issues. At this moment some of the issues are solved and we are PMing those who raised them. After resolution of the raised bugs everyone will be paid together.

100bitcoin (OP)
April 09, 2015, 03:29:41 PM (Last edit: April 09, 2015, 08:51:14 PM by 100bitcoin)

As promised, here is the list of bug bounty winners...

MagicSnow (https://bitcointalk.org/index.php?action=profile;u=239728) => 1EvbdVpBHZbyT9AVY4xBASTisoWpGH5B1J = 0.1
Bugs Found: XSS, SQLi, Unauthenticated ticket access, Unauthenticated order deletion.

seoincorporation (https://bitcointalk.org/index.php?action=profile;u=334783) => 1BtcBoSSnqe8mFJCUEyCNmo3EcF8Yzhpnc = 0.05
Bugs Found: Automated ticket creation, Independently found XSS attack though MagicSnow PMed it before.

franckuestein (https://bitcointalk.org/index.php?action=profile;u=225121) => 0.01
Bugs Found: Spelling mistake

Roberson (https://bitcointalk.org/index.php?action=profile;u=490361) => 1CBUepodCZvoQnPYLM4oNPf6U3hQAZDBuw = 0.03
Bugs Found: Found 404 error led by broken link

RealPhotoshoper (https://bitcointalk.org/index.php?action=profile;u=497745) => ? = 0.03
Bugs Found: Blank registration page after wrong input and a good suggestion for email

At this moment we are waiting for the address of RealPhotoshoper before sending the payments. We have sent him a PM. Also PotatoPie was contacted about some bugs, but we never heard from him.

Coinbuddy
April 09, 2015, 05:55:39 PM

It says "Please provide an eight character alphanumeric password", but I can set the password as "abcdefig".
Another thing: I just need to put in the captcha when submitting a ticket. It does not say that you must write a subject and description. So people can spam the system by using a bot!

RealPhotoshoper
Legendary
Offline
Activity: 1050
Merit: 1001
April 09, 2015, 08:04:25 PM

Received my payment, thanks! Good luck for your business!

sbankerdemon
Full Member
Offline
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
April 09, 2015, 09:47:27 PM

Your captcha is too weak and is almost useless for preventing brute-force attacks and attacks like creating lots of tickets, as mentioned above. I would advise using a strong captcha. It can be easily decoded with any OCR, for example https://code.google.com/p/tesseract-ocr/downloads/list : use tesseract-ocr-setup-3.02.02.exe; after installing this just run the command tesseract captcha.png decoded.txt -l eng. Example: It will be accurate 95% of the time. It is possible for an attacker to code some automated tool to launch brute-force attacks, create 1000's of new users, create lots of support tickets etc. Thanks

sbankerdemon
Full Member
Offline
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
April 09, 2015, 10:01:15 PM

Also there is a full path disclosure vulnerability in captcha.php. If you save the captcha image from this page and view it in a hex editor, you can see the complete server path to the file.

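The post above describes a response that is supposed to be a bare image but carries text revealing the server's file layout. As an added check (not code from the site or from sbankerdemon's post), the PHP below inspects such a response for that failure mode and shows the configuration that prevents it. The sample responses, including the paths inside them, are constructed placeholders.

```php
<?php
// Added example, not code from 100bit.co.in or from any poster in this thread.
// It checks a captcha endpoint's response for the failure mode described above:
// a PNG that does not start at byte 0, or that carries path-like text (for
// instance a PHP notice naming the script's absolute path). The sample
// responses and the paths in them are constructed placeholders.

declare(strict_types=1);

const PNG_SIGNATURE = "\x89PNG\r\n\x1a\n";

// Returns a list of findings; an empty array means a clean image starting at byte 0.
function imagePathLeaks(string $response): array
{
    $pos = strpos($response, PNG_SIGNATURE);
    if ($pos === false) {
        return ['no PNG signature found; response is not an image'];
    }
    $findings = [];

    // Path shapes for Unix (/var/..., /home/..., ...) and Windows (C:\...) hosts.
    // Scanning the whole response also catches text inside the container
    // (e.g. a tEXt chunk) or bytes appended after IEND.
    $pattern = '~(?:/(?:var|home|usr|srv|opt)/[\w./-]+|[A-Za-z]:\\\\[\w\\\\.-]+)~';
    if (preg_match_all($pattern, $response, $m)) {
        $findings = array_values(array_unique($m[0]));
    }

    // Anything before the signature is not image data; report it even when it
    // contains no recognisable path, because it should never be there at all.
    $preamble = substr($response, 0, $pos);
    if ($preamble !== '' && $findings === []) {
        $findings[] = 'non-image bytes before PNG signature: ' . bin2hex($preamble);
    }
    return $findings;
}

// Server-side posture that prevents the leak at the source: errors go to the
// log, never into the response body of an image (or any other) endpoint.
function hardenErrorOutput(): void
{
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
}

hardenErrorOutput();

// Constructed samples: a minimal PNG header with no text chunks, and the same
// bytes preceded by a notice-style HTML fragment naming a placeholder path.
$clean   = PNG_SIGNATURE . "\0\0\0\rIHDR";
$leaking = "<br />\n<b>Notice</b>: Undefined variable in <b>/var/www/html/captcha.php</b>\n" . $clean;

print_r(imagePathLeaks($clean));
print_r(imagePathLeaks($leaking));
```

Run against the live endpoint, the same function would take the raw HTTP body; the point of checking for the signature at offset 0 rather than only for path strings is that any stray byte before the image, not just a path, indicates error output is reaching clients.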
Jimmy Wales
Member
Offline
Activity: 144
Merit: 17
April 09, 2015, 10:10:07 PM

> Your captcha is too weak and is almost useless for preventing brute-force attacks and attacks like creating lots of tickets, as mentioned above. I would advise using a strong captcha. It can be easily decoded with any OCR, for example https://code.google.com/p/tesseract-ocr/downloads/list : use tesseract-ocr-setup-3.02.02.exe; after installing this just run the command tesseract captcha.png decoded.txt -l eng. Example: It will be accurate 95% of the time. It is possible for an attacker to code some automated tool to launch brute-force attacks, create 1000's of new users, create lots of support tickets etc. Thanks

How will the attacker create 1000's of new users? It seems email authentication is required to create each user.