sbankerdemon
Full Member
Offline
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
April 09, 2015, 10:16:46 PM
> > your captcha is too weak and is almost useless to prevent bruteforce attacks and attacks like creating lots of tickets as mentioned above. I would advise to use a strong captcha. It can be easily decoded with any OCR, for example https://code.google.com/p/tesseract-ocr/downloads/list (use tesseract-ocr-setup-3.02.02.exe). After installing this just run the command:
> >
> > tesseract captcha.png decoded.txt -l eng
> >
> > Example:
> >
> > It will be accurate 95% of the time. It is possible for an attacker to code some automated tool to launch bruteforce attacks, create 1000's of new users, create lots of support tickets etc. Thanks.
>
> How will the attacker create 1000's of new users? It seems email authentication is required to create each user.

Yeah, he can't forget about email authentication. But still this captcha beats the purpose of using a captcha.

Jimmy Wales
Member
Offline
Activity: 143
Merit: 17
April 09, 2015, 10:24:20 PM
> Yeah, he can't forget about email authentication. But still this captcha beats the purpose of using a captcha.

Is there some SQL injection possible at the email authentication link? It seems another user was talking about it, or is that fixed now?

sbankerdemon
Full Member
Offline
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
April 09, 2015, 10:28:06 PM
> > Yeah, he can't forget about email authentication. But still this captcha beats the purpose of using a captcha.
>
> Is there some SQL injection possible at the email authentication link? It seems another user was talking about it, or is that fixed now?

I am not aware whether it was there before or not, but it seems to be fixed now.

PotatoPie
Member
Offline
Activity: 97
Merit: 10
April 10, 2015, 03:58:51 AM (last edit: April 10, 2015, 08:23:57 AM by PotatoPie)
> > > your captcha is too weak and is almost useless to prevent bruteforce attacks and attacks like creating lots of tickets as mentioned above. I would advise to use a strong captcha. It can be easily decoded with any OCR, for example https://code.google.com/p/tesseract-ocr/downloads/list (use tesseract-ocr-setup-3.02.02.exe). After installing this just run the command:
> > >
> > > tesseract captcha.png decoded.txt -l eng
> > >
> > > Example:
> > >
> > > It will be accurate 95% of the time. It is possible for an attacker to code some automated tool to launch bruteforce attacks, create 1000's of new users, create lots of support tickets etc. Thanks.
> >
> > How will the attacker create 1000's of new users? It seems email authentication is required to create each user.
>
> Yeah, he can't forget about email authentication. But still this captcha beats the purpose of using a captcha.

I already mentioned using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users.

In addition to this, there are more vulnerabilities that have been unpatched.

1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable.
2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable.
3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless of whether you own it or not. This also has no CSRF or captcha protection on it.
4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other people's interests as well.

I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found even though they were totally unique to the previous finds, I'm not going to waste any more time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it.
BTC Address: 13mUzcjYysbgNWstbasJ3PVkPB2nCUEqFg
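Items 1 to 4 in the post above come down to two defects: SQL text built from request parameters, and state changes that never check who owns the record. The following is an added example, not the site's code nor any poster's, of how a ticket status handler can bind its parameters, enforce ownership in the same statement, and require a per-session anti-CSRF token; the table and column names are assumptions.

```python
import hmac
import sqlite3

def make_db():
    """Constructed in-memory ticket table (hypothetical columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY,"
                 " owner_id INTEGER, status INTEGER)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)",
                     [(1, 100, 1), (2, 200, 1)])
    conn.commit()
    return conn

def ticket_status(conn, ticket_id):
    row = conn.execute("SELECT status FROM tickets WHERE id = ?", (ticket_id,)).fetchone()
    return None if row is None else row[0]

def change_ticket_status(conn, session_user_id, ticket_id, status,
                         session_csrf_token, submitted_csrf_token):
    """Open or close a ticket only if the request carries the session's
    anti-CSRF token and the session user owns the ticket.
    Returns True when exactly one ticket row was updated."""
    # Constant-time check of the per-session token sent with the request.
    if not hmac.compare_digest(session_csrf_token, submitted_csrf_token):
        return False
    # Query-string values arrive as text: coerce and whitelist, never trust.
    try:
        ticket_id, status = int(ticket_id), int(status)
    except (TypeError, ValueError):
        return False
    if status not in (0, 1):
        return False
    # Parameterised UPDATE: values are bound, never spliced into the SQL,
    # and the owner_id predicate enforces ownership in the same statement.
    cur = conn.execute(
        "UPDATE tickets SET status = ? WHERE id = ? AND owner_id = ?",
        (status, ticket_id, session_user_id))
    conn.commit()
    return cur.rowcount == 1

def demo():
    """Owner, other user, injected id and bad token, then ticket 1's state."""
    conn, tok = make_db(), "constructed-session-token"
    owner = change_ticket_status(conn, 100, "1", "0", tok, tok)
    other = change_ticket_status(conn, 200, "1", "1", tok, tok)
    injected = change_ticket_status(conn, 100, "1 OR 1=1", "1", tok, tok)
    bad_token = change_ticket_status(conn, 100, "1", "1", tok, "wrong")
    return owner, other, injected, bad_token, ticket_status(conn, 1)
```

The same binding applies to the country and trade POST fields on trade.php: a bound value is compared as data, so a string such as "1 OR 1=1" simply fails to match.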

Coinbuddy
April 10, 2015, 01:24:14 PM
It says "Please provide an eight character alphanumeric password", but I can set the password as "abcdefig".

Another thing: I just need to enter the captcha when submitting a ticket. It does not say that you must write a subject and description, so people can spam the system using a bot!

@100bitcoin I think you missed this.

seoincorporation
Legendary
Offline
Activity: 3318
Merit: 3097
April 10, 2015, 02:54:31 PM
I got the 0.05 payment, thanks to user 100Bitcoin.

100bitcoin (OP)
April 10, 2015, 04:29:19 PM
> It says "Please provide an eight character alphanumeric password", but I can set the password as "abcdefig".

Requesting users to provide an alphanumeric password is a suggestion for a strong password. But if someone provides a weak one, it is their choice and we allow it.

> Another thing: I just need to enter the captcha when submitting a ticket. It does not say that you must write a subject and description, so people can spam the system using a bot!

Unless the CAPTCHA is broken, one cannot spam the system using a bot instead of allowing blank posts in the subject/description.

Jimmy Wales
Member
Offline
Activity: 143
Merit: 17
April 10, 2015, 04:36:58 PM
> Also there is a full path disclosure vulnerability in captcha.php. If you save the captcha image from this page and view it in a hex editor you can see the complete server path to the file.

Is it a bug? How does it affect the service? What harm can an attacker do by knowing the full path of captcha.php?

andulolika
Legendary
Offline
Activity: 2324
Merit: 1047
April 10, 2015, 05:17:51 PM
Hey, if you ever think about translating the webpage, I can do Spanish and Romanian, English and between themselves. Thanks.

sbankerdemon
Full Member
Offline
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
April 10, 2015, 09:31:40 PM
> > > > your captcha is too weak and is almost useless to prevent bruteforce attacks and attacks like creating lots of tickets as mentioned above. I would advise to use a strong captcha. It can be easily decoded with any OCR, for example https://code.google.com/p/tesseract-ocr/downloads/list (use tesseract-ocr-setup-3.02.02.exe). After installing this just run the command:
> > > >
> > > > tesseract captcha.png decoded.txt -l eng
> > > >
> > > > Example:
> > > >
> > > > It will be accurate 95% of the time. It is possible for an attacker to code some automated tool to launch bruteforce attacks, create 1000's of new users, create lots of support tickets etc. Thanks.
> > >
> > > How will the attacker create 1000's of new users? It seems email authentication is required to create each user.
> >
> > Yeah, he can't forget about email authentication. But still this captcha beats the purpose of using a captcha.
>
> I already mentioned using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users.
>
> In addition to this, there are more vulnerabilities that have been unpatched.
>
> 1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable.
> 2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable.
> 3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless of whether you own it or not. This also has no CSRF or captcha protection on it.
> 4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other people's interests as well.
>
> I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found even though they were totally unique to the previous finds, I'm not going to waste any more time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it.

If you reported it before me then you should get the bounty.

100bitcoin (OP)
April 14, 2015, 12:34:40 AM
> > > > > your captcha is too weak and is almost useless to prevent bruteforce attacks and attacks like creating lots of tickets as mentioned above. I would advise to use a strong captcha. It can be easily decoded with any OCR, for example https://code.google.com/p/tesseract-ocr/downloads/list (use tesseract-ocr-setup-3.02.02.exe). After installing this just run the command:
> > > > >
> > > > > tesseract captcha.png decoded.txt -l eng
> > > > >
> > > > > Example:
> > > > >
> > > > > It will be accurate 95% of the time. It is possible for an attacker to code some automated tool to launch bruteforce attacks, create 1000's of new users, create lots of support tickets etc. Thanks.
> > > >
> > > > How will the attacker create 1000's of new users? It seems email authentication is required to create each user.
> > >
> > > Yeah, he can't forget about email authentication. But still this captcha beats the purpose of using a captcha.
> >
> > I already mentioned using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users.
> >
> > In addition to this, there are more vulnerabilities that have been unpatched.
> >
> > 1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable.
> > 2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable.
> > 3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless of whether you own it or not. This also has no CSRF or captcha protection on it.
> > 4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other people's interests as well.
> >
> > I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found even though they were totally unique to the previous finds, I'm not going to waste any more time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it.
>
> If you reported it before me then you should get the bounty.

Can you please check whether the bugs you mentioned still exist in the system or are fixed now? Please do let us know if you can find any other bug. Please PM us with an example. Also, please provide your bitcoin address...

btc_enigma
April 14, 2015, 08:11:37 AM
Registration is not working. When I clicked on the activation email it redirected to the register page and did nothing.

Jimmy Wales
Member
Offline
Activity: 143
Merit: 17
April 14, 2015, 03:39:13 PM
> Registration is not working. When I clicked on the activation email it redirected to the register page and did nothing.

It seems the registration page clearly states the following... "Warning! We are working on the system. New registration is disabled for now."

100bitcoin (OP)
April 14, 2015, 05:31:17 PM
> > Registration is not working. When I clicked on the activation email it redirected to the register page and did nothing.
>
> It seems the registration page clearly states the following... "Warning! We are working on the system. New registration is disabled for now."

We have enabled new registration again...

Mehek
April 15, 2015, 01:01:37 AM
Hey, I have got a bug. I cannot view the captcha verification on my Opera Mini browser, but when I opened it with the UC browser I was able to view it. Please fix this.

Jimmy Wales
Member
Offline
Activity: 143
Merit: 17
April 15, 2015, 09:39:47 AM
> Hey, I have got a bug. I cannot view the captcha verification on my Opera Mini browser, but when I opened it with the UC browser I was able to view it. Please fix this.

I don't think they can do much about it. Google NoCaptcha ReCaptcha does not work on partial-JavaScript browsers like Opera Mini or old IE browsers. That should not be counted as a bug. As such, Google NoCaptcha ReCaptcha is a very safe and reliable one.

Johny Depp
Full Member
Offline
Activity: 211
Merit: 125
busting the bastards
April 15, 2015, 03:51:40 PM
Could not find any more bugs. When do you plan to remove the warning from the registration page?
Exposing frauds since 2014

mrhelpful
Legendary
Offline
Activity: 1456
Merit: 1002
April 15, 2015, 04:13:06 PM
At this point, I don't think there are any bugs to find.
I could be wrong, but the very basic ones that were obvious are long gone for some free BTC lol. So anyone hoping to get it that way, you're out of luck; it's more for the in-depth coder to see if it's vulnerable or not.

googleindo
April 20, 2015, 12:00:20 AM
What is this? http://www.100bit.co.in/admin , let me know if this is helpful. Also, maybe on the 404 error page you should add text like "the page is not found" or something else.