Bitcoin Forum
Author Topic: BitShop - cryptocurrency shopping cart script [PHP/MYSQL] (v1.1.2)  (Read 74729 times)
bitfreak! (OP)
Legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
August 19, 2015, 01:14:26 PM
Last edit: August 23, 2015, 05:37:58 AM by bitfreak!
#621

I was recently made aware of a CSRF exploit in BitShop which could cause damage if the attack is successful. To prevent it from happening make sure you log out of the admin area when you're finished and be careful not to click any shady links while you're logged in as admin.

Technical details:

The way the exploit works is that the attacker will somehow convince the admin to click a link while they are logged in as admin. The link will take the admin to a page on the attacker's website. The page will contain some JavaScript which will submit a hidden form and POST data to the BitShop script. Even though the POST request is coming from a different domain, the admin session will still be resumed, because the request came from the web browser of the admin when they visited the attack page.

This is actually one of the attack vectors I didn't know much about up until now, because I was never taught about CSRF attacks in my web development classes and I always assumed that it wouldn't be possible to resume a session so easily when the request isn't made locally, but apparently I was mistaken. It seems quite ridiculous that it would work that way without any sort of safeguard. Anyway, I'll include a patch for the exploit in the next release of BitShop because several files need to be edited.

XCN: CYsvPpb2YuyAib5ay9GJXU8j3nwohbttTz | BTC: 18MWPVJA9mFLPFT3zht5twuNQmZBDzHoWF
Cryptonite - 1st mini-blockchain altcoin | BitShop - digital shop script
Web Developer - PHP, SQL, JS, AJAX, JSON, XML, RSS, HTML, CSS
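The fix that later shipped in BitShop is not shown in this thread. As an added example (not BitShop's own code), here is the standard synchronizer-token check in PHP that blocks the auto-submitted cross-site form described above: the attacker's page can make the admin's browser send the session cookie, but it cannot read the per-session token to put in the form. It assumes PHP 7 or later; the session key, field name and function names are my own choices.

```php
<?php
// Added example, not BitShop code. Assumes PHP >= 7 (random_bytes, ??).
session_start();

// One random token per admin session, reused by all admin forms.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every admin <form method="post">.
function csrf_field(): string
{
    $tok = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $tok . '">';
}

// Second, independent check: a form submitted from another site carries
// that site's Origin (or Referer), not ours. No header at all is rejected too.
function request_is_same_origin(): bool
{
    $src  = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $host = parse_url($src, PHP_URL_HOST);
    $self = strtolower(explode(':', $_SERVER['HTTP_HOST'] ?? '')[0]);
    return is_string($host) && $self !== '' && strtolower($host) === $self;
}

// Call at the top of every admin script that changes state.
function csrf_verify(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return;                       // GET requests must never change state
    }
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() is a constant-time comparison.
    if ($expected === '' || !hash_equals($expected, $sent) || !request_is_same_origin()) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
}

csrf_verify();
// ... admin action (e.g. saving settings) continues here ...
```

Modern browsers additionally honour the SameSite attribute on the session cookie, which stops the cross-site POST from carrying the admin session at all; the token check above is still the server-side safeguard that does not depend on the browser.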
Pc3ooT
Newbie
Activity: 23
Merit: 0
August 26, 2015, 10:20:14 AM
#622

Waaaht!!!

hehe ok, I will see, kill my sessions after my work.
Coinbase has banned my account  Shocked

Can I resell your script on my page?
Next question:
Can I use your script on 2 of my sites, or do I have to buy again?

PS:
I'm planning a web page where newcomers and advanced people can share. However, in the German area. If you feel like it, you could indeed have a look some time, since in my opinion you are a good PHP developer.
SteamGamesBTC.com
Hero Member
Activity: 734
Merit: 507
August 26, 2015, 10:25:30 AM
#623

Quote
Can I resell your script on my page?
Next question:
Can I use your script on 2 of my sites, or do I have to buy again?

license.txt says:
Quote
SUMMARY:
-Can be used on 1 site, 1 server
-Source-code cannot be resold or distributed
-Commercial use allowed
-Can modify source-code but cannot distribute derivative works

SteamGamesBTC.com
> Automatic 24/7 bot: purchase any Steam game 20% cheaper with Bitcoin! <
Pc3ooT
Newbie
Activity: 23
Merit: 0
August 26, 2015, 10:43:22 AM
Last edit: August 26, 2015, 06:50:52 PM by Pc3ooT
#624

Quote
Can I resell your script on my page?
Next question:
Can I use your script on 2 of my sites, or do I have to buy again?

license.txt says:
Quote
SUMMARY:
-Can be used on 1 site, 1 server
-Source-code cannot be resold or distributed
-Commercial use allowed
-Can modify source-code but cannot distribute derivative works

Yes, that's why I'm asking the developer for a special right.

So I'll try it with self-installed SMTP support.

//edit

What would also be a good thing: I was not able to find out which directories and FILES need write permissions.
bitfreak! (OP)
Legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
August 27, 2015, 09:15:51 AM
#625

I was thinking about adding some sort of affiliate or reseller system, but I won't get around to it for a while.

If you want to use BitShop on another website then you'll need to purchase BitShop again (get the one-time download).

Pc3ooT
Newbie
Activity: 23
Merit: 0
August 27, 2015, 09:47:36 PM
Last edit: August 27, 2015, 10:03:21 PM by Pc3ooT
#626

Ok, thx, it's the self site.

Ok, I have another question.
How can I find out why the Transactions feed is not loaded?

When it is empty it shows that too.
But if there is something inside, it is just the feed loading and the hours.

***Edit***
Screens
http://prntscr.com/89ny58

http://prntscr.com/89nynm

bitfreak! (OP)
Legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
August 28, 2015, 12:43:32 PM
#627

So the feed won't load even when it's enabled and contains items? You do have JavaScript enabled, right?

Pc3ooT
Newbie
Activity: 23
Merit: 0
August 28, 2015, 05:53:15 PM
Last edit: August 28, 2015, 08:05:46 PM by Pc3ooT
#628

Yes, JavaScript is globally enabled. On my other pages JavaScript works normally.
jQuery is loading.
http://prntscr.com/89yo2l

http://prntscr.com/8a0aer
bitfreak! (OP)
Legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
August 29, 2015, 02:09:31 PM
#629

Well the feed seems to be working on my local installation so I'm not sure why it isn't working for you. I'll probably need to take a look at your website to figure it out.

bitfreak! (OP)
Legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
August 30, 2015, 10:08:20 AM
#630

Ok, the feed.php page isn't showing anything, so that must be the problem. It seems like the /inc/rss.inc file cannot be read for some reason; I'm guessing it is a permission error. To answer your question about permissions: all the folders should be set to 755 and all the files should be set to 644 or 744. In some cases you might also need to make sure that the files which need to be written to are owned by apache; the easiest way to do that is to allow PHP to create those files. The files which need to be written to include /inc/rss.inc, /inc/email_body.inc, /inc/feat_ids.inc, and all the config and log files in the inc and sci folders (if you're able to change the settings from within the admin area, then the config files must be writable).

Pc3ooT
Newbie
Activity: 23
Merit: 0
August 30, 2015, 03:54:07 PM
Last edit: August 30, 2015, 04:23:44 PM by Pc3ooT
#631

I have adjusted it the right way. In the browser I typed view-source: uri.
Then it showed me the contents. But on the home page simply nothing changes.
http://prntscr.com/8amk0t
Could the problem lie in apache2 version 2.4?
http://prntscr.com/8amxcv
bitfreak! (OP)
Legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
August 31, 2015, 07:25:22 AM
Last edit: August 31, 2015, 08:25:22 AM by bitfreak!
#632

I had a closer look and it's actually an encoding problem causing the XML code to be invalid. Since you're using a language with Unicode characters, they are being encoded as HTML characters, which the RSS feed doesn't seem to like. I'll upload a fixed version of BitShop shortly; I just want to fix one other bug first. For now you should be able to fix the feed by opening rss.inc and replacing all occurrences of &uuml; with ü.

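An added example, not BitShop's rss.inc, that shows the root cause of the broken feed: XML predefines only five named entities (amp, lt, gt, quot, apos), so an HTML entity such as &uuml; produced by htmlentities() makes the whole document unparseable, while htmlspecialchars() in UTF-8 leaves ü intact and escapes only the XML specials. The feed items below are constructed sample data and the function names are my own.

```php
<?php
// Added example, not BitShop code. Escapes feed text so that non-ASCII
// characters such as "ü" stay valid XML, and validates the result.

// Escape only & < > " ' (ENT_XML1 emits &#39; for the apostrophe).
// Using htmlentities() here instead would emit &uuml;, which XML rejects.
function rss_escape($text)
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

function rss_item($title, $link)
{
    return '<item><title>' . rss_escape($title) . '</title>'
         . '<link>' . rss_escape($link) . "</link></item>\n";
}

function build_feed(array $items)
{
    $xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
         . "<rss version=\"2.0\"><channel>\n";
    foreach ($items as $item) {
        list($title, $link) = $item;
        $xml .= rss_item($title, $link);
    }
    return $xml . "</channel></rss>\n";
}

// True when the generated document parses as well-formed XML.
function feed_is_valid_xml($xml)
{
    libxml_use_internal_errors(true);       // collect errors instead of warning
    $ok = simplexml_load_string($xml) !== false;
    libxml_clear_errors();
    return $ok;
}

// Constructed sample data: a German title with an umlaut and an ampersand.
$items = array(array('Neue Produkte für Bitcoin & Co.', 'https://shop.example/?id=1'));
$good  = build_feed($items);
// Reproduce what the HTML-entity encoding did to the feed.
$bad   = str_replace('ü', '&uuml;', $good);

var_dump(feed_is_valid_xml($good));
var_dump(feed_is_valid_xml($bad));
```

Replacing the entities in rss.inc by hand, as suggested above, works because the file is already declared as UTF-8; the durable fix is to never run feed text through htmlentities() in the first place.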
Pc3ooT
Newbie
Activity: 23
Merit: 0
August 31, 2015, 08:44:58 AM
#633

Ohh yes, it works now.
Ok, I have changed "für" to "fuer" in my language file.

ThX
Pc3ooT
Newbie
Activity: 23
Merit: 0
August 31, 2015, 07:06:34 PM
#634

I would also have a request for the next version.
Namely, that one can change the account passwords in the admin area!
Since I have now repeatedly had to find that my server does not send the mails to web.de.

With the SMTP server I haven't dealt yet; the structure is a little intricate.
smokey999
Newbie
Activity: 1
Merit: 0
September 01, 2015, 07:36:45 PM
#635

When I use the default gateway and send the bitcoin, I get the following error:

Status: Call to a member function query() on a non-object in /home/smokeyjo/public_html/lib/database.lib.php on line 146

http://prntscr.com/8bht3n

So what's wrong?
bitfreak! (OP)
Legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
September 02, 2015, 11:25:36 PM
#636

@smokey999: That error means a database connection was not established. You may have downloaded a buggy version of 1.0.7 before I fixed it. Try downloading BitShop again and replace your files. I am also going to release v1.0.8 within the next 24 hours and it will contain a few more bug fixes as well as a fix for the CSRF vulnerability, so you might want to just wait until I release the next version.

bitfreak! (OP)
Legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
September 03, 2015, 02:33:53 PM
#637

Version 1.0.8 of BitShop has been released. It fixes a few bugs and the CSRF vulnerabilities. It does not add any new features, but it is highly recommended to apply this update as it will make BitShop more secure. Anyone with a BitShop key can download the new version in the client file area.

SteamGamesBTC.com
Hero Member
Activity: 734
Merit: 507
September 03, 2015, 04:00:55 PM
#638

@bitfreak! You rock! PS. Update the title of the thread. ;-)

bitfreak! (OP)
Legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
September 03, 2015, 04:40:59 PM
#639

Quote
@bitfreak! You rock! PS. Update the title of the thread. ;-)

Thanks for reminding me. I have also added a new screenshot since the old one was a bit outdated.

bitfreak! (OP)
Legendary
Activity: 1536
Merit: 1000
electronic [r]evolution
September 04, 2015, 11:11:34 AM
#640

@SteamGamesBTC.com: so, have you updated BitShop to the latest version yet?

EDIT: Had a look at your website and you still seem to be running an old version. You really should update; the new version is better in almost every possible way.
