bitfreak! (OP)
Legendary
Offline
Activity: 1536
Merit: 1000
electronic [r]evolution
August 19, 2015, 01:14:26 PM  Last edit: August 23, 2015, 05:37:58 AM by bitfreak!
I was recently made aware of a CSRF exploit in BitShop which could cause damage if the attack is successful. To prevent it from happening make sure you log out of the admin area when you're finished and be careful not to click any shady links while you're logged in as admin.
Technical details:
The way the exploit works is that the attacker will somehow convince the admin to click a link while they are logged in as admin. The link will take the admin to a page on the attacker's website. The page will contain some JavaScript which will submit a hidden form and post data to the BitShop script. Even though the post request is coming from a different domain, the admin session will still be resumed because the request came from the web browser of the admin when they visited the attack page.
This is actually one of the attack vectors I didn't know much about up until now, because I was never taught about CSRF attacks in my web development classes and I always assumed that it wouldn't be possible to resume a session so easily when the request isn't made locally, but apparently I was mistaken. It seems quite ridiculous that it would work that way without any sort of safeguard. Anyway, I'll include a patch for the exploit in the next release of BitShop because several files need to be edited.
XCN: CYsvPpb2YuyAib5ay9GJXU8j3nwohbttTz | BTC: 18MWPVJA9mFLPFT3zht5twuNQmZBDzHoWF Cryptonite - 1st mini-blockchain altcoin | BitShop - digital shop script Web Developer - PHP, SQL, JS, AJAX, JSON, XML, RSS, HTML, CSS
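The thread does not show the fix that went into v1.0.8, so the following is an added example (not BitShop's code) of the standard defence against the attack described above: a synchronizer token stored in the admin's session and embedded in every state-changing form. A cross-site page can make the admin's browser submit a form, but it cannot read the token out of the admin's session or page, so the forged request fails the check. The function names csrf_token, csrf_field and csrf_check, the hidden field name csrf_token, the admin.php action and the shop_name field are all assumptions for illustration; random_bytes() and hash_equals() need PHP 7.0 or later.

```php
<?php
// Added example: synchronizer-token CSRF protection for an admin form.
// Assumes the admin area already relies on PHP sessions for login state.

function csrf_token(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes, hex encoded: unguessable by a page on another origin
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to include in every form that changes state.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Returns true only when the submitted token matches the one in the session.
function csrf_check(array $post): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given); // constant-time comparison
}

// Handler for a state-changing admin action (hypothetical admin.php):
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // ... perform the admin action here, e.g. save the shop settings ...
}
?>
<form method="post" action="admin.php">
    <?= csrf_field() ?>
    <input type="text" name="shop_name">
    <button type="submit">Save</button>
</form>
```

The check must run before any side effect, and only POST (never GET) should change state, since a GET link is exactly what the attacker would send the admin. As defence in depth, marking the session cookie SameSite (session_set_cookie_params(['samesite' => 'Lax']) on PHP 7.3 and later) stops the browser from attaching the admin session to cross-site form posts in the first place, and logging out of the admin area, as the post advises, leaves no session for a forged request to resume.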
Pc3ooT
Newbie
Offline
Activity: 23
Merit: 0
August 26, 2015, 10:20:14 AM
Waaaht!!! hehe, ok, I will kill my sessions after my work. Coinbase has my account banned. Can I resell your script on my page? Next question: can I use your script on 2 sites of mine, or do I have to buy again? PS: I plan a web page where newcomers and advanced people can share. However, in the German area. If you feel like it, you can indeed watch over it sometimes, since in my opinion you are a good PHP developer.
SteamGamesBTC.com
August 26, 2015, 10:25:30 AM
> Can i resell your Script on my page? next question Can I be your script on 2 sides of me to use or I have to buy again?

license.txt says:
SUMMARY:
- Can be used on 1 site, 1 server
- Source-code cannot be resold or distributed
- Commercial use allowed
- Can modify source-code but cannot distribute derivative works
►SteamGamesBTC.com◄ > Automatic 24/7 bot: purchase any Steam game 20% cheaper with Bitcoin! <
Pc3ooT
Newbie
Offline
Activity: 23
Merit: 0
August 26, 2015, 10:43:22 AM  Last edit: August 26, 2015, 06:50:52 PM by Pc3ooT
> Can i resell your Script on my page? next question Can I be your script on 2 sides of me to use or I have to buy again?
>
> license.txt says:
> SUMMARY:
> - Can be used on 1 site, 1 server
> - Source-code cannot be resold or distributed
> - Commercial use allowed
> - Can modify source-code but cannot distribute derivative works

Yes, that's why I ask the developer for a special right. So I'll try it with self-SMTP support installed.

//edit: What would also be a good thing: I was not able to find which directories and FILES need write permissions.
bitfreak! (OP)
Legendary
Offline
Activity: 1536
Merit: 1000
electronic [r]evolution
August 27, 2015, 09:15:51 AM
I was thinking about adding some sort of affiliate or reseller system but I won't get around to it for a while.
If you want to use BitShop on another website then you'll need to purchase BitShop again (get the one-time download).
Pc3ooT
Newbie
Offline
Activity: 23
Merit: 0
August 27, 2015, 09:47:36 PM  Last edit: August 27, 2015, 10:03:21 PM by Pc3ooT
Ok thx, it's the same site. Ok, I have another question: how can I find out why the Transactions feed is not loaded? When it is empty it shows that too. But when there is something inside, it just shows "feed charge" and the hours.

***Edit*** Screens: http://prntscr.com/89ny58 http://prntscr.com/89nynm
bitfreak! (OP)
Legendary
Offline
Activity: 1536
Merit: 1000
electronic [r]evolution
August 28, 2015, 12:43:32 PM
So the feed won't load even when it's enabled and contains items? You do have JavaScript enabled, right?
bitfreak! (OP)
Legendary
Offline
Activity: 1536
Merit: 1000
electronic [r]evolution
August 29, 2015, 02:09:31 PM
Well the feed seems to be working on my local installation so I'm not sure why it isn't working for you. I'll probably need to take a look at your website to figure it out.
bitfreak! (OP)
Legendary
Offline
Activity: 1536
Merit: 1000
electronic [r]evolution
August 30, 2015, 10:08:20 AM
Ok the feed.php page isn't showing anything so that must be the problem. Seems like the /inc/rss.inc file cannot be read for some reason, I'm guessing it is a permission error. To answer your question about permissions, all the folders should be set to 755 and all the files should be set to 644 or 744. In some cases you might also need to make sure that the files which need to be written to are owned by apache, the easiest way to do that is to allow PHP to create those files. The files which need to be written to include /inc/rss.inc, /inc/email_body.inc, /inc/feat_ids.inc, and all the config and log files in the inc and sci folders (if you're able to change the settings from within the admin area then the config files must be writable).
Pc3ooT
Newbie
Offline
Activity: 23
Merit: 0
August 30, 2015, 03:54:07 PM  Last edit: August 30, 2015, 04:23:44 PM by Pc3ooT
I have adjusted it the right way. In the browser I typed view-source: uri. Then it showed me the contents. But on the home page simply nothing changes. http://prntscr.com/8amk0t The problem may lie with apache2 version 2.4? http://prntscr.com/8amxcv
bitfreak! (OP)
Legendary
Offline
Activity: 1536
Merit: 1000
electronic [r]evolution
August 31, 2015, 07:25:22 AM  Last edit: August 31, 2015, 08:25:22 AM by bitfreak!
I had a closer look and it's actually an encoding problem causing the XML code to be invalid. Since you're using a language with unicode characters they are being encoded as html characters, which the rss feed doesn't seem to like. I'll upload a fixed version of BitShop shortly, I just want to fix one other bug first. For now you should be able to fix the feed by opening rss.inc and replacing all occurrences of ü with ü.
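The feed failure diagnosed above (HTML-encoded umlauts making the RSS XML invalid) comes down to one detail: XML predefines only five entities (&amp;amp;, &amp;lt;, &amp;gt;, &amp;quot;, &amp;apos;), so a named HTML entity such as &amp;uuml; is an undefined-entity error for any XML parser. The example below is added here and is not BitShop's rss.inc; it builds a small RSS feed twice, once escaped with htmlentities() (the broken way) and once with htmlspecialchars() in XML mode (the fix), and parses each with simplexml to show which one is well-formed. The function names rss_escape, build_feed and feed_is_valid and the sample German item text are constructed for illustration; ENT_XML1 needs PHP 5.4 or later.

```php
<?php
// Added example, not BitShop code: XML-safe escaping for an RSS feed with non-ASCII text.

// The fix: escape only the characters XML itself cares about, and leave
// non-ASCII text as raw UTF-8, which the XML declaration announces.
function rss_escape(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Build a minimal RSS 2.0 document, escaping every text node with $esc.
function build_feed(array $items, callable $esc): string {
    $xml  = '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
    $xml .= "<rss version=\"2.0\"><channel>\n";
    $xml .= '<title>' . $esc('Beispiel-Shop') . "</title>\n";
    foreach ($items as $item) {
        $xml .= '<item>'
              . '<title>' . $esc($item['title']) . '</title>'
              . '<description>' . $esc($item['desc']) . '</description>'
              . "</item>\n";
    }
    return $xml . "</channel></rss>\n";
}

// True when the document is well-formed XML (the check a feed reader does first).
function feed_is_valid(string $xml): bool {
    libxml_use_internal_errors(true);
    $ok = simplexml_load_string($xml) !== false;
    libxml_clear_errors();
    return $ok;
}

// Constructed sample items with umlauts and characters that really must be escaped.
$items = [
    ['title' => 'Grüße & Angebote', 'desc' => 'Für <alle> Kunden'],
];

// Broken: htmlentities() emits &uuml; and &szlig;, which XML does not define.
$broken = build_feed($items, function (string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
});

// Fixed: rss_escape() emits &amp; &lt; &gt; and leaves ü and ß as UTF-8.
$fixed = build_feed($items, 'rss_escape');

printf("htmlentities feed well-formed: %s\n", feed_is_valid($broken) ? 'yes' : 'no');
printf("rss_escape feed well-formed:   %s\n", feed_is_valid($fixed) ? 'yes' : 'no');
```

The htmlentities() variant fails to parse (libxml reports the undefined entity), while the htmlspecialchars() variant parses cleanly, which is why the post's quick fix of replacing the named entity with the literal character makes the feed load again. Escaping with htmlspecialchars() rather than hand-written replacements also keeps the feed safe when a product title contains &, < or >.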
Pc3ooT
Newbie
Offline
Activity: 23
Merit: 0
August 31, 2015, 08:44:58 AM
Ohh yes, it works now. Ok, I have changed "für" to "fuer" in my language file.
ThX
Pc3ooT
Newbie
Offline
Activity: 23
Merit: 0
August 31, 2015, 07:06:34 PM
I would also have a request for the next version: namely, that one can change the account passwords in the admin area! Since I now repeatedly had to find out that my server does not send the mails to web.de.
I have not yet dealt with the SMTP server; that structure has a few intricacies.
smokey999
Newbie
Offline
Activity: 1
Merit: 0
September 01, 2015, 07:36:45 PM
When I use the default gateway and send the bitcoin I get the following error:
Status: Call to a member function query() on a non-object in /home/smokeyjo/public_html/lib/database.lib.php on line 146
http://prntscr.com/8bht3n
So what's wrong?
bitfreak! (OP)
Legendary
Offline
Activity: 1536
Merit: 1000
electronic [r]evolution
September 02, 2015, 11:25:36 PM
@smokey999: That error means a database connection was not established. You may have downloaded a buggy version of 1.0.7 before I fixed it. Try downloading BitShop again and replace your files. I am also going to release v1.0.8 within the next 24 hours and it will contain a few more bug fixes as well as a fix for the CSRF vulnerability, so you might want to just wait until I release the next version.
bitfreak! (OP)
Legendary
Offline
Activity: 1536
Merit: 1000
electronic [r]evolution
September 03, 2015, 02:33:53 PM
Version 1.0.8 of BitShop has been released. It fixes a few bugs and CSRF vulnerabilities. It does not add any new features but it is highly recommended to apply this update as it will make BitShop more secure. Anyone with a BitShop key can download the new version in the client file area.
SteamGamesBTC.com
September 03, 2015, 04:00:55 PM
@bitfreak! You rock! PS. Update the title of the thread. ;-)
bitfreak! (OP)
Legendary
Offline
Activity: 1536
Merit: 1000
electronic [r]evolution
September 03, 2015, 04:40:59 PM
> @bitfreak! You rock! PS. Update the title of the thread. ;-)
Thanks for reminding me. I have also added a new screenshot since the old one was a bit outdated.
bitfreak! (OP)
Legendary
Offline
Activity: 1536
Merit: 1000
electronic [r]evolution
September 04, 2015, 11:11:34 AM
@SteamGamesBTC.com: so have you updated BitShop to the latest version yet?
EDIT: Had a look at your website and you still seem to be running an old version. You really should update, the new version is better in almost every possible way.