Bitcoin Forum
Author Topic: [Pushpool Web Frontend] Simplecoin v5.0 Opensource PHP/MySQL - NEW RELEASE  (Read 57138 times)
ius (Newbie, Activity: 56, Merit: 0)
June 11, 2011, 04:26:15 PM  #21

Unfortunately, a quick audit of the source code reveals that many secure coding practices were incorrectly and inconsistently applied or neglected completely. Running this frontend in its current state is not safe (to say the least - you could end up losing your users' data and bitcoins).
Jine (Sr. Member, Activity: 403, Merit: 250)
June 11, 2011, 04:56:07 PM  #22

I totally agree with ius on this matter.

--

Regards, Jim

Previous founder of Bit LC Inc. | I've always loved the idea of bitcoin.
simplecoin (OP) (Sr. Member, Activity: 406, Merit: 250)
June 11, 2011, 05:32:02 PM  #23

Well, it's open source, rather than just saying it's unsafe, why not pm me with the issues you see.

I'm not a php dev, and this is the first php project I've done in about 8 years. I write enterprise .net apps for a living, and that's a whole different ballgame.

Donations: 1VjGJHPtLodwCFBDWsHJMdEhqRcRKdBQk
genewitch (Newbie, Activity: 28, Merit: 0)
June 11, 2011, 06:18:34 PM (last edit: June 11, 2011, 06:52:39 PM by genewitch)  #24

i noticed that there wasn't much in the way of input sanitizing, but that was at a cursory glance and not being an expert on such things.
I will install phpmyadmin to edit the database so i don't have to use sql to do it. Thanks for the tip.

I'm hoping that pushpool will work on Natty, today. :-)

edit: please advise. Do i set the pushpool databasename to the same one simplecoin is using or are they separate databases? IE i call my database simcoi for simplecoin, should i make another database called ppool for pushpool or point it at simcoi?

Ok i think i have to go talk to pushpool people now. Thanks for bearing with me :-)
simplecoin (OP) (Sr. Member, Activity: 406, Merit: 250)
June 11, 2011, 07:06:41 PM  #25

Quote from: genewitch
i noticed that there wasn't much in the way of input sanitizing, but that was at a cursory glance and not being an expert on such things.
I will install phpmyadmin to edit the database so i don't have to use sql to do it. Thanks for the tip.

I'm hoping that pushpool will work on Natty, today. :-)

edit: please advise. Do i set the pushpool databasename to the same one simplecoin is using or are they separate databases? IE i call my database simcoi for simplecoin, should i make another database called ppool for pushpool or point it at simcoi?

Ok i think i have to go talk to pushpool people now. Thanks for bearing with me :-)

np. The input should be somewhat sanitized by mysql_escape

Donations: 1VjGJHPtLodwCFBDWsHJMdEhqRcRKdBQk
ius (Newbie, Activity: 56, Merit: 0)
June 11, 2011, 07:10:18 PM  #26

Quote from: simplecoin
I'm not a php dev, and this is the first php project I've done in about 8 years.

I value the open source spirit and like what you're doing (the idea behind it), but if you're unsure about your capabilities of publishing/writing/maintaining safe PHP code, then add a disclaimer or find someone willing to maintain/audit your work. Besides, SQL injection and XSS aren't isolated to just PHP..

People could lose user data and/or bitcoins (and more), and will then blame you/simplecoin..

Check your PM for some details.
genewitch (Newbie, Activity: 28, Merit: 0)
June 11, 2011, 07:36:17 PM  #27

The php pages aren't showing any worker stats even though a worker is connected to the pushpoold backend using the username and password set on the account details page. Did i screw a database step up?

edit: i ran all the cronjob/*.php stuff just to make sure.
simplecoin (OP) (Sr. Member, Activity: 406, Merit: 250)
June 11, 2011, 07:36:55 PM  #28

Quote from: ius
I'm not a php dev, and this is the first php project I've done in about 8 years.

I value the open source spirit and like what you're doing (the idea behind it), but if you're unsure about your capabilities of publishing/writing/maintaining safe PHP code, then add a disclaimer or find someone willing to maintain/audit your work. Besides, SQL injection and XSS aren't isolated to just PHP..

People could lose user data and/or bitcoins (and more), and will then blame you/simplecoin..

Check your PM for some details.

Got it, will definitely fix the holes you recommended and add a disclaimer, thank you for your input.

Donations: 1VjGJHPtLodwCFBDWsHJMdEhqRcRKdBQk
simplecoin (OP) (Sr. Member, Activity: 406, Merit: 250)
June 11, 2011, 07:37:38 PM  #29

Quote from: genewitch
The php pages aren't showing any worker stats even though a worker is connected to the pushpoold backend using the username and password set on the account details page. Did i screw a database step up?

sounds like the workers.php cronjob isn't running. this updates that stat.

Donations: 1VjGJHPtLodwCFBDWsHJMdEhqRcRKdBQk
simplecoin (OP) (Sr. Member, Activity: 406, Merit: 250)
June 11, 2011, 09:16:12 PM  #30

Update to source:
bug fix on adminPanel.
Some security fixes in place such as anti XSS injection and additional sql escaping.


Security fixes are untested, but I thought I should include them before calling it a day.

Donations: 1VjGJHPtLodwCFBDWsHJMdEhqRcRKdBQk
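Two points in this part of the thread are worth seeing in code: simplecoin's remark in #25 that input "should be somewhat sanitized by mysql_escape", and the anti-XSS and extra SQL-escaping fixes announced in #30. The PHP below is an added example, not Simplecoin's or pushpool's own code. It mirrors the pool_worker table from the thread, but the PIN length, the helper names and the use of an in-memory SQLite database (via pdo_sqlite) for the demo are assumptions made here.

```php
<?php
// Added example (not Simplecoin's or pushpool's code): validate a numeric PIN,
// encode text for HTML output, and query the pool_worker table through a
// prepared statement instead of relying on mysql_escape_string().
// Assumptions: 4-digit PIN, helper names, pdo_sqlite available for the demo.
declare(strict_types=1);

// Accept a PIN only as a fixed-length string of ASCII digits. Keeping it a
// string preserves leading zeros; an (int) cast would turn "0042" into 42, and
// is_numeric() would also pass values such as " 12", "+12", "1.5" and "1e3".
function validatePin(string $pin, int $length = 4): ?string
{
    if (strlen($pin) !== $length || !ctype_digit($pin)) {
        return null;
    }
    return $pin;
}

// Encode user-controlled text before it is echoed into a page, so a stored
// username or payout address cannot inject markup (stored XSS).
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Look up a worker by name. With a prepared statement the value travels
// separately from the SQL text, so a quote in the input is data, not syntax.
// mysql_escape_string() gives no such guarantee and, unlike
// mysql_real_escape_string(), also ignores the connection character set.
function findWorker(PDO $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT id, associatedUserId, username FROM pool_worker WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo against an in-memory SQLite database (constructed data, pdo_sqlite assumed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pool_worker (id INTEGER PRIMARY KEY, associatedUserId INTEGER, username TEXT, password TEXT)');
$db->exec("INSERT INTO pool_worker (associatedUserId, username, password) VALUES (1, 'genewitch.1', 'x')");

var_dump(validatePin('0042'));           // PIN with leading zeros
var_dump(validatePin('1e3'));            // exponent form, which is_numeric() would accept
var_dump(findWorker($db, 'genewitch.1')); // the seeded worker
var_dump(findWorker($db, "o'brien.1"));   // a name containing a quote character
echo h('<b onmouseover="x">worker</b>'), "\n"; // markup rendered as inert text
```

Run it with `php example.php`. The first PIN survives intact as a string, the exponent form is rejected, the quoted username is simply not found rather than breaking the query, and the markup comes out entity-encoded. The same three habits (strict input validation, output encoding at the point of rendering, parameterised queries) are what the thread's "anti XSS" and "additional sql escaping" fixes are reaching for, and they hold regardless of which escaping function a given PHP version ships.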
genewitch (Newbie, Activity: 28, Merit: 0)
June 11, 2011, 10:36:14 PM  #31

Quote from: genewitch
The php pages aren't showing any worker stats even though a worker is connected to the pushpoold backend using the username and password set on the account details page. Did i screw a database step up?

Quote from: simplecoin
sounds like the workers.php cronjob isn't running. this updates that stat.

Nah, it's like the database for pushpool can't see the database for simplecoin and vice versa, because my worker is connected and has done 800 shares, but neither the main hashrate nor my account details have any indication that any work has been done - IE no payment. Is there something i am missing? there's no documentation for any of this stuff!!!
simplecoin (OP) (Sr. Member, Activity: 406, Merit: 250)
June 11, 2011, 10:43:47 PM  #32

Quote from: genewitch
The php pages aren't showing any worker stats even though a worker is connected to the pushpoold backend using the username and password set on the account details page. Did i screw a database step up?

Quote from: simplecoin
sounds like the workers.php cronjob isn't running. this updates that stat.

Quote from: genewitch
Nah, it's like the database for pushpool can't see the database for simplecoin and vice versa, because my worker is connected and has done 800 shares, but neither the main hashrate nor my account details have any indication that any work has been done - IE no payment. Is there something i am missing? there's no documentation for any of this stuff!!!

Ah, pushpool & simplecoin should be using the same database.

Donations: 1VjGJHPtLodwCFBDWsHJMdEhqRcRKdBQk
genewitch (Newbie, Activity: 28, Merit: 0)
June 11, 2011, 10:47:25 PM (last edit: June 11, 2011, 11:01:27 PM by genewitch)  #33

Quote from: genewitch
The php pages aren't showing any worker stats
Quote from: simplecoin
sounds like the workers.php cronjob isn't running.
Quote from: genewitch
Nah, it's like the database for pushpool can't see the database for simplecoin and vice versa
Quote from: simplecoin
Ah, pushpool & simplecoin should be using the same database.
they are, i called it sc and a user called pushpool was granted all permissions on it. Both simplecoin and pushpool use 'pushpool'@'localhost' as the database login, and i know pushpool can see the database because it allows my worker to login via -u genewitch.1 --pass=x.
what actually has the accounting, pushpool? Maybe i can dig through your PHP to see where the accounting database calls are and try the queries in a mysql prompt to see if there are the correct values in there. If you need any of my json or config files i can provide them.

Thanks for helping me, by the way. I'm setting this up for #xkcd on foonetic. :-)
Code:
mysql> show tables;
+----------------+
| Tables_in_sc   |
+----------------+
| accountBalance |
| networkBlocks  |
| pool_worker    |
| settings       |
| shares         |
| shares_history |
| webUsers       |
+----------------+
7 rows in set (0.00 sec)

mysql> select * from sc.accountBalance;
+----+--------+---------+------------------------------------+------+-----------+
| id | userId | balance | sendAddress                        | paid | threshold |
+----+--------+---------+------------------------------------+------+-----------+
|  1 |      1 | 0       | 1CfUcB7yKKWpco3BPjzHjveyrR1rBmvmEp | 0    |         0 |
+----+--------+---------+------------------------------------+------+-----------+
1 row in set (0.00 sec)

mysql> select * from sc.shares;
Empty set (0.00 sec)

mysql> select * from sc.shares_history;
Empty set (0.00 sec)

Edit: hey, am i supposed to add anything to pushpool to take care of accounting? like add sql commands somewhere or something? Or does simplecoin use logs to determine shares and activity and set the mysql stuff itself? I know all the frontend (for payments) is NOT handled by pushpool stock install, so maybe i missed a step where i move a config file from simplecoin to somewhere else. I did run mysql sc <simplecoin.sql
simplecoin (OP) (Sr. Member, Activity: 406, Merit: 250)
June 11, 2011, 11:03:38 PM  #34

right, pushpool uses the shares & pool_worker tables and should share them with simplecoin.

If you want, you could in theory remove shares & pool_worker from the sc database

Donations: 1VjGJHPtLodwCFBDWsHJMdEhqRcRKdBQk
genewitch (Newbie, Activity: 28, Merit: 0)
June 11, 2011, 11:36:59 PM  #35

Quote from: simplecoin
right, pushpool uses the shares & pool_worker tables and should share them with simplecoin.

If you want, you could in theory remove shares & pool_worker from the sc database

Right, sc.pool_worker is sort of working as intended, as my worker can log in with genewitch.1 and x as the password. But you see how the active and hashrate aren't set? What sets those? pushpool?
Do i have to code that logic myself?
Code:
mysql> select * from sc.pool_worker;
+----+------------------+-------------+----------+--------+----------+
| id | associatedUserId | username    | password | active | hashrate |
+----+------------------+-------------+----------+--------+----------+
|  1 |                1 | genewitch.1 | x        |      0 |        0 |
+----+------------------+-------------+----------+--------+----------+
1 row in set (0.00 sec)

and shares is empty, is pushpool supposed to populate this? the reason i ask is i can go pester the pushpool developers :-)
Code:
mysql> select * from sc.shares;
Empty set (0.00 sec)

simplecoin (OP) (Sr. Member, Activity: 406, Merit: 250)
June 12, 2011, 12:36:57 AM  #36

yes, pushpool fills shares, gets worker info from pool_worker.

sc fills the rest with cronjobs & user input.

Donations: 1VjGJHPtLodwCFBDWsHJMdEhqRcRKdBQk
genewitch (Newbie, Activity: 28, Merit: 0)
June 12, 2011, 03:32:43 AM  #37

hey you updated the git repo while i was making a patch:

http://paste.ubuntu.com/624849/

or
Code:
55c55
< $authPin = (int) $_POST["authPin"];
---
> $authPin = (string) $_POST["authPin"];
89c89
< if(!is_int($authPin)){
---
> if(!is_numeric($authPin)){
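
Review bot: `is_numeric($authPin)` on line 89 is looser than a PIN check needs: it also accepts leading whitespace, a sign, a decimal point and exponent notation (" 12", "+12", "1.5", "1e3"), so a digits-only check such as `ctype_digit($authPin)`, optionally combined with a `strlen` check for the expected length, would express the intent more precisely. Note also that the removed pair `(int) $_POST["authPin"]` followed by `is_int($authPin)` could never fail, since the cast always yields an int, so this patch is the first time the validation actually rejects anything; keeping the value as a string (line 55) is the right call, because an `(int)` cast is exactly what dropped the leading zeros the patch sets out to preserve.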

in register.php

This makes it so your pin can start with zero. or 2 zeros. or 3. this affected 2 out of three people on my new pool already :-p
gigabytecoin (Sr. Member, Activity: 280, Merit: 252)
June 12, 2011, 06:37:04 AM  #38

Is simplecoin.us being ddos'd? I can't access it and haven't been able to for the last 2 hours.
genewitch (Newbie, Activity: 28, Merit: 0)
June 12, 2011, 07:15:36 AM  #39

Quote from: gigabytecoin
Is simplecoin.us being ddos'd? I can't access it and haven't been able to for the last 2 hours.
most likely. and the owner is AFK (he mentioned this might happen and apologized)
simplecoin (OP) (Sr. Member, Activity: 406, Merit: 250)
June 12, 2011, 04:28:17 PM  #40

Quote from: gigabytecoin
Is simplecoin.us being ddos'd? I can't access it and haven't been able to for the last 2 hours.

It was being ddos'd, I took it down to fix ;) Now that it is down, I'm going to take a few extra days to lock my server down. The site will be up before the pool, and I'm thinking about creating a testnet site for demoing/testing the newer versions.

Donations: 1VjGJHPtLodwCFBDWsHJMdEhqRcRKdBQk