ius
June 11, 2011, 04:26:15 PM
Unfortunately, a quick audit of the source code reveals that many secure coding practices were incorrectly and inconsistently applied or neglected completely. Running this frontend in its current state is not safe (to say the least - you could end up losing your users' data and bitcoins).
Jine
June 11, 2011, 04:56:07 PM
I totally agree with ius on this matter.
--
Regards, Jim
Previous founder of Bit LC Inc. | I've always loved the idea of bitcoin.
simplecoin (OP)
June 11, 2011, 05:32:02 PM
Well, it's open source; rather than just saying it's unsafe, why not PM me with the issues you see.
I'm not a PHP dev, and this is the first PHP project I've done in about 8 years. I write enterprise .NET apps for a living, and that's a whole different ballgame.
Donations: 1VjGJHPtLodwCFBDWsHJMdEhqRcRKdBQk
genewitch
June 11, 2011, 06:18:34 PM Last edit: June 11, 2011, 06:52:39 PM by genewitch
I noticed that there wasn't much in the way of input sanitizing, but that was at a cursory glance and not being an expert on such things. I will install phpMyAdmin to edit the database so I don't have to use SQL to do it. Thanks for the tip.
I'm hoping that pushpool will work on Natty today. :-)
Edit: please advise. Do I set the pushpool database name to the same one simplecoin is using, or are they separate databases? I.e. I call my database simcoi for simplecoin; should I make another database called ppool for pushpool or point it at simcoi?
Ok, I think I have to go talk to the pushpool people now. Thanks for bearing with me :-)
simplecoin (OP)
June 11, 2011, 07:06:41 PM
> I noticed that there wasn't much in the way of input sanitizing, but that was at a cursory glance and not being an expert on such things. I will install phpMyAdmin to edit the database so I don't have to use SQL to do it. Thanks for the tip.
> I'm hoping that pushpool will work on Natty today. :-)
> Edit: please advise. Do I set the pushpool database name to the same one simplecoin is using, or are they separate databases? I.e. I call my database simcoi for simplecoin; should I make another database called ppool for pushpool or point it at simcoi?
> Ok, I think I have to go talk to the pushpool people now. Thanks for bearing with me :-)

np. The input should be somewhat sanitized by mysql_escape.
ius
June 11, 2011, 07:10:18 PM
> I'm not a PHP dev, and this is the first PHP project I've done in about 8 years.

I value the open source spirit and like what you're doing (the idea behind it), but if you're unsure about your capabilities of publishing/writing/maintaining safe PHP code, then add a disclaimer or find someone willing to maintain/audit your work. Besides, SQL injection and XSS aren't isolated to just PHP. People could lose user data and/or bitcoins (and more), and will then blame you/simplecoin. Check your PM for some details.
genewitch
June 11, 2011, 07:36:17 PM
The PHP pages aren't showing any worker stats even though a worker is connected to the pushpoold backend using the username and password set on the account details page. Did I screw a database step up?
Edit: I ran all the cronjob/*.php stuff just to make sure.
simplecoin (OP)
June 11, 2011, 07:36:55 PM
> I'm not a PHP dev, and this is the first PHP project I've done in about 8 years.
>
> I value the open source spirit and like what you're doing (the idea behind it), but if you're unsure about your capabilities of publishing/writing/maintaining safe PHP code, then add a disclaimer or find someone willing to maintain/audit your work. Besides, SQL injection and XSS aren't isolated to just PHP. People could lose user data and/or bitcoins (and more), and will then blame you/simplecoin. Check your PM for some details.

Got it, will definitely fix the holes you recommended and add a disclaimer. Thank you for your input.
simplecoin (OP)
June 11, 2011, 07:37:38 PM
> The PHP pages aren't showing any worker stats even though a worker is connected to the pushpoold backend using the username and password set on the account details page. Did I screw a database step up?

Sounds like the workers.php cronjob isn't running. This updates that stat.
simplecoin (OP)
June 11, 2011, 09:16:12 PM
Update to source: bug fix on adminPanel. Some security fixes are in place, such as anti-XSS injection and additional SQL escaping.
The security fixes are untested, but I thought I should include them before calling it a day.
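An added example, not simplecoin's or pushpool's code, showing the two fixes this thread keeps coming back to: a parameterised query instead of string escaping for the worker lookup, and output encoding for the stats page. It runs against a constructed in-memory SQLite copy of the pool_worker table genewitch posts in this thread, and assumes PHP 7 or later with the PDO sqlite driver.

```php
<?php
// Added example, not simplecoin's code. Demonstrates prepared statements and
// output encoding on a constructed copy of simplecoin's pool_worker table.
// Assumes PHP 7+ with the PDO sqlite driver; nothing here touches a real pool.

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pool_worker (id INTEGER PRIMARY KEY, associatedUserId INTEGER,'
            . ' username TEXT, password TEXT, active INTEGER, hashrate INTEGER)');
    // Constructed sample row, mirroring the one posted in the thread.
    $db->exec("INSERT INTO pool_worker VALUES (1, 1, 'genewitch.1', 'x', 0, 0)");
    return $db;
}

// Worker lookup with a bound parameter: the username never becomes part of the
// SQL text, so there is no escaping call to forget and no charset trick to defeat
// (mysql_escape_string, mentioned above, ignores the connection charset entirely).
function findWorker(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, associatedUserId, username, active, hashrate'
                       . ' FROM pool_worker WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Encode every value at the point it is written into HTML. ENT_QUOTES covers
// attribute contexts as well as text nodes; the charset must match the page's.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderWorkerRow(array $w): string {
    return '<tr><td>' . h($w['username']) . '</td><td>' . h((string) $w['hashrate'])
         . '</td><td>' . ($w['active'] ? 'yes' : 'no') . '</td></tr>';
}

$db = openDemoDb();

// A real worker name returns its row; an injection-shaped value is just a
// username that does not exist, so the lookup returns null, not every worker.
var_dump(findWorker($db, 'genewitch.1'));
var_dump(findWorker($db, "x' OR '1'='1"));

// A worker name containing markup is stored as-is but rendered as inert text.
$db->exec("INSERT INTO pool_worker VALUES (2, 2, '<script>alert(1)</script>', 'x', 1, 0)");
echo renderWorkerRow(findWorker($db, '<script>alert(1)</script>')), "\n";
```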
genewitch
June 11, 2011, 10:36:14 PM
> The PHP pages aren't showing any worker stats even though a worker is connected to the pushpoold backend using the username and password set on the account details page. Did I screw a database step up?
>
> Sounds like the workers.php cronjob isn't running. This updates that stat.

Nah, it's like the database for pushpool can't see the database for simplecoin and vice versa, because my worker is connected and has done 800 shares, but neither the main hashrate nor my account details have any indication that any work has been done - i.e. no payment. Is there something I am missing? There's no documentation for any of this stuff!!!
simplecoin (OP)
June 11, 2011, 10:43:47 PM
> The PHP pages aren't showing any worker stats even though a worker is connected to the pushpoold backend using the username and password set on the account details page. Did I screw a database step up?
>
> Sounds like the workers.php cronjob isn't running. This updates that stat.
>
> Nah, it's like the database for pushpool can't see the database for simplecoin and vice versa, because my worker is connected and has done 800 shares, but neither the main hashrate nor my account details have any indication that any work has been done - i.e. no payment. Is there something I am missing? There's no documentation for any of this stuff!!!

Ah, pushpool & simplecoin should be using the same database.
genewitch
June 11, 2011, 10:47:25 PM Last edit: June 11, 2011, 11:01:27 PM by genewitch
> The PHP pages aren't showing any worker stats
>
> Sounds like the workers.php cronjob isn't running.
>
> Nah, it's like the database for pushpool can't see the database for simplecoin and vice versa
>
> Ah, pushpool & simplecoin should be using the same database.

They are. I called it sc and a user called pushpool was granted all permissions on it. Both simplecoin and pushpool use 'pushpool'@'localhost' as the database login, and I know pushpool can see the database because it allows my worker to log in via -u genewitch.1 --pass=x. What actually has the accounting, pushpool? Maybe I can dig through your PHP to see where the accounting database calls are and try the queries in a mysql prompt to see if the correct values are in there. If you need any of my json or config files I can provide them. Thanks for helping me, by the way. I'm setting this up for #xkcd on foonetic. :-)

mysql> show tables;
+----------------+
| Tables_in_sc   |
+----------------+
| accountBalance |
| networkBlocks  |
| pool_worker    |
| settings       |
| shares         |
| shares_history |
| webUsers       |
+----------------+
7 rows in set (0.00 sec)

mysql> select * from sc.accountBalance;
+----+--------+---------+------------------------------------+------+-----------+
| id | userId | balance | sendAddress                        | paid | threshold |
+----+--------+---------+------------------------------------+------+-----------+
|  1 |      1 |       0 | 1CfUcB7yKKWpco3BPjzHjveyrR1rBmvmEp |    0 |         0 |
+----+--------+---------+------------------------------------+------+-----------+
1 row in set (0.00 sec)

mysql> select * from sc.shares;
Empty set (0.00 sec)

mysql> select * from sc.shares_history;
Empty set (0.00 sec)

Edit: hey, am I supposed to add anything to pushpool to take care of accounting? Like add SQL commands somewhere or something? Or does simplecoin use logs to determine shares and activity and set the MySQL stuff itself? I know all the frontend (for payments) is NOT handled by a stock pushpool install, so maybe I missed a step where I move a config file from simplecoin to somewhere else. I did run mysql sc <simplecoin.sql
simplecoin (OP)
June 11, 2011, 11:03:38 PM
Right, pushpool uses the shares & pool_worker tables and should share them with simplecoin.
If you want, you could in theory remove shares & pool_worker from the sc database.
genewitch
June 11, 2011, 11:36:59 PM
> Right, pushpool uses the shares & pool_worker tables and should share them with simplecoin.
> If you want, you could in theory remove shares & pool_worker from the sc database.

Right, sc.pool_worker is sort of working as intended, as my worker can log in with genewitch.1 and x as the password. But you see how the active and hashrate aren't set? What sets those? pushpool? Do I have to code that logic myself?

mysql> select * from sc.pool_worker;
+----+------------------+-------------+----------+--------+----------+
| id | associatedUserId | username    | password | active | hashrate |
+----+------------------+-------------+----------+--------+----------+
|  1 |                1 | genewitch.1 | x        |      0 |        0 |
+----+------------------+-------------+----------+--------+----------+
1 row in set (0.00 sec)

And shares is empty; is pushpool supposed to populate this? The reason I ask is I can go pester the pushpool developers :-)

mysql> select * from sc.shares;
Empty set (0.00 sec)
simplecoin (OP)
June 12, 2011, 12:36:57 AM
Yes, pushpool fills shares and gets worker info from pool_worker.
sc fills the rest with cronjobs & user input.
genewitch
June 12, 2011, 03:32:43 AM
hey you updated the git repo while i was making a patch: http://paste.ubuntu.com/624849/or 55c55 < $authPin = (int) $_POST["authPin"]; --- > $authPin = (string) $_POST["authPin"]; 89c89 < if(!is_int($authPin)){ --- > if(!is_numeric($authPin)){
in register.php. This makes it so your PIN can start with zero, or 2 zeros, or 3. This affected 2 out of three people on my new pool already :-p
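Review bot: the `is_numeric($authPin)` check in hunk 89c89 still accepts values a PIN should never have (a leading sign, a decimal point, exponent notation such as "1e3", and leading whitespace), so the fix for leading zeros loosens validation more than it needs to; since 55c55 now keeps the PIN as a string, `if(!ctype_digit($authPin)){` together with a length bound is the tighter check. Worth noting that the old `is_int($authPin)` after an `(int)` cast could never fail, so this is the first time the value is actually validated at all. One thing to confirm outside this diff: if the column the PIN is written to is an integer type, the leading zeros will still be dropped on storage and the same two-out-of-three users will be locked out again.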
gigabytecoin
June 12, 2011, 06:37:04 AM
Is simplecoin.us being DDoS'd? I can't access it and haven't been able to for the last 2 hours.
genewitch
June 12, 2011, 07:15:36 AM
> Is simplecoin.us being DDoS'd? I can't access it and haven't been able to for the last 2 hours.

Most likely. And the owner is AFK (he mentioned this might happen and apologized).
simplecoin (OP)
June 12, 2011, 04:28:17 PM
> Is simplecoin.us being DDoS'd? I can't access it and haven't been able to for the last 2 hours.

It was being DDoS'd; I took it down to fix it. Now that it is down, I'm going to take a few extra days to lock my server down. The site will be up before the pool, and I'm thinking about creating a testnet site for demoing/testing the newer versions.