Bitcoin Forum
Author Topic: EmpireCoin: Bug bounty program  (Read 1499 times)

joey.rich (OP), August 10, 2016, 09:36:30 AM (last edit: August 16, 2016, 08:16:29 AM by joey.rich), #1

EmpireCoin: Bug Bounty Program

EmpireCoin is an open source gaming & blockchain prediction market platform.  For more information about this project, check the following threads:
EmpireCoin pre-announcement
Mock Election 2016
Free game: Red vs Blue

To guarantee the security of this platform, we are offering the following bug bounties:

0.5 BTC - Remove bitcoins from an EmpireCoin.org escrow account.
0.1 - 1 BTC - Demonstrate a vulnerability in the empirecoin-web source code

In order to receive the bounty, you must describe your exploit so that it can be fixed.

EmpireCoin uses the bitcoin-sci library to generate Bitcoin escrow addresses.  Details on escrowed funds are available on pages like this:
http://empirecoin.org/mock-election-2016/?action=show_escrow

The EmpireCoin source code is available here:
http://github.com/TeamEmpireCoin/empirecoin-web

KingZee, August 10, 2016, 07:24:32 PM, #2

Asking for 1 BTC for this potential SQL injection input:

Send the btc to 1KingZeeW97uLvngcUA3R6QJx18Fn78ddb, or let's use an escrow (my preference: Blazed) so I can send you the link, and the injection syntax and entry point.

joey.rich (OP), August 10, 2016, 08:08:42 PM, #3

Hi KingZee,

I had a problem where my VPS disk was full around the time you posted this, so I suspect that's what could have caused this error message.  If it really is a SQL injection and you can demo how to replicate, I can send you 0.2 BTC.

KingZee, August 10, 2016, 08:36:52 PM, #4

Quote from: joey.rich on August 10, 2016, 08:08:42 PM
Hi KingZee,

I had a problem where my VPS disk was full around the time you posted this, so I suspect that's what could have caused this error message.  If it really is a SQL injection and you can demo how to replicate, I can send you 0.2 BTC.

The error wasn't fixed, it's still up, it has nothing to do with your server's disk, it's in the webapp.

This error compromises your whole database, I'm not obliged to give you the injection link, you can spend time and funds to find it yourself, or send me 1 BTC.

BilalHIMITE, August 10, 2016, 08:55:26 PM, #5

Detected SQL Injection Vulnerability: http://imgur.com/a/jBcfS
Trying to get further in.

KingZee, August 10, 2016, 09:01:36 PM, #6

Quote from: BilalHIMITE on August 10, 2016, 08:55:26 PM
Detected SQL Injection Vulnerability: http://imgur.com/a/jBcfS
Trying to get further in.

Looks like another hole different from mine. But yes, all you need is time on your hands to drop all the info from his database down to the last password. If I had more time I'd definitely go through the injection and keep sending SQL requests till I find something that'll genuinely scare him, but I figured only finding the link would be enough for him. I don't think he understands the danger of an SQL injection.

BilalHIMITE, August 10, 2016, 09:13:52 PM, #7

Quote from: KingZee on August 10, 2016, 09:01:36 PM
Looks like another hole different from mine. But yes, all you need is time on your hands to drop all the info from his database down to the last password. If I had more time I'd definitely go through the injection and keep sending SQL requests till I find something that'll genuinely scare him, but I figured only finding the link would be enough for him. I don't think he understands the danger of an SQL injection.

Yes, he doesn't understand that.

I can send commands to the SQL, but I can't get data back.

joey.rich (OP), August 11, 2016, 08:22:28 AM (last edit: August 11, 2016, 03:41:51 PM by joey.rich), #8

Quote from: BilalHIMITE on August 10, 2016, 09:13:52 PM
Yes, he doesn't understand that.

I can send commands to the SQL, but I can't get data back.

I've been writing web applications for a long time and certainly understand SQL injections.

However, it does appear that I neglected to correctly escape user-entered BTC addresses in this one case (i.e. the attack vector pointed out by BilalHIMITE).  I have just fixed the issue: https://github.com/TeamEmpireCoin/empirecoin-web/commit/8cdd84c68e5cba5f6ad84489d917943bfc81a07c

BilalHIMITE, please post or PM me your bitcoin address to receive the 0.1 BTC bounty.
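What the fix joey.rich describes amounts to in code, as an added example that is not from empirecoin-web or its linked commit (the table, column names and sample addresses are constructed): the string-concatenated escrow lookup that an unescaped address can alter, beside a parameterized lookup with a base58 shape check in front of it.

```python
import re
import sqlite3

# Base58 alphabet used by Bitcoin addresses: no 0, O, I or l. Legacy addresses are
# 26-35 characters starting with 1 or 3. Checksum validation is out of scope here.
BTC_ADDRESS_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")

# Constructed sample escrow table; the addresses are made-up placeholders.
SAMPLE_ROWS = [
    ("1ConstructedTestAddrAAAAAAAAAAAAAA", 50_000_000),  # balance in satoshis
    ("1AnotherConstructedAddrBBBBBBBBBBB", 10_000_000),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory escrow table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE escrow (address TEXT PRIMARY KEY, balance_sat INTEGER)")
    conn.executemany("INSERT INTO escrow VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, address: str) -> list:
    """Before: user input spliced into the SQL text, so a quote in the input
    changes the statement itself."""
    sql = "SELECT address, balance_sat FROM escrow WHERE address = '" + address + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, address: str) -> list:
    """After: reject anything that is not address-shaped, then bind the value
    as a parameter so the database treats it as data, never as SQL."""
    if not BTC_ADDRESS_RE.fullmatch(address):
        raise ValueError("not a valid-looking Bitcoin address")
    return conn.execute(
        "SELECT address, balance_sat FROM escrow WHERE address = ?", (address,)
    ).fetchall()
```

Against the vulnerable function an input containing a quote character rewrites the WHERE clause; the fixed function rejects it before any SQL runs, and a well-formed address is bound as data rather than spliced into the statement.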

KingZee, August 11, 2016, 08:49:04 AM, #9

Quote from: joey.rich on August 11, 2016, 08:22:28 AM
I've been writing web applications for a long time and certainly understand the risk of SQL injections aka the simplest exploit out there.

However, it does appear that I neglected to correctly escape user-entered BTC addresses in this one case (ie the attack vector pointed out by BilalHIMITE).  I have just fixed the issue: https://github.com/TeamEmpireCoin/empirecoin-web/commit/8cdd84c68e5cba5f6ad84489d917943bfc81a07c

BilalHIMITE, please post or PM me your bitcoin address to receive the 0.1 BTC bounty.

Well good to know then. There's still an injection in the link I found. My offer still stands if you want to know the link. You also might want to salt or increase the security of the passwords you store, unsalted SHA-256 sent over an unencrypted request is not very secure.

Joel_Jantsen, August 11, 2016, 09:51:20 AM (last edit: August 11, 2016, 10:29:59 AM by Joel_Jantsen), #10

Quote from: KingZee on August 11, 2016, 08:49:04 AM
Well good to know then. There's still an injection in the link I found. My offer still stands if you want to know the link. You also might want to salt or increase the security of the passwords you store, unsalted SHA-256 sent over an unencrypted request is not very secure.

How about I fix that error for you @OP? I can give you a solution to reject all the external access with the most "easiest" query out there, like the one mentioned by KingZee. My pen testing tools are on the work! I should report to you if I come across any more vulnerabilities!

EDIT: Do DDoS attacks count?

Zoomer, August 11, 2016, 10:07:10 AM, #11

Would it not be a lot cheaper and maybe safer if you tried to hire a professional service for this?

I could be wrong but I think it's really the best and even quicker option since they also offer to fix the issues!

Because what if someone really finds a big hole and keeps it and doesn't tell you, and then uses it once there is a lot of cash to steal?

BilalHIMITE, August 11, 2016, 02:14:33 PM, #12

Quote from: joey.rich on August 11, 2016, 08:22:28 AM
I've been writing web applications for a long time and certainly understand the risk of SQL injections aka the simplest exploit out there.

However, it does appear that I neglected to correctly escape user-entered BTC addresses in this one case (ie the attack vector pointed out by BilalHIMITE).  I have just fixed the issue: https://github.com/TeamEmpireCoin/empirecoin-web/commit/8cdd84c68e5cba5f6ad84489d917943bfc81a07c

BilalHIMITE, please post or PM me your bitcoin address to receive the 0.1 BTC bounty.

15YnqdubKqeq3v7RVaV38Qk7FrvLpvZ5vG

Sent a PM also.

joey.rich (OP), August 11, 2016, 03:55:12 PM, #13

Quote from: Joel_Jantsen on August 11, 2016, 09:51:20 AM
How about I fix that error for you @OP? I can give you a solution to reject all the external access with the most "easiest" query out there, like the one mentioned by KingZee. My pen testing tools are on the work! I should report to you if I come across any more vulnerabilities!

EDIT: Do DDoS attacks count?

Thanks for the suggestion, I will implement salt & server side hashing soon.

You are welcome to submit a PR if you'd like but I'm not willing to put a bounty for that change.

DDOS is not eligible as it is not a vulnerability within the empirecoin-web source code.

joey.rich (OP), August 11, 2016, 03:57:49 PM, #14

Quote from: BilalHIMITE on August 11, 2016, 02:14:33 PM
15YnqdubKqeq3v7RVaV38Qk7FrvLpvZ5vG

Sent a PM also.

I have sent the 0.1 BTC, nice job finding this.

BilalHIMITE, August 11, 2016, 04:20:25 PM, #15

Quote from: joey.rich on August 11, 2016, 03:57:49 PM
I have sent the 0.1 BTC, nice job finding this.

Thanks joey.rich.
Looking for more vulnerabilities.

BilalHIMITE, August 11, 2016, 04:32:24 PM, #16

Quote from: joey.rich on August 11, 2016, 03:55:12 PM
...I will implement salt & server side hashing soon. ...

I highly recommend using a secure connection (HTTPS) on your website in case you're planning to implement server side hashing.
Because the password will be sent in plain text, and can easily be detected by network protocol analyzers (e.g. Wireshark).

Patatas, August 11, 2016, 04:51:08 PM, #17

Quote from: BilalHIMITE on August 11, 2016, 04:32:24 PM
I highly recommend using a secure connection (HTTPS) on your website in case you're planning to implement server side hashing.
Because the password will be sent in plain text, and can easily be detected by network protocol analyzers (e.g. Wireshark).

Wireshark won't detect the passwords if they are converted to hashes after the onsubmit event. Though there is no need to use HTTPS for that specific purpose, you can use it for 100 other reasons anyway. On a side note, do implement DDoS prevention mechanisms. What's the point of making your website 100% accurate when it just won't take the load of the bots? Trust me, DDoS is one of the most frequent and primary attacks to take down your site!

joey.rich (OP), August 11, 2016, 05:08:30 PM, #18

Quote from: BilalHIMITE on August 11, 2016, 04:32:24 PM
I highly recommend using a secure connection (HTTPS) on your website in case you're planning to implement server side hashing.
Because the password will be sent in plain text, and can easily be detected by network protocol analyzers (e.g. Wireshark).

I will still keep the client side hashing but then hash & salt on server side.

Quote from: Patatas on August 11, 2016, 04:51:08 PM
Wireshark won't detect the passwords if they are converted to hashes after the onsubmit event. Though there is no need to use HTTPS for that specific purpose, you can use it for 100 other reasons anyway. On a side note, do implement DDoS prevention mechanisms. What's the point of making your website 100% accurate when it just won't take the load of the bots? Trust me, DDoS is one of the most frequent and primary attacks to take down your site!

As we saw in the Heartbleed bug, encrypting with HTTPS is not necessarily secure; better to hash passwords on the client side first.

My webhost does provide some DDOS protection, I'm not sure how much though.  To handle DOS, this will soon be a P2P web app with many nodes.
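The "client-side SHA-256, then salt and hash on the server" design joey.rich describes, as an added example (not EmpireCoin code; the record layout and the PBKDF2 iteration count are assumptions): a fresh random salt per user means two users with the same password get different stored records, and a leaked table no longer contains the value the client sends.

```python
import hashlib
import hmac
import os

# Assumption: iteration count is a placeholder to tune against your hardware.
PBKDF2_ITERATIONS = 200_000


def client_hash(password: str) -> str:
    """What the browser sends instead of the raw password (SHA-256 hex, as in the thread)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_record(client_digest: str) -> dict:
    """Server side at registration: random per-user salt, then a slow salted
    hash over the client digest. Only this record is stored."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(
        "sha256", client_digest.encode("ascii"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": dk.hex()}


def verify(client_digest: str, record: dict) -> bool:
    """Server side at login: recompute with the stored salt and compare in
    constant time so timing does not leak how many bytes matched."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        client_digest.encode("ascii"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])
```

The client digest is still what travels to the server, so anyone who captures it on the wire can replay it; server-side salting protects the stored table, not the transport, which is the point BilalHIMITE makes about HTTPS.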

BilalHIMITE, August 11, 2016, 05:26:52 PM, #19

Quote from: joey.rich on August 11, 2016, 05:08:30 PM
I will still keep the client side hashing but then hash & salt on server side.

As we saw in the Heartbleed bug, encrypting with HTTPS is not necessarily secure; better to hash passwords on the client side first.

My webhost does provide some DDOS protection, I'm not sure how much though.  To handle DOS, this will soon be a P2P web app with many nodes.

You can use Cloudflare for DDoS protection, SSL (HTTPS), and powerful stats about your visitors. Starting from $0.

KingZee, August 11, 2016, 06:36:32 PM, #20

I guess you really don't care about the SQL injection vector that's still up. Or you think I'm joking. Suit yourself.
