Bitcoin Forum
May 10, 2024, 08:43:10 PM *

Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Author Topic: [CLOSED] CoinLenders  (Read 226433 times)
ranlo (Legendary, Activity: 1974, Merit: 1007)
July 12, 2013, 07:13:52 AM, #661

You can't say you didn't do this to yourself. Enjoy your red text!


Snippet from CoinLenders source:
Code:
function userRegister($username, $email, $legalname, $password1, $password2){
    global $mysqli;
    global $passwordSalt;   // one site-wide salt, shared by every account

    // escape the free-text fields before they reach the query
    $username  = $mysqli->real_escape_string($username);
    $email     = $mysqli->real_escape_string($email);
    $legalname = $mysqli->real_escape_string($legalname);

    // strict comparison: the two fields must be identical strings
    if($password1 !== $password2){
        return "passmismatch";
    }
    if(strlen($password1) < 8){
        return "passshort";
    }
    // single SHA-256 over (global salt . password)
    $password = hash("SHA256", $passwordSalt . $password1);

    [..]

As you can clearly see, passwords are hashed and salted.

Little off-topic but shouldn't it be

if($password1 != $password2) { //stuff here}

??

Still a newbie at PHP but I learn as I go, :p.

https://nanogames.io/i-bctalk-n/
Message for info on how to get kickbacks on sites like Nano (above) and CryptoPlay!
🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 07:18:11 AM, #662

Quote from: ranlo on July 12, 2013, 07:13:52 AM
Little off-topic but shouldn't it be

if($password1 != $password2) { //stuff here}

??

Still a newbie at PHP but I learn as I go, :p.

Nah. PHP is a weakly typed language.

According to PHP:

NULL  == false
false == 0

So what's the problem?

echo '000000' == '000'; -- 1 (true)

Which means that if someone types the password 00000000 and 000, == (!=) would say they are equal, but === (!==) would not.
🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 07:20:21 AM, #663
Quote
Well, this is starting to look like pirateat40. If you're doing nothing wrong then you should certainly be able to keep your cool and prove me wrong; one function doesn't do that, sorry.

What do you think a function showing I am hashing passwords with salting proves?

Anyway, he's just here because he wants to spread FUD about me, but there are tools to defend against that, because spreading FUD is untrustworthy. :)
ranlo (Legendary, Activity: 1974, Merit: 1007)
July 12, 2013, 07:21:00 AM, #664


Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 07:18:11 AM
Quote from: ranlo on July 12, 2013, 07:13:52 AM
Little off-topic but shouldn't it be

if($password1 != $password2) { //stuff here}

??

Still a newbie at PHP but I learn as I go, :p.

Nah. PHP is a weakly typed language.

According to PHP:

NULL  == false
false == 0

So what's the problem?

echo '000000' == '000'; -- 1 (true)

Which means that if someone types the password 00000000 and 000, == (!=) would say they are equal, but === (!==) would not.

That's immensely helpful actually. So basically what you're saying is that !== means "even if they are equal in value, they have to be a perfect match," right? So that would also mean that if you did 5+9 != 6+3 it would be different than 5+9 !== 6+3?

🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 07:23:12 AM, #665

== and != means they are equal
=== and !== means they are identical

For ==, if something isn't identical, PHP will try and make them equal by converting in types. For example, by converting the string '00000' into the number zero, and '000000000' into the number zero, which matches.

For your specific example (5+9 != 6+3), PHP will first work out the values of the left hand and right hand side (9) and then compare if 9 is equal in value to 9.

Also, @gweedo, if you still think I suck at web development, theymos can attest to the fact that I reported a vulnerability that gives me powers reserved for moderators earlier today. :)
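The loose-versus-strict comparison point made in the two posts above, as an added example (not CoinLenders code and not written by either poster). It goes one step beyond the thread: besides showing which numeric-looking password pairs `==` treats as equal, it shows the same coercion on hex digests, which is why a stored hash must never be compared with `==` either. It assumes PHP 7.1+ (short list destructuring); `hash_equals()` needs PHP 5.6+. The input strings are constructed for the demonstration.

```php
<?php
// Added example (not CoinLenders code): PHP's == converts two numeric-looking
// strings to numbers before comparing, === compares them as-is.
// Needs PHP 7.1+ for the [$a, $b] destructuring; hash_equals() needs 5.6+.

function looseEqual(string $a, string $b): bool  { return $a == $b; }
function strictEqual(string $a, string $b): bool { return $a === $b; }

// Constructed pairs. The first three are "numeric strings" in PHP's sense, so
// == converts both sides to numbers; the last pair is compared as text.
$pairs = [
    ['000000', '000'],      // 0 == 0           (the case raised in the thread)
    ['1e3',    '1000'],     // 1000.0 == 1000   (scientific notation)
    ['0e1234', '0e9876'],   // 0.0 == 0.0       (both parse as zero)
    ['abc',    'abc '],     // non-numeric: ordinary string comparison
];

foreach ($pairs as [$a, $b]) {
    printf("%-9s %-9s  ==: %-5s  ===: %s\n",
        var_export($a, true), var_export($b, true),
        looseEqual($a, $b) ? 'true' : 'false',
        strictEqual($a, $b) ? 'true' : 'false');
}

// The same coercion bites when a stored digest is compared with ==: any two
// hex digests of the form 0e<digits only> are "equal" under ==. The two inputs
// below are the widely cited md5 examples of that shape.
function digestsMatchLoosely(string $input1, string $input2): bool {
    return md5($input1) == md5($input2);
}
function digestsMatchStrictly(string $input1, string $input2): bool {
    // hash_equals() is strict and runs in constant time, so it also avoids
    // leaking how many leading characters of the digest matched.
    return hash_equals(md5($input1), md5($input2));
}

var_dump(digestsMatchLoosely('QNKCDZO', '240610708'));
var_dump(digestsMatchStrictly('QNKCDZO', '240610708'));
```

Run it with `php example.php`; the table shows the first three pairs as equal under `==` and unequal under `===`, and the two `var_dump` lines show the same split for the digest comparison. In login code the rule that follows is: compare user-supplied strings with `===`, and compare digests with `hash_equals()`.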
ranlo (Legendary, Activity: 1974, Merit: 1007)
July 12, 2013, 07:25:19 AM, #666

Quote from: 🏰 TradeFortress 🏰 on July 12, 2013, 07:23:12 AM
== and != means they are equal
=== and !== means they are identical

For ==, if something isn't identical, PHP will try and make them equal by converting in types. For example, by converting the string '00000' into the number zero, and '000000000' into the number zero, which matches.

For your specific example (5+9 != 6+3), PHP will first work out the values of the left hand and right hand side (9) and then compare if 9 is equal in value to 9.

Ahh, thanks a lot! I'll quit filling up your thread now, :p. It was just odd to see that as I haven't (though I am limited on my PHP knowledge) ever seen it like that before, lol.

🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 07:28:09 AM, #667

Quote from: ranlo on July 12, 2013, 07:25:19 AM
It was just odd to see that as I haven't (though I am limited on my PHP knowledge) ever seen it like that before, lol.

So is gweedo :P

@gweedo, do you want me to bring up the critique of your coding skills someone did in the newbie section and pointed out like 8 flaws?

Also, I found a vulnerability on your website in about 2 minutes. Just saying.
🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 07:33:24 AM, #668

You're the one who spread FUD about me, I'm just doing the same except I'm not making things up unlike you :)
🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 07:37:34 AM, #669

Please provide me with a written & signed contract to pentest your site and I will post the vulnerabilities.

I don't think anyone will hire you as a programmer anymore after that though.

The icon for this message, which is reserved for moderators and administrators, is just a testament to my web dev & security skills (try doing the same and failing :))
🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 07:52:39 AM, #670

Yeah, I can see why you want to protect your reputation even though you code vulnerable sites. :P

While wanting the full source code and database of coinlenders as proof. Also, my challenge for you to do the red icon still stands (create a new thread, this is about coinlenders).
🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 08:02:22 AM, #671

VIP can't make red icons. Only moderators and admins are supposed to. Move to a new topic if you want to talk about that.

Just so people know, I've already shown I hash and salt your passwords for CoinLenders (it's actually hashed twice, once at your client and once on the server). gweedo is just spreading FUD.

Also, keep in mind that CoinLenders and Inputs.io are among the very few Bitcoin sites that handle more than 10k BTC and haven't been hacked. A lot of others have been; some of them I found vulnerabilities in myself (and reported, of course).
🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 08:10:33 AM, #672

That's for coinchat, not CoinLenders. I posted proof that CoinLenders does hash and salt.

In fact check the client JS, it's hashed right in your browser.

Just more FUD from gweedo as usual.
🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 08:14:22 AM, #673

That's for coinchat, not CoinLenders. I posted proof that CoinLenders does hash and salt.

In fact check the client JS, it's hashed right in your browser.

Just more FUD from gweedo as usual.
🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 08:17:29 AM, #674

CoinLenders and CoinChat hash passwords.

CoinLenders also salts passwords.

CoinLenders also hashes your password in your browser with Javascript.

I cannot access your password (unlike what gweedo is claiming) on CoinLenders. I can only access the hash which is useless if it has been salted with a strong hash.

Gweedo is spreading FUD that I don't do this. He is posting a misleading screenshot out of context. I DO hash passwords. I don't salt them for CoinChat, but they are hashed.

As I am tired of saying the same thing again and again, this is now my stock response.
🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 08:20:48 AM, #675

It's out of context because I do hash passwords. I said that in that thread. However, you don't include that portion, which makes people think I don't hash passwords (when I do).
🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 08:24:01 AM, #676

You're the one who has been attacking me and who started all this :)
🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 08:26:27 AM, #677

More lies from you. I do hash and salt my passwords (sha256 + salt, or bcrypt + user unique salt).

CoinLenders and CoinChat hash passwords.

CoinLenders also salts passwords.

CoinLenders also hashes your password in your browser with Javascript.

I cannot access your password (unlike what gweedo is claiming) on CoinLenders. I can only access the hash which is useless if it has been salted with a strong hash.

Gweedo is spreading FUD that I don't do this. He is posting a misleading screenshot out of context. I DO hash passwords. I don't salt them for CoinChat, but they are hashed.

As I am tired of saying the same thing again and again, this is now my stock response.
matt4054 (Legendary, Activity: 1946, Merit: 1035)
July 12, 2013, 09:03:27 AM, #678

OK, so CoinChat doesn't salt passwords. It means that if an attacker gets access to the CoinChat user database, he will be able to lookup hashes in rainbow tables and find cleartext of obvious, dictionary and otherwise weak passwords. That certainly isn't "best practice compliant", but since CoinLenders is not affected, isn't it a bit off topic here?

I think we have all taken good note that TF and gweedo aren't best friends, but this is getting ridiculous IMHO
🏰 TradeFortress 🏰 (OP) (Bitcoin Veteran, VIP, Legendary, Activity: 1316, Merit: 1043)
July 12, 2013, 09:18:39 AM, #679

Quote from: matt4054 on July 12, 2013, 09:03:27 AM
OK, so CoinChat doesn't salt passwords. It means that if an attacker gets access to the CoinChat user database, he will be able to lookup hashes in rainbow tables and find cleartext of obvious, dictionary and otherwise weak passwords. That certainly isn't "best practice compliant", but since CoinLenders is not affected, isn't it a bit off topic here?

I think we have all taken good note that TF and gweedo aren't best friends, but this is getting ridiculous IMHO

Especially with him wanting the database for CoinLenders. Like lol.

CoinLenders now hashes passwords with a user unique salt. The entropy for the randomly generated salt is from /dev/urandom, which is good for most cryptographic purposes but still not as good as /dev/random. CL didn't use /dev/random at the start because it is blocking and that's not practical for a site with thousands of users.

Soon, when you sign into CoinLenders your password will be resalted with random bits from /dev/random.
vlees (Full Member, Activity: 196, Merit: 100)
July 12, 2013, 12:00:11 PM, #680

How stupid can one be to not read the difference between CoinChat and CoinLenders.

One thing I noticed though is that I saw that the salt is a global variable in CoinLenders -> the salt is the same for everyone? -> if the database leaks the attacker can find people having the same password easily since the sha256 of (salt.pwd) is the same for everyone when pwd1 === pwd2

BEEP BEP
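The salting question raised in the last two posts (a per-user salt in #679, and in #680 the observation that the posted snippet's global `$passwordSalt` gives every account with the same password the same digest), as an added example that is not CoinLenders code and was not written by anyone in the thread. It puts the snippet's scheme beside a per-user random salt and beside `password_hash()` (bcrypt, the slow hash mentioned in #677) so the difference is visible in the stored values. It assumes PHP 7.0+ for `random_bytes()`; `$SITE_SALT` is an invented stand-in for the real `$passwordSalt`, and the two user records are constructed. One caveat for the browser-side hashing described in #672 and #674: whatever the client pre-hashes, the server has to treat the value it receives as the password and run it through one of these schemes, because that received value is what an attacker holding a leaked table would replay.

```php
<?php
// Added example, not CoinLenders code. Contrasts the site-wide-salt scheme of
// the posted snippet (hash("SHA256", $passwordSalt . $password1)) with a
// per-user random salt and with password_hash(). Needs PHP 7.0+ for
// random_bytes(). $SITE_SALT is an invented stand-in for $passwordSalt.

$SITE_SALT = 'one-salt-for-every-account';   // assumed value, for illustration

// Scheme 1: one site-wide salt, as in the posted snippet.
function hashWithSiteSalt(string $password, string $siteSalt): string {
    return hash('sha256', $siteSalt . $password);
}

// Scheme 2: a fresh 16-byte salt per user, stored beside the digest.
function hashWithUserSalt(string $password): array {
    $salt = random_bytes(16);                 // CSPRNG, per account
    return ['salt' => bin2hex($salt),
            'hash' => hash('sha256', $salt . $password)];
}
function verifyWithUserSalt(string $password, array $record): bool {
    $candidate = hash('sha256', hex2bin($record['salt']) . $password);
    return hash_equals($record['hash'], $candidate);   // strict, constant time
}

// Scheme 3: bcrypt via password_hash(); salt generation, the cost factor and
// the deliberately slow hash are handled by PHP and kept in the one string.
function hashWithBcrypt(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Two constructed users who happen to have chosen the same password.
$users = ['alice' => 'correct-horse-7', 'bob' => 'correct-horse-7'];

echo "site-wide salt:\n";
foreach ($users as $name => $pw) {
    echo "  $name  " . hashWithSiteSalt($pw, $SITE_SALT) . "\n";
}
// Both users get the same digest: a leaked table shows who shares a password,
// and one cracked digest opens every account that uses it.

echo "per-user salt:\n";
$records = [];
foreach ($users as $name => $pw) {
    $records[$name] = hashWithUserSalt($pw);
    echo "  $name  salt={$records[$name]['salt']}  hash={$records[$name]['hash']}\n";
}
// Same password, different digests; each record has to be attacked separately.
var_dump(verifyWithUserSalt('correct-horse-7', $records['alice']));
var_dump(verifyWithUserSalt('not-the-password', $records['alice']));

echo "bcrypt:\n";
$stored = hashWithBcrypt($users['alice']);
echo "  alice  $stored\n";          // "$2y$12$" . salt . digest, all in one field
var_dump(password_verify('correct-horse-7', $stored));
```

Run it with `php example.php` and compare the two "alice"/"bob" lines under each heading. The per-user salt removes the equal-password leak that #680 describes; bcrypt additionally makes each guess cost a configurable amount of CPU, which a single SHA-256 (salted or not) does not.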
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!