hoop
Legendary
Offline
Activity: 1524
Merit: 1001
NOBT - WNOBT your saving bank◕◡◕
November 16, 2016, 07:12:51 AM
This is good news for the launch of this service. Having this service in place before the other one closes is a useful step for faucet owners and users.
I wish you all the best for the new project.
arcanaaerobics
November 16, 2016, 07:36:17 AM
Good to see that faucethub will have a "rival". I saw people here talking about problems, and well, maybe you should make it all perfect before launching to avoid this kind of comment; however, it seems like you are working on all the questions that people asked here, so good luck with your project!
felicita
Legendary
Offline
Activity: 1582
Merit: 1031
November 16, 2016, 06:52:28 PM
    EDIT: my faucet is selfmade, can you give me some startup on how to send a payment with your api?

    $pay = new FaucetSystem($api_key, $currency); $pay->send($to, $user['balance']);
    Replace 'faucetbox.com' by 'faucetsystem.com' in your scripts and enjoy.

Where do I edit faucetsystem.com? I am using this for faucetbox payments: $pay = new FaucetBox($api_key, $currency); $pay->send($to, $user['balance']); and they provided a PHP class for this. Can I use the same class? Can you explain a bit more? I don't understand how to implement your system. Kind regards
Kazuldur
Legendary
Offline
Activity: 971
Merit: 1000
November 16, 2016, 07:07:14 PM
    EDIT: my faucet is selfmade, can you give me some startup on how to send a payment with your api?

    $pay = new FaucetSystem($api_key, $currency); $pay->send($to, $user['balance']);
    Replace 'faucetbox.com' by 'faucetsystem.com' in your scripts and enjoy.

    Where do I edit faucetsystem.com? I am using this for faucetbox payments: $pay = new FaucetBox($api_key, $currency); $pay->send($to, $user['balance']); and they provided a PHP class for this. Can I use the same class? Can you explain a bit more? I don't understand how to implement your system. Kind regards

Open the faucetbox.php file that you got from FaucetBOX.com and replace all "faucetbox.com" text in that file with "faucetsystem.com".
Unless stated otherwise, all opinions are of my own, not FaucetBOX.com's.
Kazuldur
Legendary
Offline
Activity: 971
Merit: 1000
November 16, 2016, 07:34:38 PM
1. it defaults to HTTP on the website
    I will totally remove HTTP
Good to hear that.

2. it does support HTTPS, but it's a free certificate from CloudFlare, so I bet they're using the "Flexible SSL" setting. That means that the connection is only encrypted between you and CloudFlare, but then it's unencrypted plaintext between CloudFlare and the FaucetSystem.com servers.
    FULL, but self-signed
That's only a little bit better. Please use a valid certificate and the "strict" option on CloudFlare. You can get a free, really nice certificate from LetsEncrypt.

3. they use HTTP endpoints in their libs for migrating the Faucet in a BOX script
    solved
There are still some problems here.
1. "http://faucetsystem.com/check/" instead of "https://faucetsystem.com/check" is used as the base for the balance check for users.
2. in "update_faucetinabox_r66_plus" you set 'verify_peer' => false in services.php. That breaks all security; you can just as well use plain http. What's more, setting it like that in services.php means that it applies to all services, not just your FaucetSystem.com!

4. their login form is vulnerable to brute-force attacks
5. no password reset?
6. "I agree to terms and conditions" checkbox, but there's no link to the terms anywhere
7. fees for users (not just owners' deposits); that doesn't seem to be mentioned anywhere on the site, only here on the forum
    Several days and I'm fixing it

8. there are CSRF vulnerabilities on all forms! That's critical! It means that if someone can compel you to click anything on a random site while you're logged in to FaucetSystem.com, they can do pretty much any action on your account. Imagine that someone asks you to check his faucet, you click "Claim" on their faucet and suddenly the API keys of all your own faucets are disabled! I think that only password changing is protected (as it requires providing the old password).
    solved Thanks, Kazuldur.
Nice! With CSRF fixed we'll probably add FaucetSystem.com support officially in the next Faucet in a BOX version.

EDIT: Seems like ePay.info is going to be free: https://bitcointalk.org/index.php?topic=1149545.new;topicseen#new . Are you going to compete with that in any way?
Unless stated otherwise, all opinions are of my own, not FaucetBOX.com's.
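The 'verify_peer' => false setting Kazuldur objects to above is a stream-context option, and because services.php is shared by every payment backend, a weak context there downgrades all of them at once. The following is an added example (not FaucetSystem.com or Faucet in a BOX code) that puts the weak context beside a hardened one and refuses to send anything when verification is off. The host name and the cafile path are placeholders; the real endpoint and bundle location are whatever your deployment uses.

```php
<?php
// Added example, not code from FaucetSystem.com or Faucet in a BOX.
// Targets PHP 5.6+, where verify_peer and verify_peer_name default to true.

// Weak: equivalent to what the migration script reportedly put in services.php.
// Any machine between the faucet and the API can present any certificate and
// the request still "succeeds", so this is no better than plain http.
$weakOptions = array(
    'ssl' => array(
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ),
);

// Hardened: verify the chain against a CA bundle and check the name on the
// certificate against the host we meant to talk to.
function hardenedContextOptions($host, $caFile = null) {
    $ssl = array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'peer_name'         => $host,
        // Refuse anything older than TLS 1.2 (constant available since PHP 5.6).
        'crypto_method'     => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
    );
    if ($caFile !== null) {
        // Assumed path; point this at your distribution's bundle if the
        // system default is not picked up.
        $ssl['cafile'] = $caFile;
    }
    return array(
        'ssl'  => $ssl,
        'http' => array('timeout' => 10),
    );
}

// Guard for a shared services.php: fail closed if anyone has turned
// verification off, instead of silently downgrading every service.
function assertContextIsSafe(array $options) {
    $ssl    = isset($options['ssl']) ? $options['ssl'] : array();
    $peerOk = !isset($ssl['verify_peer'])      || $ssl['verify_peer'] === true;
    $nameOk = !isset($ssl['verify_peer_name']) || $ssl['verify_peer_name'] === true;
    if (!$peerOk || !$nameOk || !empty($ssl['allow_self_signed'])) {
        throw new RuntimeException('TLS verification is disabled; refusing to send API requests');
    }
}

// Usage. The host is the one discussed in the thread; the path is assumed.
$host    = 'faucetsystem.com';
$options = hardenedContextOptions($host);
assertContextIsSafe($options);           // passes
$context = stream_context_create($options);
// $body = file_get_contents("https://$host/api/check", false, $context);

try {
    assertContextIsSafe($weakOptions);   // throws: this is the setting to remove
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

With CloudFlare in front of the site, the "strict" mode Kazuldur recommends only helps if the origin presents a certificate CloudFlare can validate; a self-signed origin certificate forces "Full" mode, which encrypts the hop but does not authenticate the origin.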
BTCforJoe
November 17, 2016, 05:16:08 AM
Will I be able to withdraw my earnings without having to create an account?
~Bitcoin~
Legendary
Offline
Activity: 994
Merit: 1000
November 17, 2016, 05:46:53 AM
Looks like the faucet script is running without any issue; claimed at http://biciklo.xyz/

    Add bad ip blocking with refund payments

This sounds really useful, but refund payments may create lots of confusion as well as add lots of manual work for the administration team.
FaucetSystem.com (OP)
November 17, 2016, 07:30:18 AM
    1. "http://faucetsystem.com/check/" instead of "https://faucetsystem.com/check" is used as the base for the balance check for users
    2. in "update_faucetinabox_r66_plus" you set 'verify_peer' => false in services.php. That breaks all security; you can just as well use plain http. What's more, setting it like that in services.php means that it applies to all services, not just your FaucetSystem.com!

Solved. Thanks for your advice and suggestions, Kazuldur.

    Will I be able to withdraw my earnings without having to create an account?

Yes.

    This sounds really useful, but refund payments may create lots of confusion as well as add lots of manual work for the administration team.

Bot owners will be really confused.
freebitcoins4u
November 17, 2016, 08:09:35 AM
only 1 faucet on the list.......
FaucetSystem.com (OP)
November 17, 2016, 12:10:14 PM
AntibotInside. We save your money.

Download: FS_faucet_v2 script with AntibotInside integration
Demo #1: http://faucet.faucetsystem.com/
Demo #2: http://biciklo.xyz/
Requirements: PHP (5.6+ with standard extensions: pdo, curl, etc.), Apache with mod_rewrite, MySQL.
Licence: Free
Features:

Installation guide:
1) Download the faucet script and unzip the downloaded archive.
2) Create a MySQL database.
3) Import the SQL dump file (dump.sql in the archive) into MySQL (you can use phpMyAdmin to import a SQL dump file into your MySQL database).
4) Edit config.php (you can open and edit it using a plain text editor program like Notepad).
5) Upload all files from the directory to your server's public directory.
6) Grant the Apache web server write permissions for the "tmp" directory.
7) Open your website and go to the Admin Zone (default login: admin, default password: admin).
Cassielvandisse
November 17, 2016, 02:23:31 PM
Just now sent a deposit to start a faucet business with you. I really like your faucet.
Kazuldur
Legendary
Offline
Activity: 971
Merit: 1000
November 17, 2016, 04:08:21 PM
Is adding the "ip" parameter on send the only thing required to integrate with your AntibotInside?
Unless stated otherwise, all opinions are of my own, not FaucetBOX.com's.
FaucetSystem.com (OP)
November 17, 2016, 04:13:47 PM
    Is adding the "ip" parameter on send the only thing required to integrate with your AntibotInside?

Yes. It's the first phase. Second: adding statistical analysis.
Kazuldur
Legendary
Offline
Activity: 971
Merit: 1000
November 17, 2016, 04:14:31 PM
There's a vulnerability in your handling of IP addresses. The Ip::get() looks like this:

    foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_REAL_IP', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
        if (array_key_exists($key, $_SERVER) === true) {
            foreach (explode(',', $_SERVER[$key]) as $ip) {
                $ip = trim($ip); // just to be safe
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                    if ($_SERVER['SERVER_ADDR'] <> $ip) {
                        return $ip;
                    }
                }
            }
        }
    }
    return '127.0.0.1';

You're blindly trusting headers sent by the user. So I can for example do:

    curl --header "Client-IP: 8.8.8.8" http://somefaucet/ ...

And your script will think that the request came from IP address 8.8.8.8. Repeat that while changing the IP address and I can bypass your antibot system and your timer. Please please please buy a professional audit of all your code. If I can find such big issues in 5 minutes, people that really want to steal something will find many more.

    Is adding the "ip" parameter on send the only thing required to integrate with your AntibotInside?

    Yes. It's the first phase. Second: adding statistical analysis.

Thanks, we'll add it when integrating in Faucet in a BOX.
Unless stated otherwise, all opinions are of my own, not FaucetBOX.com's.
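The Ip::get() quoted above returns the first public-looking address found in any of eight headers, all of which a client can set with a single curl flag. The root cause is that a forwarding header is only meaningful if the TCP peer that sent it is a proxy you run or have explicitly configured. The following is an added example (not FaucetSystem.com code) of a resolver built on that rule: REMOTE_ADDR is the client unless it belongs to a trusted proxy, and only then is X-Forwarded-For consulted, walked from the right so that anything the client prepended is ignored. The TRUSTED_PROXIES values are constructed for the example; the code is IPv4-only and assumes 64-bit PHP for the mask arithmetic.

```php
<?php
// Added example, not FaucetSystem.com code. Resolves the client IP without
// trusting headers from the socket peer unless that peer is a known proxy.

// Constructed for this example: one reverse proxy on the LAN and one edge
// range. With CloudFlare in front of the faucet this list would be
// CloudFlare's published ranges, otherwise every visitor looks like the edge.
const TRUSTED_PROXIES = array('10.0.0.5', '198.51.100.0/24');

// IPv4-only CIDR match; relies on 64-bit integers for the mask.
function ipInCidr($ip, $cidr) {
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    list($subnet, $bits) = explode('/', $cidr, 2);
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function isTrustedProxy($ip) {
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// $server is a parameter so the function can be exercised with constructed
// input; in the faucet it is called as clientIp($_SERVER).
function clientIp(array $server) {
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : null;
    if ($peer === null || filter_var($peer, FILTER_VALIDATE_IP) === false) {
        throw new RuntimeException('no usable REMOTE_ADDR');
    }
    // Direct connection: the socket peer is the client, whatever the headers
    // say. Client-IP, X-Real-IP and friends are never read at all.
    if (!isTrustedProxy($peer)) {
        return $peer;
    }
    // Behind a trusted proxy: walk X-Forwarded-For right to left, skipping
    // hops we trust; the first untrusted hop is the real client.
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
                break; // malformed entry: stop walking and fall back to the proxy
            }
            if (!isTrustedProxy($hops[$i])) {
                return $hops[$i];
            }
        }
    }
    return $peer;
}

// Constructed requests. The first reproduces Kazuldur's curl line against a
// faucet that is not behind a proxy: the spoofed header is ignored.
$direct = array('REMOTE_ADDR' => '203.0.113.7', 'HTTP_CLIENT_IP' => '8.8.8.8');
echo clientIp($direct), PHP_EOL;   // 203.0.113.7

// Same spoof attempted through the trusted proxy: the proxy appended the
// real client on the right, and the attacker's prepended entry is skipped.
$proxied = array(
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '8.8.8.8, 203.0.113.7',
);
echo clientIp($proxied), PHP_EOL;  // 203.0.113.7
```

Two checks worth keeping in mind: the proxy must be configured to append, not pass through, X-Forwarded-For, and the resolved address is what should be handed to the API's "ip" parameter that the OP says AntibotInside relies on, since the antibot system can only be as good as the address it is given.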
Kazuldur
Legendary
Offline
Activity: 971
Merit: 1000
November 17, 2016, 04:29:30 PM. Last edit: November 17, 2016, 04:45:46 PM by Kazuldur
One more thing (sorry for spam). I've checked the postClaimThird method in the Guest controller, and it seems that you don't check whether the captcha was actually correctly solved in postClaimSecond. You don't store it in the session anywhere and you don't check it in postClaimThird. That means that I can just record what request is made on postClaimThird and then send requests directly to it, skipping the postClaimSecond part. Combine that with blindly trusting user headers and I can:
1. bypass captcha
2. bypass timer (by changing to fake IP addresses)
3. bypass your antibot (by changing to fake IP addresses)
I didn't test it though, so I may have missed some protection, but you should take a look at this.

EDIT: maybe focus on security, not features for now
Unless stated otherwise, all opinions are of my own, not FaucetBOX.com's.
FaucetSystem.com (OP)
November 17, 2016, 04:59:12 PM
Row 160: \Session::set('lc', md5(Secure::getRandomString(10))); This line erases the answer. You can load postClaimThird with the correct answer only one time. If you need to receive a new correct answer, you need to load postClaimSecond. Receiving the IP address is a painful issue.
grosminer
November 17, 2016, 06:07:27 PM
    There's a vulnerability in your handling of IP addresses. The Ip::get() looks like this:

        foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_REAL_IP', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
            if (array_key_exists($key, $_SERVER) === true) {
                foreach (explode(',', $_SERVER[$key]) as $ip) {
                    $ip = trim($ip); // just to be safe
                    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                        if ($_SERVER['SERVER_ADDR'] <> $ip) {
                            return $ip;
                        }
                    }
                }
            }
        }
        return '127.0.0.1';

    You're blindly trusting headers sent by the user. So I can for example do:

        curl --header "Client-IP: 8.8.8.8" http://somefaucet/ ...

    And your script will think that the request came from IP address 8.8.8.8. Repeat that while changing the IP address and I can bypass your antibot system and your timer. Please please please buy a professional audit of all your code. If I can find such big issues in 5 minutes, people that really want to steal something will find many more.

Please please please report security stuff in a PRIVATE msg to the dev, please. I don't think posting this here is a good idea.
Kazuldur
Legendary
Offline
Activity: 971
Merit: 1000
|
November 17, 2016, 06:10:29 PM
    Row 160: \Session::set('lc', md5(Secure::getRandomString(10))); This line erases the answer. You can load postClaimThird with the correct answer only one time. If you need to receive a new correct answer, you need to load postClaimSecond.

I'm not convinced. That covers your "Logical captcha". What if the owner disabled it and is only using reCaptcha/SolveMedia?

    Please please please report security stuff in a PRIVATE msg to the dev, please. I don't think posting this here is a good idea.

It's too early for it to have a big impact (it was released just a few hours ago) and these are so obvious that people have to be aware that there are serious security issues with FaucetSystem.com right now. And I also think it's good to show that the admin is open to reports and fixes them quickly. It's good PR if he handles it correctly.
Unless stated otherwise, all opinions are of my own, not FaucetBOX.com's.
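Kazuldur's two posts above make one point: the session 'lc' value only binds step 3 to the logical captcha's answer, so a faucet running reCaptcha or SolveMedia alone has nothing tying postClaimThird to a solved postClaimSecond, and a captured step-3 request can be replayed. The following is an added example (not FaucetSystem.com code) of the provider-independent fix: step 2 verifies whichever captcha is configured and stores a single-use claim token in the session; step 3 consumes that token once and pays only if it matched. The provider check is a stand-in (a constructed "logical" provider whose answer is 7); a real deployment calls the reCaptcha or SolveMedia verify endpoint there. Function and key names are this example's own.

```php
<?php
// Added example, not FaucetSystem.com code. Binds the payout step to a
// captcha solved in the previous step, whichever captcha provider is in use.
// Requires PHP 7.0+ for random_bytes (use openssl_random_pseudo_bytes on 5.6).

// Stand-in for the provider call. Constructed: the "logical" captcha's answer
// is fixed at '7'. Unknown providers never pass, so a misconfigured faucet
// fails closed rather than open.
function captchaSolved(array $post, $provider) {
    switch ($provider) {
        case 'logical':
            return isset($post['answer']) && $post['answer'] === '7';
        default:
            return false;
    }
}

// Step 2 (the role of postClaimSecond): verify the captcha, then issue a
// one-time token. Any earlier token is discarded first so a user cannot bank
// tokens by solving once and submitting step 2 repeatedly.
function claimSecond(array &$session, array $post, $provider) {
    unset($session['claim_token'], $session['claim_issued']);
    if (!captchaSolved($post, $provider)) {
        return null;
    }
    $token = bin2hex(random_bytes(16));
    $session['claim_token']  = $token;
    $session['claim_issued'] = time();
    return $token;   // rendered into the step-3 form as a hidden field
}

// Step 3 (the role of postClaimThird): pay only if a live token exists,
// matches, and is recent. The token is consumed on every attempt, matched or
// not, so each solved captcha buys exactly one payout attempt.
function claimThird(array &$session, array $post, $maxAgeSec = 300) {
    if (empty($session['claim_token']) || empty($post['claim_token'])) {
        return false;
    }
    $fresh = (time() - $session['claim_issued']) <= $maxAgeSec;
    $match = hash_equals($session['claim_token'], (string) $post['claim_token']);
    unset($session['claim_token'], $session['claim_issued']);
    return $fresh && $match;
}

// Constructed walk-through. $session stands in for $_SESSION.
$session = array();

// Replaying a recorded step-3 request without step 2: nothing to consume.
var_dump(claimThird($session, array('claim_token' => 'deadbeef')));   // false

// Honest flow: solve the captcha, get a token, redeem it once.
$token = claimSecond($session, array('answer' => '7'), 'logical');
var_dump(claimThird($session, array('claim_token' => $token)));       // true

// Replaying the same step-3 request: token already consumed.
var_dump(claimThird($session, array('claim_token' => $token)));       // false

// Wrong captcha answer: no token issued, step 3 cannot succeed.
var_dump(claimSecond($session, array('answer' => '3'), 'logical'));   // NULL
```

Because the token lives server-side in the session, this works unchanged with reCaptcha or SolveMedia: only the body of captchaSolved changes. The timer and the antibot "ip" parameter still need the client address resolved correctly, since a token stops replay of step 3 but does nothing about a client that looks like a new IP on every claim.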
BTCforJoe
November 17, 2016, 06:10:39 PM
    There's a vulnerability in your handling of IP addresses. The Ip::get() looks like this:

        foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_REAL_IP', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
            if (array_key_exists($key, $_SERVER) === true) {
                foreach (explode(',', $_SERVER[$key]) as $ip) {
                    $ip = trim($ip); // just to be safe
                    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                        if ($_SERVER['SERVER_ADDR'] <> $ip) {
                            return $ip;
                        }
                    }
                }
            }
        }
        return '127.0.0.1';

    You're blindly trusting headers sent by the user. So I can for example do:

        curl --header "Client-IP: 8.8.8.8" http://somefaucet/ ...

    And your script will think that the request came from IP address 8.8.8.8. Repeat that while changing the IP address and I can bypass your antibot system and your timer. Please please please buy a professional audit of all your code. If I can find such big issues in 5 minutes, people that really want to steal something will find many more.

    Please please please report security stuff in a PRIVATE msg to the dev, please. I don't think posting this here is a good idea.

It's not a bad idea, as long as the security flaw gets fixed. I, for one, love the transparency that Kaz is providing. It's rare to get support from such an expert, especially for free. For now, it just means that the transparency shows that there are security flaws with FaucetSystem. Good to know so early on.
grosminer
November 17, 2016, 06:23:12 PM
Well, I think that it's a good idea to report vulnerabilities but not to publish the technical details to everyone. People with working faucet bots don't come here and share their code, right? (Or if they do, it'll get deleted as soon as a mod finds it.)
My opinion.