Bitcoin Forum
Author Topic: Vulnerability in mmcFE Manual Withdrawal Logic  (Read 1894 times)
the1silverwolf (OP)
June 09, 2013, 06:00:52 AM #1

To: Any pool operator using mmcFE or any one of a dozen derivative forks.

A vulnerability has been discovered in the manual withdrawal logic that can allow withdrawals to be duplicated.

The vulnerability is in accountdetails.php.

Essentially, firing off several withdrawal requests in less than a second can sometimes allow multiple withdrawals to be processed, resulting in duplicate payments being sent before the first one completes and the user's account balance is set to 0.

You should disable manual withdrawal until you can code a workaround.

Details here: https://bitcointalk.org/index.php?topic=228419.msg2416246#msg2416246

Moderator: you might want to make this thread a sticky as there are tons of pools based upon this code.

--
the1silverwolf
Be very wary of relying on JavaScript for security on crypto sites. The site can change the JavaScript at any time unless you take unusual precautions, and browsers are not generally known for their airtight security.
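The race the post describes is a check-then-act window: the balance is read in one statement and zeroed in a later one, so two requests that both read before either writes both get paid. The following is an added example, not code from mmcFE or from this thread, written in Python against SQLite as a stand-in for the pool's PHP/MySQL stack; the table layout, the account and the amounts are constructed. It reproduces the duplicate payout with two requests held at a barrier until both have read the balance, then shows the fix: a single conditional UPDATE that zeroes the balance only if it still holds the value that was read, with a payout recorded only when that UPDATE actually changed a row.

```python
import os
import sqlite3
import tempfile
import threading


# Constructed sample ledger (not mmcFE's schema): one account owed 100 units,
# plus a payouts table standing in for the pool's outgoing-payment log.
def make_ledger():
    path = os.path.join(tempfile.mkdtemp(), "ledger.sqlite")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, balance REAL NOT NULL)")
    con.execute("CREATE TABLE payouts (id INTEGER PRIMARY KEY, user TEXT, amount REAL)")
    con.execute("INSERT INTO accounts VALUES ('alice', 100.0)")
    con.commit()
    con.close()
    return path


def _read_balance(con, user):
    # fetchall() exhausts the cursor, so the SELECT leaves no read lock behind
    rows = con.execute("SELECT balance FROM accounts WHERE user = ?", (user,)).fetchall()
    return rows[0][0]


def withdraw_vulnerable(path, user, barrier=None):
    """Check-then-act, the pattern the thread describes: read the balance,
    then pay it out and zero the account in later statements. Two requests
    that both read before either writes will both pay out the full amount."""
    con = sqlite3.connect(path, timeout=10)
    bal = _read_balance(con, user)
    if barrier is not None:
        barrier.wait()  # hold both requests here until both have read the balance
    if bal > 0:
        con.execute("INSERT INTO payouts (user, amount) VALUES (?, ?)", (user, bal))
        con.execute("UPDATE accounts SET balance = 0 WHERE user = ?", (user,))
        con.commit()
    con.close()


def withdraw_safe(path, user, barrier=None):
    """Compare-and-swap: zero the balance in one conditional UPDATE and record
    a payout only if that UPDATE changed a row. The second request finds the
    balance already 0 and pays nothing."""
    con = sqlite3.connect(path, timeout=10)
    bal = _read_balance(con, user)
    if barrier is not None:
        barrier.wait()
    cur = con.execute(
        "UPDATE accounts SET balance = 0 WHERE user = ? AND balance = ? AND balance > 0",
        (user, bal),
    )
    if cur.rowcount == 1:
        con.execute("INSERT INTO payouts (user, amount) VALUES (?, ?)", (user, bal))
        con.commit()
    else:
        con.rollback()  # another request already took this balance
    con.close()


def run_concurrent(path, withdraw, user="alice", n=2):
    """Fire n withdrawal requests that all read before any writes, then report
    (total paid out, remaining balance)."""
    barrier = threading.Barrier(n)
    errors = []

    def worker():
        try:
            withdraw(path, user, barrier)
        except Exception as exc:  # surface thread failures to the caller
            errors.append(exc)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    if errors:
        raise errors[0]
    con = sqlite3.connect(path)
    paid = con.execute("SELECT COALESCE(SUM(amount), 0) FROM payouts").fetchall()[0][0]
    remaining = _read_balance(con, user)
    con.close()
    return paid, remaining


if __name__ == "__main__":
    print("vulnerable:", run_concurrent(make_ledger(), withdraw_vulnerable))  # (200.0, 0.0)
    print("safe:      ", run_concurrent(make_ledger(), withdraw_safe))  # (100.0, 0.0)
```

The same shape carries over to MySQL: an `UPDATE ... WHERE user = ? AND balance = ? AND balance > 0` followed by an affected-rows check, or a `SELECT ... FOR UPDATE` inside a transaction so the second request blocks and then re-reads a zero balance. Either way the decision to pay is made by the database in one step rather than by PHP code acting on a value it read earlier, and a payout row that has no matching balance change becomes the thing to look for when auditing the ledger.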
John (John K.)
June 09, 2013, 07:15:44 AM #2

Stickied for the time being.
NetcodePool
June 14, 2013, 09:23:36 PM #3

Check your ledger for debit_atp. You may find double payments there as well.

netcodepool.org
bernard75
June 15, 2013, 09:25:51 PM #4

Wow, that's some serious shit.
fcmatt
June 26, 2013, 02:15:27 AM #5

Here is a quick fix that I posted in this thread.
One might want to clean it up a bit so you do not reuse variable names, but it does work fine.

https://bitcointalk.org/index.php?topic=239207.msg2533156#msg2533156
John (John K.)
July 05, 2013, 05:15:36 PM #6

I guess it should be pretty much seen and solved by all pool OPs by now. Unstickied for the time being.