[Pre Alpha] PHPCoin

[NothinG]

BTW, those "hacker forums" are normally like those guys who finish high school virgins; they make the hardest and most long shot attack look like the easiest thing around, yet they never actually did any, just like those boys who never actually got anyone but will jump on claim to had half of the school girls.

I love how you bring up the "hacker forums" talking about them being high school virgins.


I used to be one of the main PHP coder for our group on hack forums.
Hack Forums is not a hacking Forum, is a Social Network for Wannabe Hackers...
Gotta Love them though, and respect them for trying to help.

The Typical Hacker:
-) Had an above average grade in school (didn't do so well in history, excelled in math).
-) Over exaggerated number of girlfriends in high-school (probably 2-3 would be the truth, but they end up saying they had 10-20 girls).

The Hacker that Manipulates People:
-) Did well in Math (Thinks in Logic), had a decent grade in History (still hates it), loves English.
-) Exaggerates number of girlfriends by a little-bit but just enough to make you believe them (roughly 5-7).

...there are more, but that's about the only two categories I've been in.

[1715608875]

1715608875

[1715608875]

1715608875

[1715608875]

1715608875

[BCEmporium]

"Hacking" is actually do the things in an unorthodox way.

But my point was on "claim vs reality", not on how many gf a hacker has or not. I know those forums, it mostly goes around like:
- Let's strike xpto.com?
- Yeah! Yeah!
- They've a XSS/CSRF exploit
- Whow!!!! Easy picking! We will screw it!
...after 1.000.000 fails you got the two "hacker kinds":
Liar:
- I'm in!
- Sweet! Help us out.
- Oh shit! Just logged out. I'll teach you guys later, need to check the logs. (and wait this to be forgotten)
Honest:
- You guys up to DDoS it?

 

[Jine]

I've never actually been a member of a "hacking forum".

I never said any of those was hard to fix, i just told it should be done.
Insert a maximum length of 255 chars or something as password as well - and you don't ever have to.

BCEmporium:
1) IIRC from reading the source, NothinG don't sanitize any inputs at all - except for avoiding SQL injections.
I rest my case. You're stupid if you don't see that as a issue

Ps. I do work as a security consultant, but that is none of you business


EDIT:
Seriously tho, wtf is up with this forum? Each time i point out a security flaw in a system, i get tons of shit thrown at me.
Lets change strategies then, lets PROVE that everything i said is valid and can be exploitable.

Forget everything i said, and I'll public a few POC when I feel like it's time to do so

[BCEmporium]

For fuck sake, cannot SOMEONE learn to develop correctly structured PHP?

THIS...

I would ask otherwise, can't someone develop something wasting TIME and for FREE, without having some full of shit "security troll" to show around as an unwanted sort of "consultant"?

So next time, if you don't want shit thrown at you, don't throw at others.

[Xephan]

EDIT:
Seriously tho, wtf is up with this forum? Each time i point out a security flaw in a system, i get tons of shit thrown at me.

I think it's probably a pride thing. Most of us like to think we're good at what we're doing and to admit otherwise, can be difficult when it comes to certain things. I'm paranoid and fortunately don't think I'm a l33t programmer so anytime somebody points out a potential security flaw in my code, I'm definitely going to look at it first. I'd rather add a few more lines of code to plug a potential flaw than to write a few paragraphs to defend my pride and still leave a hole to potentially get screwed later. Admittedly, there are other things where I will find it a lot harder to accept criticism!

[BCEmporium]

Another thing, before your cast of "security wannabes", shouldn't you read the aim of the project first?

This project is initially designed to be used as frontend for Debian VM's - NOT as a webservice. Webservice will have a few differences in account features, such as captchas to prevent brutte forcing and other pwd security.

@Xephan;

I accept criticism, I DO NOT ACCEPT, is someone scratching his balls and just showing his face to say things like "for fuck sake you can't code". This ain't about being "infallible" or "too good", it's a matter of RESPECT others' work.

[Xephan]

@Xephan;

I accept criticism, I DO NOT ACCEPT, is someone scratching his balls and just showing his face to say things like "for fuck sake you can't code". This ain't about being "infallible" or "too good", it's a matter of RESPECT others' work.

I would agree that saying somebody can't code is a bit disrespectful. I hope I've not made any comment to that effect but only to highlight what I feel are potential pitfalls. As I said earlier in this thread, it's your project you can code it anyway you like regardless of what others like me may suggest. But if I did say anything to the effect of "you can't code", I would apologize for it.

On another issue, while your objective now is for it to be a private VM frontend, I was all along under the impression from your first post that it was intended to be used for public facing services as well. While you've made the point about certain additional changes to the code for those purposes, I would suggest that it would be more efficient and easier to maintain a single secured code base than two. You can always use options to turn off unneeded security such as captchas for use in an internal environment. This way, you wouldn't have to worry that a flaw in one may be exploited to get to the other.

[BCEmporium]

That won't be a branch, will be the same development, but because I don't have limitless free time, I'll start by cutting some issues in the private frontend and later input the remaining ideas for this project. The final project must be a single branch, with ability to enable/disable webservice's features, such as SHA1 pwd crypt (bad idea if your VM has just 128 Mb of RAM or less), captchas (senseless to connect to 192.168.x.x), and so on.

[SgtSpike]

Question.  I have this installed and running on a test server.  I sent myself 5 bitcents.  It has 57 confirmations now, but when I log in, I see this:

Balance 0.00000000 BTC 0.05000000 BTC 

with the 0.05 show in small italics.  I can't do anything with the coins, because my account balance is 0.

What does the little italics mean, and how do those coins make it into the account?

[BCEmporium]

The italic means "I already can see it, but still hasn't the required confirmations".

Change it from unconfirmed to confirmed (normal will be 0.05 and italic will back to 0.00) it's a job of the cron file. Don't forget to config the abspath on the cron.

[SgtSpike]

The italic means "I already can see it, but still hasn't the required confirmations".

Change it from unconfirmed to confirmed (normal will be 0.05 and italic will back to 0.00) it's a job of the cron file. Don't forget to config the abspath on the cron.

I... didn't know there was a cron to run.  That's probably why. 

[hamburger]

I... didn't know there was a cron to run. That's probably why. 

Great question - I also did not know this and was waiting for the change for a week now.

Q: Should we uncomment this line (as it is now) in the cron file to use the database specified confirmation;

//Checking for new deposits
  $accounts = $b->listaccounts((int)$config['confirmations']['value']);
  //$accounts = $b->listaccounts(1); //Test only

and do we need to set our Default account for sending to PC_MAIN or could we use any other address available.

Q: Any news on the admin section?

Thank you,

Hamburger

[SgtSpike]

Lol, I don't even have the cron folder.  I should probably update to the latest version... 

[BCEmporium]

You can get the latest source from https://github.com/BCEmporium/PHPCoin

The cron folder is phpcoin-cron, you should copy it somewhere outside the webroot and config the abspath to the installation.

The main account can be changed on the database still.

[hamburger]

Hi,

Do any of you perhaps know why I would get a Internal Server Error when I create a new account or when I log out?

Thank you,

Hamburger

[BCEmporium]

Hi,

Do any of you perhaps know why I would get a Internal Server Error when I create a new account or when I log out?

Thank you,

Hamburger

Look in the error.log of your server. The answer must be there. Maybe a misconfiguration, that error is common within miss .htaccess configs

[BCEmporium]

I thought this project to be dead due to lack of interest, but two weeks ago an user emailed me a mysqli patch to it, meanwhile I forgot my GitHUB pass to put it up there and now someone else connects this project to some deepweb market with its admin saying that I helped him. Checked my contacts made through here and still can't figure where or how.
What a mess! 

[Raoul Duke]

I thought this project to be dead due to lack of interest, but two weeks ago an user emailed me a mysqli patch to it, meanwhile I forgot my GitHUB pass to put it up there and now someone else connects this project to some deepweb market with its admin saying that I helped him. Checked my contacts made through here and still can't figure where or how.
What a mess! 

lolwut? lol
I think we need more details. Especialy if you want us to help you find out where or how(what?)...

[BCEmporium]

Nvm, there is some people saying I helped on creating a deepweb market or even own or made it, because it's code leaked and the structure is similar to my project here. What would be funny taken I started to make a market for the regular web, bcommerce, but never actually finished it. I also don't remember to help anybody about this project outside this thread but I usually answer to common questions about PHP, could be that.
And about the index/switch structure it's also part of some commercial frameworks, like webassist.
I guess I should look on the bright side and get happy that apparently my code styling is strong enough for the deepweb, but sucks to see my name attached to people I wouldn't touch with a 10 feet pole!