canth
Legendary
Offline
Activity: 1442
Merit: 1001
|
|
January 16, 2014, 07:36:45 PM |
|
So wait a minute, first there is a flaw in trades that awards double coins and then there's a flaw where all of the trade histories are off? Really, for someone that wants to provide a trusted service like an exchange to the public you don't seem to be taking much ownership in your own product.
I know this:
- I deposited .3 BTC.
- I bought .1 BTC worth of 42 at approximately 33BTC per 42 and received .003 42
- I sold .0026 forty two for over 1100BTC per 42 or around 3 BTC
<here's where you post that you got hacked>
- I withdrew my .5 BTC and .00037 42
Forget anything else...I had a value of over 3BTC in my account and it's not in my withdrawal history. I would like you to give a rat's ass about the facts - if you don't, then how the hell do you expect anyone to trust you ever again?
I admire your patience and self control with that reply. I would be pissed as hell if I was spoken to like that after being robbed.
he's a fucking liar. he wasn't robbed.
My patience is wearing thin. Post the transactions in my account if you're going to make accusations - I've used the transaction history and you say that your own system isn't to be trusted. What is the public supposed to think about that?
my patience wore thin a long time ago buddy. you weren't cheated out of anything, you post blatant lies, there's your account history.
Wow - you've got a lot of balls saying that someone with no history of scamming is an extortionist liar. Do you deny the following?
1) Deposit .3 BTC. https://blockchain.info/tx/2a674cfa8ff5659968e5886eff6fe3be14c0367fac5827dc1692c6040478c728
2) Buy 42 with .1 BTC @ 33 BTC/42
3) Sell 0.0026 42 for 1100-1390 BTC ea for a total of 3BTC
Take my request for an answer seriously or you might as well kiss your business goodbye. No one will trade on an exchange with poor customer service, never mind the way that you're acting now.
|
|
|
|
r3wt (OP)
|
|
January 16, 2014, 07:47:31 PM |
|
So wait a minute, first there is a flaw in trades that awards double coins and then there's a flaw where all of the trade histories are off? Really, for someone that wants to provide a trusted service like an exchange to the public you don't seem to be taking much ownership in your own product.
I know this:
- I deposited .3 BTC.
- I bought .1 BTC worth of 42 at approximately 33BTC per 42 and received .003 42
- I sold .0026 forty two for over 1100BTC per 42 or around 3 BTC
<here's where you post that you got hacked>
- I withdrew my .5 BTC and .00037 42
Forget anything else...I had a value of over 3BTC in my account and it's not in my withdrawal history. I would like you to give a rat's ass about the facts - if you don't, then how the hell do you expect anyone to trust you ever again?
I admire your patience and self control with that reply. I would be pissed as hell if I was spoken to like that after being robbed.
he's a fucking liar. he wasn't robbed.
My patience is wearing thin. Post the transactions in my account if you're going to make accusations - I've used the transaction history and you say that your own system isn't to be trusted. What is the public supposed to think about that?
my patience wore thin a long time ago buddy. you weren't cheated out of anything, you post blatant lies, there's your account history.
Wow - you've got a lot of balls saying that someone with no history of scamming is an extortionist liar. Do you deny the following?
1) Deposit .3 BTC. https://blockchain.info/tx/2a674cfa8ff5659968e5886eff6fe3be14c0367fac5827dc1692c6040478c728
2) Buy 42 with .1 BTC @ 33 BTC/42
3) Sell 0.0026 42 for 1100-1390 BTC ea for a total of 3BTC
Take my request for an answer seriously or you might as well kiss your business goodbye. No one will trade on an exchange with poor customer service, never mind the way that you're acting now.
I'm trying to figure out how 3 btc just disappeared from your account. sounds like a bunch of fud to me. I'm going to sleep. when i wake up, i will workbench into the server and investigate the backups. it looks to me like there might be something missing from the records somehow. there is something i think may have happened, but i'm not for sure yet. i haven't added up the numbers exactly or sorted your buys sells to get an accurate number. when i figure it out, i will get back with you. fair enough?
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
canth
Legendary
Offline
Activity: 1442
Merit: 1001
|
|
January 16, 2014, 08:10:52 PM |
|
I'm trying to figure out how 3 btc just disappeared from your account. sounds like a bunch of fud to me. I'm going to sleep. when i wake up, i will workbench into the server and investigate the backups. it looks to me like there might be something missing from the records somehow. there is something i think may have happened, but i'm not for sure yet. i haven't added up the numbers exactly or sorted your buys sells to get an accurate number. when i figure it out, i will get back with you. fair enough?
My account has very few trades - essentially 1 deposit and a round trip buy 42/sell 42 and then a withdrawal - it'll be easy to see. Get some sleep, do your investigation and get back to me, please.
|
|
|
|
r3wt (OP)
|
|
January 17, 2014, 01:13:28 PM |
|
Open again. We encourage only small deposits while we continue to test and make sure everything works as it's supposed to. thanks for putting up with our miscues. we hope to put that in the past if possible.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
hiksush2
Newbie
Offline
Activity: 12
Merit: 0
|
|
January 17, 2014, 06:42:46 PM |
|
Open again. We encourage only small deposits while we continue to test and make sure everything works as it's supposed to. thanks for putting up with our miscues. we hope to put that in the past if possible.
Do not use this exchange. It is utterly insecure and you're throwing away any coins you deposit. There is no fixing the code on this one, it's fundamentally insecure. See my main post at: https://bitcointalk.org/index.php?topic=414777.msg4508656#msg4508656
|
|
|
|
r3wt (OP)
|
|
January 17, 2014, 06:54:20 PM |
|
Open again. We encourage only small deposits while we continue to test and make sure everything works as it's supposed to. thanks for putting up with our miscues. we hope to put that in the past if possible.
Do not use this exchange. It is utterly insecure and you're throwing away any coins you deposit. There is no fixing the code on this one, it's fundamentally insecure. See my main post at: https://bitcointalk.org/index.php?topic=414777.msg4508656#msg4508656
you could have said that without being a condescending douche. you must lead a sad and depressing life.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
BBQminter
Newbie
Offline
Activity: 26
Merit: 0
|
|
January 17, 2014, 06:56:34 PM |
|
I just saw all the posts about this exchange. I can't believe this person is already re-opening it. Hope none of you who are stupid enough to deposit money at this point end up losing it.
|
|
|
|
BBQminter
Newbie
Offline
Activity: 26
Merit: 0
|
|
January 17, 2014, 06:58:26 PM |
|
...less than 6 months of experience...
Then maybe you shouldn't be playing with anyone's money.
|
|
|
|
hiksush2
Newbie
Offline
Activity: 12
Merit: 0
|
|
January 17, 2014, 07:07:21 PM |
|
Open again. We encourage only small deposits while we continue to test and make sure everything works as it's supposed to. thanks for putting up with our miscues. we hope to put that in the past if possible.
Do not use this exchange. It is utterly insecure and you're throwing away any coins you deposit. There is no fixing the code on this one, it's fundamentally insecure. See my main post at: https://bitcointalk.org/index.php?topic=414777.msg4508656#msg4508656
you could have said that without being a condescending douche. you must lead a sad and depressing life.
r3wt's private message to me:
explain to me the point of preventing a client from echoing javascript into a get request? get requests get a resource, don't post any data. how exactly is that a security vulnerability? maybe you should read your own message...
https://openex.pw/index.php?page=trade&market=''alert('You are an idiot.');
Oh r3wt, sweet naive r3wt. If anyone wants a laugh in general about this "exchange", I'm including its "terms of service" below.
OpenEx.pw Terms And Conditions
SITE RULES
1. GENERAL GUIDELINES
A. HACKING: Strictly Prohibited. 10 entries of an account, or ip in ACCESS_DENIED Results in Immediate Ban, and Forfeiture of Funds. No questions asked, No Refunds Given.
B. API ABUSE: No Ban, but warnings will be given for unruly, excessive use of the API.
C. STAFF MEMBER ABUSE: 30 Day Chat Ban, 10 Day site ban. Don't be stupid.
D. ABUSE OF SUPPORT SYSTEM: 10 Day Site Ban.
E. BAN EVASION: ARIN REPORT, VPN Public Record Request.
F. TOR USE: USE OF THE ONION ROUTER AND TOR PROXIES IS STRICTLY PROHIBITED ON THIS WEBSITE. YOU PROBABLY ALREADY FOUND THAT OUT EH?
2. CHAT RULES
A. PERSONAL ATTACKS: Personal Attacks on other users are strictly prohibited of any kind. do so at the risk of being banned from the chat.
B. Spambots(Excluding Trading Bots) Spambots are prohibited. Account Ban's automatic through detection system.
C. CHAT SPAM: You may advertise in the chat, however you are asked to do so no more than 1 time an hour. Spamming a link every ten minutes will leave you subject to a 1 day ban, then 7, then lifetime. This does not apply to general conversations about a particular site or service, only to one liner advertisements, and walls of text promoting services/coins/ et al.
D. SCAMMING/Soliciting Sales of Prohibited or Risky Investments: Prohibited. Automatic chat ban.
E. BETTING: Do Not bet in chat. automatic 1 day chatban, no questions asked.
F. MUDSLINGING/LIBEL/FUD/Bullying: Do not post lies about other people, companies, or users. if you have a personal beef post about it on bitcointalk. no need for that here.
G. Speculation: You may freely speculate on the price of any currency, however you may not do so in excess of, or in an attempt to unload your baggage. Do not encourage others to buy any coins.
H. Trolling/Disruptive Behavior: This is not allowed, and is treated on a case by case basis. Do not harass other users. Chat messages are logged, and stored to a backup server for review.
I. FREEDOM OF SPEECH: OpenEx and its staff members encourage free discussion, however the aforementioned rules apply to this discussion in order to foster healthy debate and general quality of user experience within the chat. This being said, do not test us. we will act swiftly and without prejudice.
You just can't make up stuff this good. I'll give anyone 20:1 r3wt isn't older than 15.
|
|
|
|
r3wt (OP)
|
|
January 17, 2014, 07:22:31 PM |
|
^ just proven he isn't smart with money.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
mr_random
Legendary
Offline
Activity: 1344
Merit: 1001
|
|
January 17, 2014, 07:55:34 PM |
|
Opening back up already? We're supposed to believe you went from complete sysadmin noob to pro in 3 days?
Should have spent at least a month learning the stuff you don't know and patching up the holes in your code. But it's not your coins that get lost in a hack it's the people who deposit at your exchange so I guess you've got nothing to lose.
|
|
|
|
Starman22
Newbie
Offline
Activity: 42
Merit: 0
|
|
January 17, 2014, 08:05:45 PM |
|
Rather new to the whole scene, but just an observation it seems the operator is at least upfront about what is going on, and even states to trade with caution and deposit small amounts for now.
I will deposit a small, very small as I am just starting out, amount to check it out. I can't say any of the other exchanges offer anything too spectacular at this point, with maybe the exception of BTC-e, especially for trading the alts. So if nothing else, we should at least encourage these new exchanges to get up and running. More competition will be better for everyone.
|
|
|
|
r3wt (OP)
|
|
January 17, 2014, 08:11:31 PM Last edit: January 17, 2014, 08:27:10 PM by r3wt |
|
defeated the vulnerability. came from someone else's code which often happens on projects like this. fixed with javascript:
var MarketId = $(this).val(<?php echo($_GET['market']); ?>)
if (! MarketId.match(/^[^A-Za-z0-9+#\-\.]+$/)){
    //remove the inline js
    $(this).val(txt.replace(char, ''));
}
https://openex.pw/index.php?page=trade&market=%27%27;alert(%27You%20are%20an%20idiot.%27);
if you find any more vuln's let me know hiksuhn. i'll patch them all you claim to care so much about these people and their money, surely you must take it upon yourself to depart your superior knowledge on me? ROFL
edit: never mind it, doesn't work. it stops the input but interferes with a normal request too.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
r3wt (OP)
|
|
January 17, 2014, 08:46:15 PM |
|
well i broke down and googled but...
jsonencode when echoing the market id into js seems to work. i talked to Vern and he said it "should" work but a crafty attacker would figure that out too.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
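Editor's added example (not part of the thread and not OpenEx code): server-side handling of a `market` query parameter that gets echoed into inline JavaScript, combining an allow-list check with `json_encode` and its HEX flags. The function names `validate_market_id` and `js_literal`, and the assumed market-id format, are hypothetical; the second sample input is the decoded value from the URL quoted in the thread.

```php
<?php
// Added example, not OpenEx code. Assumption: market ids are short tokens
// made of letters, digits, '-' and '_' (the thread does not state the format).

/** Return the market id if it matches the allow-list, otherwise null. */
function validate_market_id($raw)
{
    if (!is_string($raw) || !preg_match('/\A[A-Za-z0-9_-]{1,16}\z/', $raw)) {
        return null;
    }
    return $raw;
}

/** Encode a PHP value as a JavaScript literal for use inside a <script> block. */
function js_literal($value)
{
    // The HEX flags turn < > & ' " into \uXXXX escapes, so the value cannot
    // end the string literal or the surrounding <script> element.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json = json_encode($value, $flags);
    if ($json === false) {      // encoding failed, e.g. invalid UTF-8 input
        return 'null';
    }
    return $json;
}

// Constructed sample inputs (the second is the decoded value from the thread's URL).
$samples = array('12', "'';alert('You are an idiot.');", 'a<b>&"c');

foreach ($samples as $raw) {
    $market = validate_market_id($raw);   // null means: reject the request
    echo "input:     ", $raw, "\n";
    echo "validated: ", var_export($market, true), "\n";
    // Even a rejected value is harmless once encoded as a JS string literal.
    echo "script:    var MarketId = ", js_literal($raw), ";\n\n";
}
```

The encoded literal is only safe in a `<script>` block; a value placed in an HTML attribute or in markup still needs `htmlspecialchars` with `ENT_QUOTES`.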
|
|
|
Ximp
Sr. Member
Offline
Activity: 336
Merit: 250
CS Student - BC Logo Guy
|
|
January 18, 2014, 07:04:18 PM |
|
Interesting project, interesting owner, and interesting thread.
|
|
|
|
gielbier
Sr. Member
Offline
Activity: 914
Merit: 250
Making Smart Money Work
|
|
January 18, 2014, 07:18:17 PM |
|
well i broke down and googled but...
jsonencode when echoing the market id into js seems to work. i talked to Vern and he said it "should" work but a crafty attacker would figure that out too.
Did you update git already? I'm more than willing to spend some of the few free hours I have working on the code. Also, how many skein are you still missing on the exchange, just PM me, I could fill some fund gaps on skein for you.
|
|
|
|
surfer43
Sr. Member
Offline
Activity: 560
Merit: 250
"Trading Platform of The Future!"
|
|
January 18, 2014, 07:38:20 PM |
|
Suggestion: change "From time to time your wallet addresses may change." to "After each deposit your deposit address will change".
|
|
|
|
capodes
Newbie
Offline
Activity: 33
Merit: 0
|
|
January 18, 2014, 08:09:43 PM |
|
I can help you with your site to repair vulnerabilities, you have a lot of them, For bounty (2BTC for each) i can help you:)
|
|
|
|
surfer43
Sr. Member
Offline
Activity: 560
Merit: 250
"Trading Platform of The Future!"
|
|
January 18, 2014, 08:16:39 PM |
|
|
|
|
|
r3wt (OP)
|
|
January 18, 2014, 08:35:03 PM |
|
i don't even have 1/20th of that right now.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
|