vb.org Archive
Page 249 of 353 « First 149199239247248 249 250251259299349 Last »
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3.6 Add-ons (https://vborg.vbsupport.ru/forumdisplay.php?f=194)
-   -   Major Additions - Casino (w/ 10 player poker) (https://vborg.vbsupport.ru/showthread.php?t=159151)

Raptor 01-09-2008 03:33 AM
one of our members discovered a bug that allows any member to steal money from someone elses account using the donate cash function because it just relies on a simply GET request in the form of

Code:
casino.php?recipients=fusen&amount=100&do=donate&donate=Donate
you can force users to give cash by simply abusing the fact the a forum allows html.

by using a
Code:
<img src="casino.php?blahblah" height="0" width="0">
no one can see what's happening but every visit will force a donate through as long as the page viewer has enough cash.

to do a simple fix simply make the donate check code make sure that the form was sent via POST and not GET, still because the forum allows for HTML you could get past this still be creating a hidden form that is automatically submitted on pageload that can then force a POST request.

I'd say the safest securist method would be to create a hash inside the form in a hidden variable that is something like your username salted with a random word that is checked on the donate processing bit.

I can confirm this backdoor is there - as I discovered this particular member stealing $1000's from others' accounts.

Please fix asap

ArchangelX 01-09-2008 04:01 AM
Thanks for the help Andrew!

Andrew Green 01-09-2008 04:08 AM
Quote:
Originally Posted by Raptor (Post 1418139)
you can force users to give cash by simply abusing the fact the a forum allows html.
I can make that change, but I'm gonna be honest. If your allowing members to post html, you got far bigger security risks then stealing cash...

I would very, very strongly recommend you turn html posting off before something more important then casino cash gets swiped.

larrydavidow 01-09-2008 04:12 AM
The texasholdem_modgroups record was missing from the casino_settings table so when I added the usergroup for moderation of Texas Holdem, it was not updating the field in the CP. After adding the record to the table, I'm still not able to /kick people out of Texas Holdem. I'm guessing some code is missing too.

Raptor 01-09-2008 08:40 AM
Quote:
Originally Posted by Andrew Green (Post 1418160)
I can make that change, but I'm gonna be honest. If your allowing members to post html, you got far bigger security risks then stealing cash...

I would very, very strongly recommend you turn html posting off before something more important then casino cash gets swiped.
what about being able to embed code such as youtube videos? its a popular feature.

id appreciate the change anyway - thanks

rwilkins108 01-09-2008 09:14 AM
embedding youtube videos? there's so many mods and bbcodde additions that do that, if youtube videos are your only reason for allowing html, then u really should look into those here on vb.org! Also, jelsoft themselves (the company that makes vBulletin) warns against allowing html in posts...

Andrew Green 01-09-2008 12:59 PM
Quote:
Originally Posted by Raptor (Post 1418241)
what about being able to embed code such as youtube videos? its a popular feature.

id appreciate the change anyway - thanks

Then you'd want to set up a bbcode to do the embedding, or use the auto media embeding product. If you let them embed youtube videos, then they can also embed things a lot more malicious. Only a matter of time before someone starts hijacking accounts or worse.

larrydavidow 01-09-2008 03:10 PM
Andrew,

Any ideas why that /kick feature is not working in Texas Holdem? I posted a little earlier about the texasholdem_modgroups record missing from the table and wondered if this is possibly due to some code missing from the release.

Andrew Green 01-09-2008 03:30 PM
haven't had a chance to think about it, works for me on my sites. You have the usergroupid set up properly? Does it show anything when you type it in in the chat box?

Aeolian 01-09-2008 07:04 PM
Thanks Freesteyelz


All times are GMT. The time now is 03:05 PM.
Page 249 of 353 « First 149199239247248 249 250251259299349 Last »
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04629 seconds
  • Memory Usage 1,746KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_code_printable
  • (3)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (6)pagenav_pagelinkrel
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete