one of our members discovered a bug that allows any member to steal money from someone elses account using the donate cash function because it just relies on a simply GET request in the form of

you can force users to give cash by simply abusing the fact the a forum allows html.

by using a no one can see what's happening but every visit will force a donate through as long as the page viewer has enough cash.

to do a simple fix simply make the donate check code make sure that the form was sent via POST and not GET, still because the forum allows for HTML you could get past this still be creating a hidden form that is automatically submitted on pageload that can then force a POST request.

I'd say the safest securist method would be to create a hash inside the form in a hidden variable that is something like your username salted with a random word that is checked on the donate processing bit.

I can confirm this backdoor is there - as I discovered this particular member stealing $1000's from others' accounts.

Please fix asap

Thanks for the help Andrew!

I can make that change, but I'm gonna be honest. If your allowing members to post html, you got far bigger security risks then stealing cash...

I would very, very strongly recommend you turn html posting off before something more important then casino cash gets swiped.

The texasholdem_modgroups record was missing from the casino_settings table so when I added the usergroup for moderation of Texas Holdem, it was not updating the field in the CP. After adding the record to the table, I'm still not able to /kick people out of Texas Holdem. I'm guessing some code is missing too.

what about being able to embed code such as youtube videos? its a popular feature.

id appreciate the change anyway - thanks

embedding youtube videos? there's so many mods and bbcodde additions that do that, if youtube videos are your only reason for allowing html, then u really should look into those here on vb.org! Also, jelsoft themselves (the company that makes vBulletin) warns against allowing html in posts...

Then you'd want to set up a bbcode to do the embedding, or use the auto media embeding product. If you let them embed youtube videos, then they can also embed things a lot more malicious. Only a matter of time before someone starts hijacking accounts or worse.

Andrew,

Any ideas why that /kick feature is not working in Texas Holdem? I posted a little earlier about the texasholdem_modgroups record missing from the table and wondered if this is possibly due to some code missing from the release.

haven't had a chance to think about it, works for me on my sites. You have the usergroupid set up properly? Does it show anything when you type it in in the chat box?

Thanks Freesteyelz

Np. :)

help, i installed, but i dont see the casino catagory in the admincp.
i re-downloaded and reinstalled it a couple of times, and it's still not there. i refreshed the page and i still cant see it. i installed ver .90 and it was a fresh install, i did not upgrade from an older version.
the link works in the navbar, but i have no control since i cant see it in the admincp.
any ideas?
thanks

update: problem was that not everything got uploaded correctly, it was cancelling out half ways through because somehow a file named index.html~ had a special character in it and wouldn't let it finish the upload, i excluded that file and installed the rest of them and it works now.

Nope. When I type /kick <username>, nothing shows up in the chatbox. What happens if a user has a space in their name?

When you say do I have the usergroup set properly, you're talking about the usergroup ID in the game's settings in the CP right?

I had to add that field to the table, so I think the code required to make it work is missing too.

Installed .90 in admincp. It shows in manage product and doesnot have folder to edit script to show on forum page. Did i mess up with the upload. very confused. Any help would be appreciated. Thanks Dave

Can we block certain usergroups in the Hold'em room on v.9? We hold tourneys on Saturday nights and I have created a usergroup specifically for the tournament, and i block every other usergroup out durring the tourney. We do a $500 buy in (for 2000 chips), and I don't want stragglers to wander in and block users who registered for the tourney. I would hate to have to revert back to v.71, as .9 appears to have eliminated my card flicker issues.

oh noesss!!!

Dealer Blackjack vs player blackjack = player lose!

My forum is set at a width of 950 pixels. I noticed last night that the casino game is stretching beyond that size. Is there a setting I've missed somewhere? (using V.90)

Here's a link to a screen shot.

http://4x4s-on-the.net/stretch.jpg

Did you follow all of the steps in the readme file?


Yes, each game has a permissions setting in the game settings. This overrides the default setting, so just put the user group id in there.

Try it with less chips in use ;)

@Geeps:

Or you can edit the templates as I have. A couple of my styles are 860px width so I scaled down the size of the images and adjusted the placements of them. Attachments below:

I removed a couple of the chips for now. I like your idea of scaling them down like you did.

If you want help let me know. I didn't document what I did but I know where I made the edits. I'll have to do it when I get back, though. :)

[QUOTE=Andrew Green;1419154]Did you follow all of the steps in the readme file?

Yes I Did, I have Casino .90 Casino for VBulletin and when I open edit box it shows Help Existing Install/Uninstall Code .1,.11,.12 and so on too 0.90. Can't get to step 4. Go to the casino options in the admincp, under lottery setup. Thanks Dave

i am more interested in the texas hold em
and the sports betting pool
can the betting pool be used to run a in house football tipping comp
i cant see the demo in the link you have
if someone has another demo i can look at please let me know

i need 8 games
team 1 v team 2 and so on
be able to choose 1 and then i can go through at the end of the week and input winners
and scores add up

is this something like the betting pool

daniel d

Hi,
I have made the translation in Italian
for italian user :D
Link

So do we put the usergroups that are allowed in the permissions, or the groups that are denied, Andrew?

Hey Andrew, can you make a change to the sports betting? Right now I have 4 bets open with 10 options each. It would be extremely nice to be able to make your selections, click once, and have your bets entered.... rather than add bet, click, scroll down again to find your place, add bet, click, etc....

[QUOTE=dave9720;1419203]
That step is outdated, the lottery options are now under "Casino Games" -> "Lottery"

It's a betting module, you give a event a name, set possible outcomes and everyone bets on those outcomes. Once the event has happened you select the winner and it pays out to everyone that bet on that outcome.

The ones that are allowed, it's just a straight overwrite.

Thanks, I'll link that to somewhere less likely to get burried as well :)

I'll have a look at other options, more likely go with a AJAX solution though.

thanks Andrew, I appreciate your hard work!

@sandt38:

You place the Usergroups that you want to allow access. In the Casino Settings there's the global setting which is basically a "Yes" to allow access. In the Game Settings, however, you can override the global setting by indicating which Usergroups you want access for a particular game. Example:

Casino Settings:
2, 5, 6, 7 (This sets "Yes" for all games to Registered, Moderators, Super Moderators and Admins)

Game Settings (for Blackjack):
5, 6 (Only Super Moderators and Admins have access to Black Jack; but all other games 2, 5, 6, 7 will have access to)

[QUOTE=Andrew Green;1419718][QUOTE=dave9720;1419203]
That step is outdated, the lottery options are now under "Casino Games" -> "Lottery"

Deleted Files and Re Install 0.90 and now I get this message when I upload in admincp, manage product, product-casino.xml:confused:



Database error
The Forums database has encountered a problem.

--------------------------------------------------------------------------------

Please try the following:
Load the page again by clicking the Refresh button in your web browser.
Open the XXXXXX.com home page, then try to open another page.
Click the Back button to try another link.

The xoxoxoxo.com forum technical staff have been notified of the error, though you may contact them if the problem persists.

We apologise for any inconvenience.


Database error in vBulletin 3.6.8:

Invalid SQL:
ALTER TABLE user ADD casino_cash integer default 250;

MySQL Error : Duplicate column name 'casino_cash'
Error Number : 1060
Date : Friday, January 11th 2008 @ 08:29:13 PM
Script : http://xoxoxo.com/admincp/plugin.php?do=productimport
Referrer : http://xoxoxo.com/admincp/plugin.php?do=productadd
IP Address : xx.xxx.xx.xxx
Username : dave9720
Classname : vB_Database


Did what you posted in previous post and have casino in admincp manage product.

Shame on you for not reading the directions in the original post (see bolded text) or the readme that came with the mod!

USE THE SEARCH FUNCTION!!

Great support andrew :)

Does this work on vB 3.7.0, or have plans to make it work on that version?

Can you tell me how to correct this? What file to edit?
Did a search with no results. Thanks Dave

Database error in vBulletin 3.6.8:

Invalid SQL:

SELECT casino_cash
FROM user as abc
WHERE userid = 1;

MySQL Error : Unknown column 'casino_cash' in 'field list'
Error Number : 1054

No Dave, most of us cannot bring ourselves to repeating it for the 100th time for the ones that do not know how to search a thread or are too lazy to read back a page or two.

HINT: at the top of the thread choose "search mod"
enter "casino_cash" or "duplicate column name"

i also got this problem OK if you have this error and you have the archive mod installed that's what it seem to be
i just remove archive mod and works fine

Go to phpymyadmin, remove any tables that start with casino_, then remove the casino_cash field from your user table. Begin install again.


Which archive mod? If there is a conflict I can probably work around it.

And to the original problem, this has also happened to a few people where the files didn't get uploaded properly. Reupload, making sure that the new ones replace the old ones.

Until 3.7 gets out of Beta I'm going to continue working to get this out of Beta on 3.6, once it's done here, and 3.7 is final I'll make any updates that are needed and release a 3.7 version.

[QUOTE=Andrew Green;1420320]Go to phpymyadmin, remove any tables that start with casino_, then remove the casino_cash field from your user table. Begin install again.

New Error! I think i will pass on this hack. Thanks for your time. Dave
Database error in vBulletin 3.6.8:

Invalid SQL:
SELECT count(userid) AS np FROM casino_texasholdem_whoisin WHERE lastcheck > 1200176476;

MySQL Error : Table 'bestsate_vb.casino_texasholdem_whoisin' doesn't exist
Error Number : 1146
Date : Saturday, January 12th 2008 @ 04:21:46 PM
Script : http://xoxoxoxo.com/
Referrer :
IP Address : 71.188.98.125
Username : dave9720
Classname : vB_Database

Once your tables are removed, you do have to reinstall the product, otherwise you got no tables and get errors...