Thread: Major Additions - Casino (w/ 10 player poker)
View Single Post
  #2482  
Old 01-09-2008, 03:33 AM
Raptor Raptor is offline
 
Join Date: Nov 2001
Posts: 499
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
one of our members discovered a bug that allows any member to steal money from someone elses account using the donate cash function because it just relies on a simply GET request in the form of

Code:
casino.php?recipients=fusen&amount=100&do=donate&donate=Donate
you can force users to give cash by simply abusing the fact the a forum allows html.

by using a
Code:
<img src="casino.php?blahblah" height="0" width="0">
no one can see what's happening but every visit will force a donate through as long as the page viewer has enough cash.

to do a simple fix simply make the donate check code make sure that the form was sent via POST and not GET, still because the forum allows for HTML you could get past this still be creating a hidden form that is automatically submitted on pageload that can then force a POST request.

I'd say the safest securist method would be to create a hash inside the form in a hidden variable that is something like your username salted with a random word that is checked on the donate processing bit.

I can confirm this backdoor is there - as I discovered this particular member stealing $1000's from others' accounts.

Please fix asap
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01132 seconds
  • Memory Usage 1,764KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_code
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete