Thread: Major Additions - Casino (w/ 10 player poker)
  #3061  
Old 05-24-2008, 05:07 PM
Universal
 
Join Date: Sep 2006
Posts: 60
Thanked others: 0 times
Thanked: 0 times in 0 posts

Quote:
Originally Posted by dutchbb
***** ATTENTION ***** MAJOR BUG ALERT *****

!!! Money transfer / donation security bug !!!


How to duplicate:

1. Go to casino donation page, fill in your OWN name and the amount of money to donate.

2. On the next page you get an url like http://forum.myforum.com/c...&donate=Donate

3. Put this URL in http://tinyurl.com/ , it will give you a short version of the URL

4. Post somewhere on the forum this URL between IMG tags (or just URL tags)

5. Anyone who views the 'image' or clicks the URL will now donate to you

So the donation system needs a confirmation with password or something, well I don't know if that's needed but it obviously isn't secure at this point. We have it disabled until it is secure.


Thank you
Technically, IMO you should censor tinyurl.com on your forum as it can be used for menacing acts. Using tinyurl for phishing is one way people use it for this criminal act. Of course, you never really can know all the time where a tinyurl will lead you as well. Also, if you do not allow advertising on your forum and have banned certain sites, tinyurl can be used to bypass this ban. These are just some reasons I have found to censor it. :erm:
Reply With Quote
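The bug quoted above is a classic cross-site request forgery: the donation endpoint accepts a state-changing GET whose parameters name the recipient and amount, so any page that embeds the link (an IMG tag is enough) makes the viewer's browser submit it with the viewer's own session. The following is an added example, not code from this thread or from the casino mod or vBulletin; it models the reported handler beside a hardened one that only accepts a POST carrying a session-bound CSRF token and an explicit confirmation. All names (Session, Request, donate_vulnerable, donate_fixed, the csrftoken and confirm parameters) are assumptions for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session; the CSRF token lives here, never in the URL."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: dict          # query string or form fields
    session: Session      # resolved from the session cookie the browser sends


def transfer(balances, sender, recipient, amount):
    """Move funds between two accounts held in a plain dict (constructed data)."""
    if amount <= 0 or balances.get(sender, 0) < amount or recipient not in balances:
        return "error: invalid transfer"
    balances[sender] -= amount
    balances[recipient] += amount
    return "ok"


def donate_vulnerable(req, balances):
    """Mirrors the reported flaw: any request with recipient and amount is honoured,
    so a link forged by a third party donates on behalf of whoever loads it."""
    recipient = req.params["recipient"]
    amount = int(req.params["amount"])
    return transfer(balances, req.session.user, recipient, amount)


def donate_fixed(req, balances):
    """Hardened handler: POST only, session-bound CSRF token, explicit confirmation."""
    if req.method != "POST":
        return "error: donations must be submitted with POST"
    token = req.params.get("csrftoken", "")
    # compare_digest avoids leaking the token length/prefix through timing
    if not hmac.compare_digest(token, req.session.csrf_token):
        return "error: missing or invalid CSRF token"
    if req.params.get("confirm") != "1":
        return "error: confirmation required"
    recipient = req.params.get("recipient", "")
    amount = int(req.params.get("amount", "0"))
    return transfer(balances, req.session.user, recipient, amount)
```

The token is only reachable by a form the forum itself rendered into the victim's session, so a link or image planted in a post cannot carry it; the IMG-tag variant is additionally stopped by the GET rejection.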