
Topic: [100bit.co.in] Earn up to 0.1 BTC for finding bugs - page 2. (Read 7091 times)

sr. member
Activity: 714
Merit: 253
suggestion

> add profile photo in settings
> change dashboard [ because your dashboard isn't interesting ]
> add new feature on your site [ like a forum on your site ]
> can sell LTC
> enable contact seller for discount or anything *lol



_________

For bugs .. I think there are no more bugs in your site

_______
ask

03AHJ_Vuu3FUG45V4jKXui9Csz8rHSgdjqULKk9jIt71lGp1uyeoCJXG8QVr0TBcwRqRA0pjJkJMkXo l2rVc-ahk5Ojl1hzcZ9G0r0MPkvePeJd_AueZwA7wgmcTKhAC039YtGTPiytye6hYJlRRwBt9xSCUG4zO3D7i0aXikE9e64ojGloq7f_Pz-3GWEfxeKgKzvZlVWcCSL078cHcO35cWhgczdocyLm8TgCqxAJdurAAf8N73J9tmQNZgm-9nFyaNtwS2ptNS_kjlbzuMohpV4fcm8tgu1CA

What is that? It shows up after the password, after writing the captcha; your site says "please copy this ..."
sr. member
Activity: 860
Merit: 423
I can register with multiple email IDs (separated by commas) in registration page

This one is expected to be fixed now. Please check at your end and let us know. Also, please provide your bitcoin address for a small bounty.
full member
Activity: 128
Merit: 100
In settings we can't edit our user ID?
I think you need to add this setting, because I can't remember my user ID

edit:

and ..
I found this


just click that image from http://www.100bit.co.in/home.php

if you click that image from http://www.100bit.co.in/trade.php or anything, it goes back to http://www.100bit.co.in/home.php

but if you click from http://www.100bit.co.in/home.php it says "You are already logged in"; it means that button is for signing in to the site

User ID is not editable. It is unique for every user. If you forget your User ID, it is always in your email inbox.

You have a home button to return to the user home page. Logo link is to return to the site's landing page. So, if you are logged in and click that logo, it'll always show you "You are already logged in".

None of the above are bugs. Thanks for trying anyway...

I think it's a bug, because other sites aren't like that
here is my address: 1JxXDzcnWk1sMR1JiG2agZeELEa6g95pXd  if you want to send some BTC

To me, these do not appear to be bugs. These are more of an improvement suggestion...
sr. member
Activity: 714
Merit: 253
In settings we can't edit our user ID?
I think you need to add this setting, because I can't remember my user ID

edit:

and ..
I found this


just click that image from http://www.100bit.co.in/home.php

if you click that image from http://www.100bit.co.in/trade.php or anything, it goes back to http://www.100bit.co.in/home.php

but if you click from http://www.100bit.co.in/home.php it says "You are already logged in"; it means that button is for signing in to the site

User ID is not editable. It is unique for every user. If you forget your User ID, it is always in your email inbox.

You have a home button to return to the user home page. Logo link is to return to the site's landing page. So, if you are logged in and click that logo, it'll always show you "You are already logged in".

None of the above are bugs. Thanks for trying anyway...

I think it's a bug, because other sites aren't like that
here is my address: 1JxXDzcnWk1sMR1JiG2agZeELEa6g95pXd  if you want to send some BTC
sr. member
Activity: 860
Merit: 423
In settings we can't edit our user ID?
I think you need to add this setting, because I can't remember my user ID

edit:

and ..
I found this


just click that image from http://www.100bit.co.in/home.php

if you click that image from http://www.100bit.co.in/trade.php or anything, it goes back to http://www.100bit.co.in/home.php

but if you click from http://www.100bit.co.in/home.php it says "You are already logged in"; it means that button is for signing in to the site

User ID is not editable. It is unique for every user. If you forget your User ID, it is always in your email inbox.

You have a home button to return to the user home page. Logo link is to return to the site's landing page. So, if you are logged in and click that logo, it'll always show you "You are already logged in".

None of the above are bugs. Thanks for trying anyway...
sr. member
Activity: 714
Merit: 253
In settings we can't edit our user ID?
I think you need to add this setting, because I can't remember my user ID

edit:

and ..
I found this


just click that image from http://www.100bit.co.in/home.php

if you click that image from http://www.100bit.co.in/trade.php or anything, it goes back to http://www.100bit.co.in/home.php

but if you click from http://www.100bit.co.in/home.php it says "You are already logged in"; it means that button is for signing in to the site
sr. member
Activity: 860
Merit: 423
What is this? http://www.100bit.co.in/admin , let me know if this is helpful.
Also, maybe in the 404 error page you should add text like "the page is not found" or something else

Like every user ID, admin ID can be seen as well. That is no bug.

404 error page is already in place - www.100bit.co.in/error404.php
hero member
Activity: 688
Merit: 565
I can register with multiple email IDs (separated by commas) in registration page
full member
Activity: 121
Merit: 100
What is this? http://www.100bit.co.in/admin , let me know if this is helpful.
Also, maybe in the 404 error page you should add text like "the page is not found" or something else
legendary
Activity: 1456
Merit: 1002
At this point, I don't think there are any bugs to find.

I could be wrong, but the very basic ones that were obvious are long gone for some free btc lol. So anyone hoping to get it that way, you're out of luck, it's more for the in-depth coder to see if it's vulnerable or not.
full member
Activity: 211
Merit: 125
busting the bastards
Could not find any more bugs. When do you plan to remove the warning from registration page ?
member
Activity: 140
Merit: 17
Hey, I have got a bug.. I cannot view the captcha verification on my Opera Mini browser.... but when I opened it with the UC Browser then I am able to view it.... please fix this

I don't think they can do much about it. Google NoCaptcha ReCaptcha does not work on partial JavaScript browsers like Opera Mini or old IE browsers. That should not be counted as a bug. As such Google NoCaptcha ReCaptcha is a very safe and reliable one.
full member
Activity: 154
Merit: 100
Hey, I have got a bug.. I cannot view the captcha verification on my Opera Mini browser.... but when I opened it with the UC Browser then I am able to view it.... please fix this
sr. member
Activity: 860
Merit: 423
Register is not working
When I clicked on activation email
Quote
It's redirecting to register page and doing nothing


It seems the registration page clearly states the following...

Quote
Warning! We are working on the system. New registration is disabled for now.

We have enabled new registration again...
member
Activity: 140
Merit: 17
Register is not working
When I clicked on activation email
Quote
It's redirecting to register page and doing nothing


It seems the registration page clearly states the following...

Quote
Warning! We are working on the system. New registration is disabled for now.
hero member
Activity: 688
Merit: 565
Register is not working
When I clicked on activation email
Quote
It's redirecting to register page and doing nothing
sr. member
Activity: 860
Merit: 423
Your captcha is too weak and is almost useless to prevent brute-force attacks and attacks like creating lots of tickets as mentioned above. I would advise to use a strong captcha.

It can be easily decoded with any OCR for example

Code:
https://code.google.com/p/tesseract-ocr/downloads/list

use tesseract-ocr-setup-3.02.02.exe

after installing this just run command

tesseract captcha.png decoded.txt -l eng

example:



It will be accurate 95% of the time.

It is possible for an attacker to code some automated tool to launch brute-force attacks, create 1000's of new users, create lots of support tickets etc.

thanks

How will the attacker create 1000's of new users ? It seems email authentication is required to create each user.

Yeah, he can't. Forgot about email authentication. But still, this captcha defeats the purpose of using a captcha.

I already mentioned about using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users.

In addition to this, there are more vulnerabilities that have been unpatched.
1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable.
2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable.
3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless if you own it or not. This also has no CSRF or captcha protection on it.
4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other people's interests as well.

I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found even though they were totally unique to the previous finds, I'm not going to waste any more time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it.

If you reported it before me then you should get the bounty.

Can you please check if the bugs you mentioned still do exist in the system or they are fixed now ? Please do let us know if you can find any other bug. Please PM us with example. Also, please provide your bitcoin address...
full member
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
Your captcha is too weak and is almost useless to prevent brute-force attacks and attacks like creating lots of tickets as mentioned above. I would advise to use a strong captcha.

It can be easily decoded with any OCR for example

Code:
https://code.google.com/p/tesseract-ocr/downloads/list

use tesseract-ocr-setup-3.02.02.exe

after installing this just run command

tesseract captcha.png decoded.txt -l eng

example:



It will be accurate 95% of the time.

It is possible for an attacker to code some automated tool to launch brute-force attacks, create 1000's of new users, create lots of support tickets etc.

thanks

How will the attacker create 1000's of new users ? It seems email authentication is required to create each user.

Yeah, he can't. Forgot about email authentication. But still, this captcha defeats the purpose of using a captcha.

I already mentioned about using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users.

In addition to this, there are more vulnerabilities that have been unpatched.
1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable.
2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable.
3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless if you own it or not. This also has no CSRF or captcha protection on it.
4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other people's interests as well.

I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found even though they were totally unique to the previous finds, I'm not going to waste any more time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it.


If you reported it before me then you should get the bounty.
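
Added example, not code from 100bit.co.in or from any poster in this thread: a ticket status handler that closes the gaps listed in items 1 to 4 above, using bound SQL parameters, an ownership check inside the write, a per-session CSRF token and POST only. The schema, function names and status codes are hypothetical, and Python with SQLite stands in for the site's PHP backend.

```python
import hmac
import secrets
import sqlite3

def make_db():
    # Constructed schema and rows; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner_id INTEGER, status INTEGER)")
    db.executemany("INSERT INTO tickets VALUES (?, ?, ?)", [(1, 10, 0), (2, 20, 0)])
    return db

def new_session(user_id):
    # Per-session CSRF token, issued at login and embedded in the site's own forms.
    return {"user_id": user_id, "csrf": secrets.token_urlsafe(32)}

def change_ticket_status(db, session, method, form):
    """Return an HTTP-style status code for a ticket open/close request."""
    # State changes must not ride on GET links such as ?mode=...&ticket_id=...
    if method != "POST":
        return 405
    # Reject cross-site requests: the submitted token must match the session's copy.
    sent = str(form.get("csrf", "")).encode()
    if not hmac.compare_digest(sent, session["csrf"].encode()):
        return 403
    try:
        ticket_id = int(form["ticket_id"])
        status = int(form["status"])
    except (KeyError, ValueError):
        return 400
    if status not in (0, 1):
        return 400
    # Bound parameters keep input out of the SQL text, and owner_id in the
    # WHERE clause makes the ownership check part of the write itself.
    cur = db.execute(
        "UPDATE tickets SET status = ? WHERE id = ? AND owner_id = ?",
        (status, ticket_id, session["user_id"]),
    )
    db.commit()
    # Same answer for "not yours" and "does not exist", so IDs cannot be enumerated.
    return 200 if cur.rowcount == 1 else 404

def ticket_status(db, ticket_id):
    row = db.execute("SELECT status FROM tickets WHERE id = ?", (ticket_id,)).fetchone()
    return row[0] if row else None
```

The same pattern applies to the interest deletion in item 4: scope the DELETE by the session's user ID rather than trusting the `id` parameter alone.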
legendary
Activity: 2296
Merit: 1047
Hey, if you ever think about translating the webpage I can do Spanish and Romanian, English and between themselves.
Thanks.
member
Activity: 140
Merit: 17
Also there is a full path disclosure vulnerability in captcha.php

If you save the captcha image from this page and view it in a hex editor you can see the complete server path to the file.





Is it a bug ? How does it affect the service ? What harm can an attacker do by knowing the full path of captcha.php ?
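
Added example, not from the thread or the site: a check a site owner can run on generated captcha images to find filesystem paths outside the pixel data and to re-emit the image without them. It assumes the captcha is a PNG and that the path sits in a text chunk or in bytes appended after the image (the post does not say where in the file it appears); the sample image and the paths in it are constructed.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
DROP = {b"tEXt", b"zTXt", b"iTXt", b"(trailing)"}
# Unix absolute paths or Windows drive paths, at least two components deep.
PATH_RE = re.compile(rb"(?:/[\w.-]+){2,}|[A-Za-z]:\\(?:[\w.-]+\\)+[\w.-]+")

def chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png):
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        if len(data) != length:
            raise ValueError("truncated chunk")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break
    if pos < len(png):
        # Bytes after IEND are ignored by viewers but visible in a hex editor.
        yield b"(trailing)", png[pos:]

def leaked_paths(png):
    """Return (chunk type, path) for path-like strings outside pixel data."""
    return [(t.decode("latin-1"), m.group().decode("ascii"))
            for t, d in iter_chunks(png) if t != b"IDAT"
            for m in PATH_RE.finditer(d)]

def strip_metadata(png):
    """Rebuild the PNG without text chunks or trailing bytes."""
    return PNG_SIG + b"".join(chunk(t, d) for t, d in iter_chunks(png) if t not in DROP)

def sample_png():
    # Constructed 1x1 grayscale PNG; the path below is made up for the demo.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    leak = b"Comment\x00generated by /srv/example/htdocs/captcha.php"
    return PNG_SIG + b"".join(chunk(t, d) for t, d in [
        (b"IHDR", ihdr), (b"tEXt", leak),
        (b"IDAT", zlib.compress(b"\x00\x00")), (b"IEND", b"")])
```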