Pages:
Author

Topic: [100bit.co.in] Earn up to 0.1 BTC for finding bugs - page 2. (Read 7137 times)

sr. member
Activity: 714
Merit: 253
suggestion

> add photo profile in seting
> change dashboard [ because your dashnboard is doesnt interesting ]
> add new feature on your site [ like  forum on your site ]
>  can sell LTC
>  enable contac seller for discount or anything *lol



_________

for bug .. i think its doesnt bug in  your site again 

_______
ask

03AHJ_Vuu3FUG45V4jKXui9Csz8rHSgdjqULKk9jIt71lGp1uyeoCJXG8QVr0TBcwRqRA0pjJkJMkXo l2rVc-ahk5Ojl1hzcZ9G0r0MPkvePeJd_AueZwA7wgmcTKhAC039YtGTPiytye6hYJlRRwBt9xSCUG4zO3D7i0aXikE9e64ojGloq7f_Pz-3GWEfxeKgKzvZlVWcCSL078cHcO35cWhgczdocyLm8TgCqxAJdurAAf8N73J9tmQNZgm-9nFyaNtwS2ptNS_kjlbzuMohpV4fcm8tgu1CA

what is that it show  up after in password after write captcha your  site say " please copy this ... "
sr. member
Activity: 860
Merit: 423
I can register with multiple emailids (sepearated by commas) in registration page

This one is expected to be fixed now. Please check at your end and let us know. Also, please provide your bitcoin address for a small bounty.
full member
Activity: 128
Merit: 100
in seting we cant edit our user id ?
i think you need add this seting ,, cause i cant remember my user id

edit:

and ..
i found this


just click thats image from http://www.100bit.co.in/home.php

if you click thats image from http://www.100bit.co.in/trade.php or anything its back to http://www.100bit.co.in/home.php

but if you click from http://www.100bit.co.in/home.php it say " You are already logged in " its mean thats button for sign in to the site  

User ID is not editable. It is unique for every user. If you forget your User ID, it is always in your email inbox.

You have home button return to the user home page. Logo link is to return to the site's landing page. So, if you are logged in and click that logo, it'll always show you "You are already logged in".

None of the above are bug. Thanks for trying anyway...

i think its a bug , because at other site doesnt like that
here my address : 1JxXDzcnWk1sMR1JiG2agZeELEa6g95pXd  if you want to send some BTC

To me, these do not appear to be bug. These are more of improvement suggestion...
sr. member
Activity: 714
Merit: 253
in seting we cant edit our user id ?
i think you need add this seting ,, cause i cant remember my user id

edit:

and ..
i found this


just click thats image from http://www.100bit.co.in/home.php

if you click thats image from http://www.100bit.co.in/trade.php or anything its back to http://www.100bit.co.in/home.php

but if you click from http://www.100bit.co.in/home.php it say " You are already logged in " its mean thats button for sign in to the site  

User ID is not editable. It is unique for every user. If you forget your User ID, it is always in your email inbox.

You have home button return to the user home page. Logo link is to return to the site's landing page. So, if you are logged in and click that logo, it'll always show you "You are already logged in".

None of the above are bug. Thanks for trying anyway...

i think its a bug , because at other site doesnt like that
here my address : 1JxXDzcnWk1sMR1JiG2agZeELEa6g95pXd  if you want to send some BTC
sr. member
Activity: 860
Merit: 423
in seting we cant edit our user id ?
i think you need add this seting ,, cause i cant remember my user id

edit:

and ..
i found this


just click thats image from http://www.100bit.co.in/home.php

if you click thats image from http://www.100bit.co.in/trade.php or anything its back to http://www.100bit.co.in/home.php

but if you click from http://www.100bit.co.in/home.php it say " You are already logged in " its mean thats button for sign in to the site  

User ID is not editable. It is unique for every user. If you forget your User ID, it is always in your email inbox.

You have home button return to the user home page. Logo link is to return to the site's landing page. So, if you are logged in and click that logo, it'll always show you "You are already logged in".

None of the above are bug. Thanks for trying anyway...
sr. member
Activity: 714
Merit: 253
in seting we cant edit our user id ?
i think you need add this seting ,, cause i cant remember my user id

edit:

and ..
i found this


just click thats image from http://www.100bit.co.in/home.php

if you click thats image from http://www.100bit.co.in/trade.php or anything its back to http://www.100bit.co.in/home.php

but if you click from http://www.100bit.co.in/home.php it say " You are already logged in " its mean thats button for sign in to the site  
sr. member
Activity: 860
Merit: 423
what is this? http://www.100bit.co.in/admin , let me know if this helpful.
also maybe in 404 error page you should added text like " the page is not found " or something else

Like every user ID, admin ID can be seen as well. That is no bug.

404 error page is already in place - www.100bit.co.in/error404.php
hero member
Activity: 691
Merit: 569
I can register with multiple emailids (sepearated by commas) in registration page
full member
Activity: 121
Merit: 100
what is this? http://www.100bit.co.in/admin , let me know if this helpful.
also maybe in 404 error page you should added text like " the page is not found " or something else
legendary
Activity: 1456
Merit: 1002
At this point, I dont think theres any bugs to find.

I could be wrong, but the very basic ones that were obvious are long gone for some free btc lol. So anyone hoping to get it that way youre out of luck, its more of the indepth coder to see if its vulnerable or not.
full member
Activity: 211
Merit: 125
busting the bastards
Could not find any more bug. When do you plan to remove the warning from registration page ?
member
Activity: 141
Merit: 17
hey I have got a bug..I cannot view the captcha verification on my opera mini browser....but when I opened with the uc browser then I am able to view it....please fix this

I dont think they can do much about it. Google NoCaptcha ReCaptcha does not work on partial javascript browsers like Opera Mini or old IE browsers. That should not be counted as a bug. As such Google NoCaptcha ReCaptcha is a very safe and reliable one.
full member
Activity: 154
Merit: 100
hey I have got a bug..I cannot view the captcha verification on my opera mini browser....but when I opened with the uc browser then I am able to view it....please fix this
sr. member
Activity: 860
Merit: 423
Register is not working
When i clicked on activation email
Quote
Its redirecting to register page and doing nothing


It seems the registration page clearly states the following...

Quote
Warning! We are working on the system. New registration is disabled for now.

We have enabled new registration again...
member
Activity: 141
Merit: 17
Register is not working
When i clicked on activation email
Quote
Its redirecting to register page and doing nothing


It seems the registration page clearly states the following...

Quote
Warning! We are working on the system. New registration is disabled for now.
hero member
Activity: 691
Merit: 569
Register is not working
When i clicked on activation email
Quote
Its redirecting to register page and doing nothing
sr. member
Activity: 860
Merit: 423
your captcha is too weak and is almost useless to prevent bruteforce attacks and attacks like creating lots of tickets as mentioned above. I would advise to use strong captcha.

It can be easily decoded with any OCR for example

Code:
https://code.google.com/p/tesseract-ocr/downloads/list

use tesseract-ocr-setup-3.02.02.exe

after installing this just run command

tesseract captcha.png decoded.txt -l eng

example:



It will be accurate 95% of times.

It is possible for an attacker to code some automated tool to launch bruteforce attacks, create 1000's of new users, create lot of supprot tickets etc.

thanks

How will the attacker create 1000's of new users ? It seems email authentication is required to create each user.

Yea he can't forgot about email authentication. But still this captcha beats the purpose of using captcha.

I already mentioned about using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users.

In addition to this, there are more vulnerabilities that have been unpatched.
1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable.
2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable.
3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless if you own it or not. This also has no CSRF or captcha protection on it.
4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other peoples interests as well.

I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found even though they were totally unique to the previous founds, I'm not going to waste anymore time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it.

If you reported it before me then you should get the bounty.

Can you please check if the bugs you mentioned still do exist in the system or they are fixed now ? Please do let us know if you can find any other bug. Please PM us with example. Also, please provide your bitcoin address...
full member
Activity: 168
Merit: 100
http://pachinko.games-bit.com/
your captcha is too weak and is almost useless to prevent bruteforce attacks and attacks like creating lots of tickets as mentioned above. I would advise to use strong captcha.

It can be easily decoded with any OCR for example

Code:
https://code.google.com/p/tesseract-ocr/downloads/list

use tesseract-ocr-setup-3.02.02.exe

after installing this just run command

tesseract captcha.png decoded.txt -l eng

example:



It will be accurate 95% of times.

It is possible for an attacker to code some automated tool to launch bruteforce attacks, create 1000's of new users, create lot of supprot tickets etc.

thanks

How will the attacker create 1000's of new users ? It seems email authentication is required to create each user.

Yea he can't forgot about email authentication. But still this captcha beats the purpose of using captcha.

I already mentioned about using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users.

In addition to this, there are more vulnerabilities that have been unpatched.
1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable.
2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable.
3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless if you own it or not. This also has no CSRF or captcha protection on it.
4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other peoples interests as well.

I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found even though they were totally unique to the previous founds, I'm not going to waste anymore time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it.


If you reported it before me then you should get the bounty.
legendary
Activity: 2310
Merit: 1047
Hey if you ever think about translating the webpage i can do Spanish and Romanian, English and between themselves.
Thanks.
member
Activity: 141
Merit: 17
Also there is a full path disclosure vulnerability in captcha.php

If you save the captcha image from this page and view in hex editor you can see the complete server path to the file.





Is it a bug ? How does it affect the service ? What harm an attacker can do by knowing the full path of captcha.php ?
Pages:
Jump to: