Author

Topic: FaucetBOX.com Discussion - page 151. (Read 237020 times)

legendary
Activity: 1988
Merit: 1007
July 08, 2015, 03:02:39 AM
It doesn't look at all like a SQL Injection vulnerability, I really don't think that's what causing it. Why do you thinks it's a SQL Injection? I'd say it's rather some subtle error in code that calculates the reward or handles the timer or both. Either way it's probably not trivial and would require a lot of time and effort to fully analyze. You can't expect that I'll fix every random script out there, that's just impossible. I have FaucetBOX.com, Faucet in a Box script and ScanTheBOX.com to maintain, that's engaging enough.
If you don't mind me asking, what makes it not look like a SQL Injection vulnerability? From what I can see in the code, there is nothing to escape any of the strings before running them.

For example, on core.php at line 169 (In the default script from gitlabs, looking at another faucet owner's script from this vulnerability it seems to be line 300), this function is used to run any SQL querys throughout the script:
Code:
function sql_query($sql)
{
    global $mysqli;
    return $mysqli->query($sql);
}
It literally gets the connection from config.php and runs the query. If this is as simple as it looks and there are no escape strings, this is a huge error in the script.

Perhaps using something similar to this:
Code:
function sql_query($sql)
{
    global $mysqli;
    $sql = $mysqli->real_escape_string($sql);
    return $mysqli->query($sql);
}
Will solve the problem, as it escapes the string before continuing with the query.

Hearing thefaucetrunner talk about SQL injection made me think about this again and had me search through all of the files to try and find this function. Apologies for not finding it earlier.

Even with your code changes (such as escaping strings), there are many vulnerabilities still open. I'm actually somewhat surprised something as important as dealing with people's finances (in the sense that the script has access to the wallet's funds) is even using SQLi, much less in a very unsecure method. real_escape_string only prevents a small portion of injections from being possible, and if you really want to use that route, you should fix all of them.
sr. member
Activity: 864
Merit: 260
July 08, 2015, 02:25:59 AM
Why is my faucet Satoshi disappear even when I'm not crying?
legendary
Activity: 971
Merit: 1000
July 07, 2015, 02:05:47 PM
Hi, I noticed that clicking on banner ads inside ScanTheBox.com doesn't open the ad. Do you know how to fix or work around that  Huh

I found the reason... it's because the iframe is sandboxed and therefore link cannot open new tabs/windows. To fix it, ScanTheBox needs to be changed from
Code:
to
Code:

That's a known issue and we did block the popups and redirection deliberately. It prevents faucets from opening annoying popups and redirecting out from the rotator. We even give a warning to faucet users about that when they're adding their faucets to the rotator.

What we plan to do is adding a button for user like "Open this faucet in new window". Such window wouldn't be sandboxed then.
newbie
Activity: 20
Merit: 0
July 07, 2015, 08:24:37 AM
Hi, I noticed that clicking on banner ads inside ScanTheBox.com doesn't open the ad. Do you know how to fix or work around that  Huh

I found the reason... it's because the iframe is sandboxed and therefore link cannot open new tabs/windows. To fix it, ScanTheBox needs to be changed from
Code:
to
Code:
newbie
Activity: 20
Merit: 0
July 07, 2015, 06:34:50 AM
Hi, I noticed that clicking on banner ads inside ScanTheBox.com doesn't open the ad. Do you know how to fix or work around that  Huh
legendary
Activity: 971
Merit: 1000
July 06, 2015, 04:00:04 PM
After how long possibly broken disappears after satoshis enter your account?

6-8 hours after first successful payout.
newbie
Activity: 3
Merit: 0
July 06, 2015, 01:30:45 PM
After how long possibly broken disappears after satoshis enter your account?
sr. member
Activity: 864
Merit: 260
July 06, 2015, 01:52:26 AM
A feeling as if from my faucet steal bitcoin. And every day.  It's very suspicious! I just can not explain it to you.
full member
Activity: 500
Merit: 100
July 05, 2015, 10:02:53 AM
The best way is to log all the 4 points:
- GET requests (if you have access log you already have them).
- POST requests and their parameters.
- All the claims.
- All the cashouts.

There is no way for him to escape.

Ofc. changing the API key before you restart paying is a must.

This is all I can help without a look at the code.

Edit: I think this could be a bot. Yesterday someone posted a link to my website in a forum discussing "a bot not working anymore" (probably because some faucets got dry).

Putting some randomness in the faucet functionality may complicate their lives.
legendary
Activity: 971
Merit: 1000
July 05, 2015, 01:36:20 AM
It doesn't look at all like a SQL Injection vulnerability, I really don't think that's what causing it. Why do you thinks it's a SQL Injection? I'd say it's rather some subtle error in code that calculates the reward or handles the timer or both. Either way it's probably not trivial and would require a lot of time and effort to fully analyze. You can't expect that I'll fix every random script out there, that's just impossible. I have FaucetBOX.com, Faucet in a Box script and ScanTheBOX.com to maintain, that's engaging enough.
If you don't mind me asking, what makes it not look like a SQL Injection vulnerability? From what I can see in the code, there is nothing to escape any of the strings before running them.

This hack usually results in many small-to-moderate payouts to many addresses in time smaller than the timer. I guess it could be a result of SQL Injection, but why bother with something like that then? SQL Injection probably allows to just steal the API key from the database and I think that would be much easier.
legendary
Activity: 2352
Merit: 1268
In Memory of Zepher
July 04, 2015, 06:50:54 PM
It's half true: real_escape_string is not a silver bullet to protect against sql inject. google://sql+injection+with+mysql+real+escape+string.
If you always belive in realescapestring, you have in false safety.
The best way to go about it would probably be to use prepared statements, though that would take more complicated code to execute properly.
hero member
Activity: 525
Merit: 531
July 04, 2015, 06:27:28 PM
Perhaps using something similar to this:
Code:
function sql_query($sql)
{
    global $mysqli;
    $sql = $mysqli->real_escape_string($sql);
    return $mysqli->query($sql);
}
Will solve the problem, as it escapes the string before continuing with the query.
It's half true: real_escape_string is not a silver bullet to protect against sql inject. google://sql+injection+with+mysql+real+escape+string.
If you always belive in realescapestring, you have in false safety.

My goal is to check/verify the input before the sql code, and do not execute sql if it is not good (eg verifyaddress).
I have only two eyes, so if you find place where i dont check something, feel free to msg me Smiley

The hacked faucets used a modified versions from minifaucet, so we dont know the bug/sqlinject/whatever is in the original code or in the modified code. So we are just groping in the dark Sad

Did someone checked that modified code? At all, do someone have the modified code?

Elbandi
legendary
Activity: 2352
Merit: 1268
In Memory of Zepher
July 04, 2015, 04:32:33 PM
It doesn't look at all like a SQL Injection vulnerability, I really don't think that's what causing it. Why do you thinks it's a SQL Injection? I'd say it's rather some subtle error in code that calculates the reward or handles the timer or both. Either way it's probably not trivial and would require a lot of time and effort to fully analyze. You can't expect that I'll fix every random script out there, that's just impossible. I have FaucetBOX.com, Faucet in a Box script and ScanTheBOX.com to maintain, that's engaging enough.
If you don't mind me asking, what makes it not look like a SQL Injection vulnerability? From what I can see in the code, there is nothing to escape any of the strings before running them.

For example, on core.php at line 169 (In the default script from gitlabs, looking at another faucet owner's script from this vulnerability it seems to be line 300), this function is used to run any SQL querys throughout the script:
Code:
function sql_query($sql)
{
    global $mysqli;
    return $mysqli->query($sql);
}
It literally gets the connection from config.php and runs the query. If this is as simple as it looks and there are no escape strings, this is a huge error in the script.

Perhaps using something similar to this:
Code:
function sql_query($sql)
{
    global $mysqli;
    $sql = $mysqli->real_escape_string($sql);
    return $mysqli->query($sql);
}
Will solve the problem, as it escapes the string before continuing with the query.

Hearing thefaucetrunner talk about SQL injection made me think about this again and had me search through all of the files to try and find this function. Apologies for not finding it earlier.
legendary
Activity: 971
Merit: 1000
July 04, 2015, 04:24:07 PM
Well, the coins are coming out through Faucetbox with no probs, and myself and other faucet owners are still paying 3% fees for the service.

3% fee is for the network fees (and we're constantly lowering it as we manage to cut the network fees down). We get nothing from it, we live on ads.

I haven't sent you the script as I figured it was out of your role, I would be happy to if you want.

If you are allowed to redistribute it, send me a link to it on PM. But as I said, no guarantees and I won't find time for it in next couple days, so keep looking for someone who maybe will be able to fix that sooner.

And once again: why do you think it's a SQL Injection vulnerability? If you're correct than finding and fixing it should be fairly easy.
sr. member
Activity: 714
Merit: 250
Defend Bitcoin and its PoW: bitcoincleanup.com
July 04, 2015, 04:17:17 PM
#99
I appreciate that you are seperating yourself from the issue, but it'd be great if you guys were more involved in helping people out.

There are a LOT of faucets affected by this. It's an SQL injection problem, this is something you could assist with I'm sure. You just don't/won't look at the script to help us out!
And he has no reason to help you; it is not his script. Have you tried contacting Elbandi (the creator of MiniFaucet) and seeing if he can help? He likely knows his way around the script better than anyone else due to him creating it (https://bitcointalksearch.org/topic/minifaucet-script-a-myfaucet-replacement-333748).

Well, the coins are coming out through Faucetbox with no probs, and myself and other faucet owners are still paying 3% fees for the service.

I suppose you're right, I shouldn't 'expect' it. My message was written with an air of desperation - I'm out of my depth.

@Kazuldur - Thanks. I've tried to report this to all the faucet owners involved, in an attempt to solve the issue. I think Raph has been contacted, but we are waiting to hear back. I was the first to notice this yesterday.

I am happy to chip in for a 'group fix'.  I haven't sent you the script as I figured it was out of your role, I would be happy to if you want.

legendary
Activity: 971
Merit: 1000
July 04, 2015, 04:10:36 PM
#98
I appreciate that you are seperating yourself from the issue, but it'd be great if you guys were more involved in helping people out.

There are a LOT of faucets affected by this. It's an SQL injection problem, this is something you could assist with I'm sure. You just don't/won't look at the script to help us out!

It doesn't look at all like a SQL Injection vulnerability, I really don't think that's what causing it. Why do you thinks it's a SQL Injection? I'd say it's rather some subtle error in code that calculates the reward or handles the timer or both. Either way it's probably not trivial and would require a lot of time and effort to fully analyze. You can't expect that I'll fix every random script out there, that's just impossible. I have FaucetBOX.com, Faucet in a Box script and ScanTheBOX.com to maintain, that's engaging enough.

You should all just get in touch with each other and either force RaphaelM to fix that (he is the one that should do it after all if you paid him for the script) or hire someone to fix that and split the cost. Or you can always use the script that's officially supported by us. Or even Microfaucet, as it's already proven to be safe.

With all of that said... Something like that hurts everyone. I'll probably look into that (but no guarantees and I think that I won't be able to look into that before 10th July) if you send me the script source. But no one sent me the code yet, so how can I possibly help?

However, just like minifrij said, I think Elbandi would be a better person to ask if it's actually based on the Minifaucet.
legendary
Activity: 2352
Merit: 1268
In Memory of Zepher
July 04, 2015, 03:57:40 PM
#97
I appreciate that you are seperating yourself from the issue, but it'd be great if you guys were more involved in helping people out.

There are a LOT of faucets affected by this. It's an SQL injection problem, this is something you could assist with I'm sure. You just don't/won't look at the script to help us out!
And he has no reason to help you; it is not his script. Have you tried contacting Elbandi (the creator of MiniFaucet) and seeing if he can help? He likely knows his way around the script better than anyone else due to him creating it (https://bitcointalksearch.org/topic/minifaucet-script-a-myfaucet-replacement-333748).
legendary
Activity: 1288
Merit: 1000
July 04, 2015, 03:54:44 PM
#96
Do all these faucets use script customized by RaphaelM again?

Its same script what hi using for him faucet.

Read this: https://bitcointalksearch.org/topic/m.11504183 . Looks like there's a bug (on purpose or not) in this script. Change your script ASAP.

I appreciate that you are seperating yourself from the issue, but it'd be great if you guys were more involved in helping people out.

There are a LOT of faucets affected by this. It's an SQL injection problem, this is something you could assist with I'm sure. You just don't/won't look at the script to help us out!

Fist, we need find who can fix it.
sr. member
Activity: 714
Merit: 250
Defend Bitcoin and its PoW: bitcoincleanup.com
July 04, 2015, 03:52:01 PM
#95
Do all these faucets use script customized by RaphaelM again?

Its same script what hi using for him faucet.

Read this: https://bitcointalksearch.org/topic/m.11504183 . Looks like there's a bug (on purpose or not) in this script. Change your script ASAP.

I appreciate that you are seperating yourself from the issue, but it'd be great if you guys were more involved in helping people out.

There are a LOT of faucets affected by this. It's an SQL injection problem, this is something you could assist with I'm sure. You just don't/won't look at the script to help us out!
legendary
Activity: 1288
Merit: 1000
July 04, 2015, 02:01:47 PM
#94
Problem is that Im not able to fix it my self. Im not programer. Looking trust member for this work.

Maybe you able to delete this address from your database?

I can't. Also that wouldn't help. The person that does it could just use another one.

IM just would be very glad to know that this coins going not to him. I dont care who can take this coins, I dont ask any refund or etc.. How I said I would like very happy to know that coins not going to scammer.
Jump to: