Author

Topic: FaucetBOX.com Discussion - page 151. (Read 237001 times)

legendary
Activity: 1988
Merit: 1007
July 08, 2015, 03:02:39 AM
It doesn't look at all like a SQL Injection vulnerability, I really don't think that's what's causing it. Why do you think it's a SQL Injection? I'd say it's rather some subtle error in code that calculates the reward or handles the timer or both. Either way it's probably not trivial and would require a lot of time and effort to fully analyze. You can't expect that I'll fix every random script out there, that's just impossible. I have FaucetBOX.com, Faucet in a Box script and ScanTheBOX.com to maintain, that's engaging enough.
If you don't mind me asking, what makes it not look like a SQL Injection vulnerability? From what I can see in the code, there is nothing to escape any of the strings before running them.

For example, on core.php at line 169 (in the default script from gitlabs; looking at another faucet owner's script from this vulnerability it seems to be line 300), this function is used to run any SQL queries throughout the script:
Code:
function sql_query($sql)
{
    global $mysqli;
    return $mysqli->query($sql);
}
It literally gets the connection from config.php and runs the query. If this is as simple as it looks and there are no escape strings, this is a huge error in the script.

Perhaps using something similar to this:
Code:
function sql_query($sql)
{
    global $mysqli;
    $sql = $mysqli->real_escape_string($sql);
    return $mysqli->query($sql);
}
Will solve the problem, as it escapes the string before continuing with the query.

Hearing thefaucetrunner talk about SQL injection made me think about this again and had me search through all of the files to try and find this function. Apologies for not finding it earlier.

Even with your code changes (such as escaping strings), there are many vulnerabilities still open. I'm actually somewhat surprised something as important as dealing with people's finances (in the sense that the script has access to the wallet's funds) is even using SQLi, much less in a very insecure method. real_escape_string only prevents a small portion of injections from being possible, and if you really want to use that route, you should fix all of them.
sr. member
Activity: 864
Merit: 260
July 08, 2015, 02:25:59 AM
Why do my faucet satoshis disappear even when I'm not crying?
legendary
Activity: 971
Merit: 1000
July 07, 2015, 02:05:47 PM
Hi, I noticed that clicking on banner ads inside ScanTheBox.com doesn't open the ad. Do you know how to fix or work around that?

I found the reason... it's because the iframe is sandboxed and therefore links cannot open new tabs/windows. To fix it, ScanTheBox needs to be changed from
Code:
to
Code:

That's a known issue and we did block the popups and redirection deliberately. It prevents faucets from opening annoying popups and redirecting out from the rotator. We even give a warning to faucet users about that when they're adding their faucets to the rotator.

What we plan to do is add a button for users like "Open this faucet in new window". Such a window wouldn't be sandboxed then.
newbie
Activity: 20
Merit: 0
July 07, 2015, 08:24:37 AM
Hi, I noticed that clicking on banner ads inside ScanTheBox.com doesn't open the ad. Do you know how to fix or work around that?

I found the reason... it's because the iframe is sandboxed and therefore links cannot open new tabs/windows. To fix it, ScanTheBox needs to be changed from
Code:
to
Code:
newbie
Activity: 20
Merit: 0
July 07, 2015, 06:34:50 AM
Hi, I noticed that clicking on banner ads inside ScanTheBox.com doesn't open the ad. Do you know how to fix or work around that?
legendary
Activity: 971
Merit: 1000
July 06, 2015, 04:00:04 PM
After how long does "possibly broken" disappear after satoshis enter your account?

6-8 hours after first successful payout.
newbie
Activity: 3
Merit: 0
July 06, 2015, 01:30:45 PM
After how long does "possibly broken" disappear after satoshis enter your account?
sr. member
Activity: 864
Merit: 260
July 06, 2015, 01:52:26 AM
I have a feeling as if bitcoin is being stolen from my faucet. And every day. It's very suspicious! I just can not explain it to you.
full member
Activity: 500
Merit: 100
July 05, 2015, 10:02:53 AM
The best way is to log all the 4 points:
- GET requests (if you have access log you already have them).
- POST requests and their parameters.
- All the claims.
- All the cashouts.

There is no way for him to escape.

Of course, changing the API key before you restart paying is a must.

This is all I can help without a look at the code.

Edit: I think this could be a bot. Yesterday someone posted a link to my website in a forum discussing "a bot not working anymore" (probably because some faucets got dry).

Putting some randomness in the faucet functionality may complicate their lives.
legendary
Activity: 971
Merit: 1000
July 05, 2015, 01:36:20 AM
It doesn't look at all like a SQL Injection vulnerability, I really don't think that's what's causing it. Why do you think it's a SQL Injection? I'd say it's rather some subtle error in code that calculates the reward or handles the timer or both. Either way it's probably not trivial and would require a lot of time and effort to fully analyze. You can't expect that I'll fix every random script out there, that's just impossible. I have FaucetBOX.com, Faucet in a Box script and ScanTheBOX.com to maintain, that's engaging enough.
If you don't mind me asking, what makes it not look like a SQL Injection vulnerability? From what I can see in the code, there is nothing to escape any of the strings before running them.

This hack usually results in many small-to-moderate payouts to many addresses in a time smaller than the timer. I guess it could be a result of SQL Injection, but why bother with something like that then? SQL Injection probably allows one to just steal the API key from the database and I think that would be much easier.
legendary
Activity: 2352
Merit: 1268
In Memory of Zepher
July 04, 2015, 06:50:54 PM
It's half true: real_escape_string is not a silver bullet to protect against SQL injection. google://sql+injection+with+mysql+real+escape+string.
If you always believe in realescapestring, you have a false sense of safety.
The best way to go about it would probably be to use prepared statements, though that would take more complicated code to execute properly.
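An added example, not code from the MiniFaucet script or from any poster, contrasting the thread's three approaches: the unescaped query helper, escaping the whole assembled query, and a prepared statement with validation in front of it. The `claims` table, its `address` and `ts` columns, and the address check are assumptions for illustration.

```php
<?php
// Added example (not from the MiniFaucet script or any poster's code).
// Assumes an open mysqli connection and a table `claims(address, ts)`;
// the table and column names are assumptions for illustration.

// The pattern discussed in the thread: the caller builds the query string
// and sql_query() runs it unchanged, so any user-supplied value embedded
// in that string is interpreted as SQL.
function sql_query_unsafe(mysqli $mysqli, string $sql)
{
    return $mysqli->query($sql);
}

// Escaping the whole assembled query (the proposed patch) does not help:
// real_escape_string() also escapes the quotes that delimit the query's
// own string literals, turning a valid query into a syntax error, and
// values used unquoted (numeric contexts) are not protected at all.
function escaped_whole_query(mysqli $mysqli, string $address): string
{
    $sql = "SELECT ts FROM claims WHERE address = '$address'";
    return $mysqli->real_escape_string($sql);
    // -> SELECT ts FROM claims WHERE address = \'...\'   (broken SQL)
}

// Prepared statement: the server compiles the statement text first and
// receives $address as a parameter afterwards, so its content can never
// change the structure of the query.
function last_claim_time(mysqli $mysqli, string $address): ?int
{
    $stmt = $mysqli->prepare("SELECT ts FROM claims WHERE address = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $mysqli->error);
    }
    $stmt->bind_param("s", $address);   // "s": bind as a string parameter
    if (!$stmt->execute()) {
        throw new RuntimeException("execute failed: " . $stmt->error);
    }
    $stmt->bind_result($ts);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $ts : null;
}

// Validation before the query, as Elbandi describes: reject anything not
// shaped like a legacy (base58, 26-35 character) Bitcoin address, so the
// database layer only ever sees well-formed input.
function looks_like_btc_address(string $address): bool
{
    return (bool) preg_match('/^[13][1-9A-HJ-NP-Za-km-z]{25,34}$/', $address);
}
```

The address check is a second layer, not a replacement for binding parameters: the prepared statement is what keeps data out of the statement text.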
hero member
Activity: 525
Merit: 531
July 04, 2015, 06:27:28 PM
Perhaps using something similar to this:
Code:
function sql_query($sql)
{
    global $mysqli;
    $sql = $mysqli->real_escape_string($sql);
    return $mysqli->query($sql);
}
Will solve the problem, as it escapes the string before continuing with the query.
It's half true: real_escape_string is not a silver bullet to protect against SQL injection. google://sql+injection+with+mysql+real+escape+string.
If you always believe in realescapestring, you have a false sense of safety.

My goal is to check/verify the input before the SQL code, and not execute SQL if it is not good (e.g. verifyaddress).
I have only two eyes, so if you find a place where I don't check something, feel free to msg me.

The hacked faucets used modified versions of minifaucet, so we don't know whether the bug/SQL injection/whatever is in the original code or in the modified code. So we are just groping in the dark.

Did someone check that modified code? Does anyone have the modified code at all?

Elbandi
legendary
Activity: 2352
Merit: 1268
In Memory of Zepher
July 04, 2015, 04:32:33 PM
It doesn't look at all like a SQL Injection vulnerability, I really don't think that's what's causing it. Why do you think it's a SQL Injection? I'd say it's rather some subtle error in code that calculates the reward or handles the timer or both. Either way it's probably not trivial and would require a lot of time and effort to fully analyze. You can't expect that I'll fix every random script out there, that's just impossible. I have FaucetBOX.com, Faucet in a Box script and ScanTheBOX.com to maintain, that's engaging enough.
If you don't mind me asking, what makes it not look like a SQL Injection vulnerability? From what I can see in the code, there is nothing to escape any of the strings before running them.

For example, on core.php at line 169 (in the default script from gitlabs; looking at another faucet owner's script from this vulnerability it seems to be line 300), this function is used to run any SQL queries throughout the script:
Code:
function sql_query($sql)
{
    global $mysqli;
    return $mysqli->query($sql);
}
It literally gets the connection from config.php and runs the query. If this is as simple as it looks and there are no escape strings, this is a huge error in the script.

Perhaps using something similar to this:
Code:
function sql_query($sql)
{
    global $mysqli;
    $sql = $mysqli->real_escape_string($sql);
    return $mysqli->query($sql);
}
Will solve the problem, as it escapes the string before continuing with the query.

Hearing thefaucetrunner talk about SQL injection made me think about this again and had me search through all of the files to try and find this function. Apologies for not finding it earlier.
legendary
Activity: 971
Merit: 1000
July 04, 2015, 04:24:07 PM
Well, the coins are coming out through Faucetbox with no probs, and myself and other faucet owners are still paying 3% fees for the service.

3% fee is for the network fees (and we're constantly lowering it as we manage to cut the network fees down). We get nothing from it, we live on ads.

I haven't sent you the script as I figured it was out of your role, I would be happy to if you want.

If you are allowed to redistribute it, send me a link to it on PM. But as I said, no guarantees and I won't find time for it in the next couple of days, so keep looking for someone who maybe will be able to fix that sooner.

And once again: why do you think it's a SQL Injection vulnerability? If you're correct then finding and fixing it should be fairly easy.
sr. member
Activity: 714
Merit: 250
Defend Bitcoin and its PoW: bitcoincleanup.com
July 04, 2015, 04:17:17 PM
#99
I appreciate that you are separating yourself from the issue, but it'd be great if you guys were more involved in helping people out.

There are a LOT of faucets affected by this. It's an SQL injection problem, this is something you could assist with I'm sure. You just don't/won't look at the script to help us out!
And he has no reason to help you; it is not his script. Have you tried contacting Elbandi (the creator of MiniFaucet) and seeing if he can help? He likely knows his way around the script better than anyone else due to him creating it (https://bitcointalksearch.org/topic/minifaucet-script-a-myfaucet-replacement-333748).

Well, the coins are coming out through Faucetbox with no probs, and myself and other faucet owners are still paying 3% fees for the service.

I suppose you're right, I shouldn't 'expect' it. My message was written with an air of desperation - I'm out of my depth.

@Kazuldur - Thanks. I've tried to report this to all the faucet owners involved, in an attempt to solve the issue. I think Raph has been contacted, but we are waiting to hear back. I was the first to notice this yesterday.

I am happy to chip in for a 'group fix'.  I haven't sent you the script as I figured it was out of your role, I would be happy to if you want.

legendary
Activity: 971
Merit: 1000
July 04, 2015, 04:10:36 PM
#98
I appreciate that you are separating yourself from the issue, but it'd be great if you guys were more involved in helping people out.

There are a LOT of faucets affected by this. It's an SQL injection problem, this is something you could assist with I'm sure. You just don't/won't look at the script to help us out!

It doesn't look at all like a SQL Injection vulnerability, I really don't think that's what's causing it. Why do you think it's a SQL Injection? I'd say it's rather some subtle error in code that calculates the reward or handles the timer or both. Either way it's probably not trivial and would require a lot of time and effort to fully analyze. You can't expect that I'll fix every random script out there, that's just impossible. I have FaucetBOX.com, Faucet in a Box script and ScanTheBOX.com to maintain, that's engaging enough.

You should all just get in touch with each other and either force RaphaelM to fix that (he is the one that should do it after all if you paid him for the script) or hire someone to fix that and split the cost. Or you can always use the script that's officially supported by us. Or even Microfaucet, as it's already proven to be safe.

With all of that said... Something like that hurts everyone. I'll probably look into that (but no guarantees and I think that I won't be able to look into that before 10th July) if you send me the script source. But no one sent me the code yet, so how can I possibly help?

However, just like minifrij said, I think Elbandi would be a better person to ask if it's actually based on the Minifaucet.
legendary
Activity: 2352
Merit: 1268
In Memory of Zepher
July 04, 2015, 03:57:40 PM
#97
I appreciate that you are separating yourself from the issue, but it'd be great if you guys were more involved in helping people out.

There are a LOT of faucets affected by this. It's an SQL injection problem, this is something you could assist with I'm sure. You just don't/won't look at the script to help us out!
And he has no reason to help you; it is not his script. Have you tried contacting Elbandi (the creator of MiniFaucet) and seeing if he can help? He likely knows his way around the script better than anyone else due to him creating it (https://bitcointalksearch.org/topic/minifaucet-script-a-myfaucet-replacement-333748).
legendary
Activity: 1288
Merit: 1000
July 04, 2015, 03:54:44 PM
#96
Do all these faucets use script customized by RaphaelM again?

It's the same script he's using for his faucet.

Read this: https://bitcointalksearch.org/topic/m.11504183 . Looks like there's a bug (on purpose or not) in this script. Change your script ASAP.

I appreciate that you are separating yourself from the issue, but it'd be great if you guys were more involved in helping people out.

There are a LOT of faucets affected by this. It's an SQL injection problem, this is something you could assist with I'm sure. You just don't/won't look at the script to help us out!

First, we need to find who can fix it.
sr. member
Activity: 714
Merit: 250
Defend Bitcoin and its PoW: bitcoincleanup.com
July 04, 2015, 03:52:01 PM
#95
Do all these faucets use script customized by RaphaelM again?

It's the same script he's using for his faucet.

Read this: https://bitcointalksearch.org/topic/m.11504183 . Looks like there's a bug (on purpose or not) in this script. Change your script ASAP.

I appreciate that you are separating yourself from the issue, but it'd be great if you guys were more involved in helping people out.

There are a LOT of faucets affected by this. It's an SQL injection problem, this is something you could assist with I'm sure. You just don't/won't look at the script to help us out!
legendary
Activity: 1288
Merit: 1000
July 04, 2015, 02:01:47 PM
#94
Problem is that I'm not able to fix it myself. I'm not a programmer. Looking for a trusted member for this work.

Maybe you are able to delete this address from your database?

I can't. Also that wouldn't help. The person that does it could just use another one.

I'd just be very glad to know that these coins are not going to him. I don't care who takes these coins, I don't ask for any refund or anything. As I said, I would be very happy to know that the coins are not going to the scammer.