Pages:
Author

Topic: 🎄 FaucetSystem.com / CryptoBara.com 🎄 - page 15. (Read 38067 times)

sr. member
Activity: 322
Merit: 250
November 18, 2016, 01:54:52 PM
#51
 i wanna try , help me
member
Activity: 127
Merit: 10
November 18, 2016, 01:51:14 PM
#50
Code:
Owner of this faucet set a send limit, which was exceeded. Try again in 30 minutes.
Try now.
+100k to balance
legendary
Activity: 1582
Merit: 1031
November 18, 2016, 11:31:34 AM
#49
now i changed all faucetbox teyt to faucetsystem !
but when i try to withdraw i get :

Code:
Owner of this faucet set a send limit, which was exceeded. Try again in 30 minutes.



but i set all limits to  0 !!!







kind regards
member
Activity: 127
Merit: 10
November 18, 2016, 07:42:31 AM
#48
@Cassielvandisse, check PM.

Some people think that current settings of Antibot is a very aggressive. Soon for every faucet:
sr. member
Activity: 361
Merit: 250
November 18, 2016, 03:07:32 AM
#47
Please add my faucet
http://mmsatoshicoin.ml/
into your faucet list .
Thanks .  Smiley
member
Activity: 127
Merit: 10
November 18, 2016, 01:38:13 AM
#46
many transactions confrimations your sstem needs to show up my deposit in balance Huh
Now - 6.
And minimum deposit - 75 000 sat.

I have claimed four times now. The first didn't work, the second didn't add anything, and the other two appear to have worked.
Are you never turn off your computer?
sr. member
Activity: 272
Merit: 250
November 17, 2016, 08:57:22 PM
#45


I have claimed four times now. The first didn't work, the second didn't add anything, and the other two appear to have worked.

It takes about 4 hours for me after depositing .  Grin
Just started using with faucetsystem yesterday .
Here is my faucet

http://mmsatoshicoin.ml/

Your faucet appears to be working.
sr. member
Activity: 361
Merit: 250
November 17, 2016, 07:03:48 PM
#44
It takes about 4 hours for me after depositing .  Grin
Just started using with faucetsystem yesterday .
Here is my faucet

http://mmsatoshicoin.ml/
legendary
Activity: 1582
Merit: 1031
November 17, 2016, 05:24:42 PM
#43
wow ok how Huh
 many transactions confrimations your sstem needs to show up my deposit in balance Huh


yust made a deposit to test service ......takse long time to test you XD


legendary
Activity: 971
Merit: 1000
November 17, 2016, 02:33:54 PM
#42
Hi FaucetSystem,

Do we have your API links, where I can make HTTP post requests to make payments?
FaucetBox did have those.. In the dashboard I only see my API key no links or docs on API endpoints.

They use the same as FaucetBOX.com.
full member
Activity: 210
Merit: 100
★Spacey The Bird★ Android Game , Bitco
November 17, 2016, 02:29:42 PM
#41
Hi FaucetSystem,

Do we have your API links, where I can make HTTP post requests to make payments?
FaucetBox did have those.. In the dashboard I only see my API key no links or docs on API endpoints.
hero member
Activity: 718
Merit: 500
November 17, 2016, 01:23:12 PM
#40
Well.. i think that it's a good idea to report vulnerabilities but not publish the technical details to everyone..
People with working faucet bots don't come here and share their code right? (Or if they do they'll get deleted ass soon as mod find it)

my opinion
 

hero member
Activity: 882
Merit: 976
November 17, 2016, 01:10:39 PM
#39
There's a vulnerability in your handling of IP addresses.

The Ip::get() looks like this:

Code:
            foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_REAL_IP', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key){
                if (array_key_exists($key, $_SERVER) === true){
                    foreach (explode(',', $_SERVER[$key]) as $ip){
                        $ip = trim($ip); // just to be safe
                        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false){
                            if($_SERVER['SERVER_ADDR']<>$ip){
                                return $ip;
                            }
                        }
                    }
                }
            }
        return '127.0.0.1';

You're blindly trusting headers sent by user. So I can for example do:

Code:
curl --header "Client-IP: 8.8.8.8" http://somefaucet/ ...

And your script will think that the request came from IP address 8.8.8.8. Repeat that with changing the IP address and I can bypass your antibot system and your timer.

Please please please buy a professional audit of all your code. If I can find such big issues in 5 minutes, people that really want to steal something will find many more.



Please please please report security stuff in PRIVATE msg to dev please.. I don't think posting this here  is a good idea..


It's not a bad idea, as long as the security flaw gets fixed. I, for one, love the transparency that Kaz is providing. It's rare to get support from such an expert, especially for free.

For now, it just means that the transparency shows that there are security flaws with FaucetSystem. Good to know so early on.
legendary
Activity: 971
Merit: 1000
November 17, 2016, 01:10:29 PM
#38
row 160
Code:
 \Session::set('lc', md5(Secure::getRandomString(10)));
Its string erase answer. You can load postClaimThird with correct answer only one time. If you need receive a new correct answer - u need load postClaimSecond.

I'm not convinced. That covers your "Logical captcha". What if owner disabled it and is only using reCaptcha/SolveMedia?



Please please please report security stuff in PRIVATE msg to dev please.. I don't think posting this here  is a good idea..

It's too early for it to have a big impact (it was released just a few hours ago) and these are so obvious that people have to be aware that there are serious security issues with FaucetSystem.com right now. And I also think it's good to show that the admin is open for reports and fixes them quickly. It's a good PR if he handles it correctly Smiley
hero member
Activity: 718
Merit: 500
November 17, 2016, 01:07:27 PM
#37
There's a vulnerability in your handling of IP addresses.

The Ip::get() looks like this:

Code:
            foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_REAL_IP', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key){
                if (array_key_exists($key, $_SERVER) === true){
                    foreach (explode(',', $_SERVER[$key]) as $ip){
                        $ip = trim($ip); // just to be safe
                        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false){
                            if($_SERVER['SERVER_ADDR']<>$ip){
                                return $ip;
                            }
                        }
                    }
                }
            }
        return '127.0.0.1';

You're blindly trusting headers sent by user. So I can for example do:

Code:
curl --header "Client-IP: 8.8.8.8" http://somefaucet/ ...

And your script will think that the request came from IP address 8.8.8.8. Repeat that with changing the IP address and I can bypass your antibot system and your timer.

Please please please buy a professional audit of all your code. If I can find such big issues in 5 minutes, people that really want to steal something will find many more.



Please please please report security stuff in PRIVATE msg to dev please.. I don't think posting this here  is a good idea..
member
Activity: 127
Merit: 10
November 17, 2016, 11:59:12 AM
#36
row 160
Code:
 \Session::set('lc', md5(Secure::getRandomString(10)));
Its string erase answer. You can load postClaimThird with correct answer only one time. If you need receive a new correct answer - u need load postClaimSecond.
Receiving ip address is painful issue.
legendary
Activity: 971
Merit: 1000
November 17, 2016, 11:29:30 AM
#35
One more thing (sorry for spam).

I've checked the postClaimThird method in Guest controller, and it seems that you don't check if captcha was actually correctly solved in postClaimSecond. You don't store it in session anywhere and you don't check it in postClaimThird. That means that I can just record what request is made on postClaimThird and then send requests directly to it, skipping the postClaimSecond part. Combine that with blindly trusting user headers and I can:

1. bypass captcha
2. bypass timer (by changing to fake IP addresses)
3. bypass your antibot (by changing to fake IP addresses)

I didn't test it though, so I may missed some protection, but you should take a look at this.

EDIT: maybe focus on security, not features for now Smiley
legendary
Activity: 971
Merit: 1000
November 17, 2016, 11:14:31 AM
#34
There's a vulnerability in your handling of IP addresses.

The Ip::get() looks like this:

Code:
            foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_REAL_IP', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key){
                if (array_key_exists($key, $_SERVER) === true){
                    foreach (explode(',', $_SERVER[$key]) as $ip){
                        $ip = trim($ip); // just to be safe
                        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false){
                            if($_SERVER['SERVER_ADDR']<>$ip){
                                return $ip;
                            }
                        }
                    }
                }
            }
        return '127.0.0.1';

You're blindly trusting headers sent by user. So I can for example do:

Code:
curl --header "Client-IP: 8.8.8.8" http://somefaucet/ ...

And your script will think that the request came from IP address 8.8.8.8. Repeat that with changing the IP address and I can bypass your antibot system and your timer.

Please please please buy a professional audit of all your code. If I can find such big issues in 5 minutes, people that really want to steal something will find many more.



Is adding the "ip" parameter on send is the only thing required to integrate with your AntibotInside?
Yes. It's a first phase.
Second: adding statistical analysis.

Thanks, we'll add it when integrating in Faucet in a BOX.
member
Activity: 127
Merit: 10
November 17, 2016, 11:13:47 AM
#33
Is adding the "ip" parameter on send is the only thing required to integrate with your AntibotInside?
Yes. It's a first phase.
Second: adding statistical analysis.
legendary
Activity: 971
Merit: 1000
November 17, 2016, 11:08:21 AM
#32
Is adding the "ip" parameter on send is the only thing required to integrate with your AntibotInside?
Pages:
Jump to: