XSS, SQL Injection and logic problem in banksend.htm #5

Closed
Ali-Albakara opened this Issue Sep 19, 2017 · 3 comments

Ali-Albakara commented Sep 19, 2017

`$RecUser=$_POST['recvusername'];` -- Not sanitized, used in a query later, used in a message later. SQL Injection & XSS.
`$details .= $_POST['details'];` -- XSS, used in the message later.

Logic problem:
To deduct the amount the hacker is sending to another hacker, the amount is being multiplied by -1, so if he's sending 5000, the game treats it as if it's -5000. What happens if the original amount I sent is -5000 and it gets multiplied by -1? It turns into a positive integer (5000) and I gain free cash.
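
The three problems reported above (an unsanitized `recvusername` reaching a query, unescaped `details` reaching a message, and a negative amount flipping sign), handled in one transfer routine. This is an added example, not part of the original issue or the project's code; the `send_funds` function, the `users` table and its columns are assumptions, and the sample data is constructed in an in-memory SQLite database.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: users(id, username, cash). Not the project's real tables.
function send_funds(PDO $db, int $senderId, string $recvUser, string $rawAmount, string $details): string
{
    // Accept only whole numbers >= 1, so a negated debit can never become a credit.
    $amount = filter_var($rawAmount, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($amount === false) {
        return 'Invalid amount.';
    }
    // Bound parameter: the username is data, never part of the SQL text.
    $q = $db->prepare('SELECT id FROM users WHERE username = ?');
    $q->execute([$recvUser]);
    $recvId = $q->fetchColumn();
    if ($recvId === false || (int)$recvId === $senderId) {
        return 'Invalid recipient.';
    }
    $db->beginTransaction();
    // Debit only if the balance covers it; the WHERE clause makes the check atomic.
    $debit = $db->prepare('UPDATE users SET cash = cash - ? WHERE id = ? AND cash >= ?');
    $debit->execute([$amount, $senderId, $amount]);
    if ($debit->rowCount() !== 1) {
        $db->rollBack();
        return 'Insufficient funds.';
    }
    $db->prepare('UPDATE users SET cash = cash + ? WHERE id = ?')->execute([$amount, $recvId]);
    $db->commit();
    // Escape user-controlled text at the point it enters HTML.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return 'Sent ' . $amount . ' to ' . $esc($recvUser) . ': ' . $esc($details);
}

// Constructed sample data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, cash INTEGER)');
$db->exec("INSERT INTO users (username, cash) VALUES ('alice', 1000), ('bob', 0)");

echo send_funds($db, 1, 'bob', '-5000', 'free cash'), "\n";      // negative amount, as in the report
echo send_funds($db, 1, "bob' OR '1'='1", '10', 'x'), "\n";       // quote characters in the username
echo send_funds($db, 1, 'bob', '250', '<b>thanks</b>'), "\n";     // markup in the details field
echo send_funds($db, 1, 'bob', '5000', 'too much'), "\n";        // amount larger than the balance
```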

Ali-Albakara commented Sep 19, 2017

Applied to clanbanksend.htm as well.

Owner

Eleix commented Sep 19, 2017

Just tested this out myself and wow, that is a huge logic error. Thanks for the find. I'll push a fix in the next few hours once I get back.

Also thanks for finding issues #4 and #6. I felt that the code to them seemed a bit off but not as bad as a SQL injection. Grateful for the find. 👍

Eleix added the bug label Sep 19, 2017

Eleix self-assigned this Sep 19, 2017

Owner

Eleix commented Sep 20, 2017

Status Update: Fixed in dev code (Pending Push)

Eleix closed this in 9da5c23 Sep 20, 2017
