[HTTP] Bank of Minecraft - Inter-server banking! (plz lock, discontinued)

There is a problem here. The program isn't good.

Uhhhh sorry ZudoHackz but your security here is, well… crap.

I can see the balance of everyones accounts. I can see the email address of everyones accounts. I can see the password to everyones accounts (albeit in an encrypted format - base64 is it? That's easily decryptable). I can transfer money to and from anyones account, and create money instantly (I just gave my test account the largest integer amount possible in PHP). I can give money to myself. There is no insufficient funds warning. You just leave the files sitting there on your web server, which is an Apache server with indexing enabled, so I'm easily able to browse through them. There is no use of MySQL to store anything. base64 is not a great encryption technology (it's ok). You're using PHP for this - why not use sha512! 128 characters of pure randomness.

The program won't work if you use anything other than alphanumeric characters in any of your credentials, because you don't textutils.urlEncode any of the things you send to the PHP scripts. So the account registration won't work, because you don't encode the @ symbol, or any other symbol apart from the ones that don't need encoding. You also don't ensure that the email address must have an @ in it, or any sort of formatting.

There is no spammer protection. And you allow HTTP get. So I can just keep reloading the register page on my browser and spam the account creation script.

I don't see any more features to explore in this. I can PM you a solution to all of this if you want, but I'm definitely no expert. You're probably better off asking someone who knows a lot more than me.

I like the idea of HTTP, cross server banking, but unless you understand this stuff fully, don't release it. Always assume the worst when it comes to users. Never trust any sent data. Never trust a user's intent.

P.S. There is a good thread here on password encryption and salting. Please do some googling on security.

Base64 is NOT!!! encryption.. eugh
It's used so that binary data can be transported across a text transport.
It's an ENCODING! People need to stop thinking it's encryption!

I'm amazed that it's all just HTTP, and no Sql.

Fantastic idea kid, terrible implementation.

Edit: Just had a look at the server.
Worse than I thought.

NeverCast, on 29 January 2013 - 04:29 PM said:

Base64 is NOT!!! encryption.. eugh
It's used so that binary data can be transported across a text transport.
It's an ENCODING! People need to stop thinking it's encryption!

Sorry :P/> I have no idea. Still no excuse for not using something more secure.

NeverCast, on 29 January 2013 - 04:29 PM said:

I'm amazed that it's all just HTTP, and no Sql.

As am I! SQL is not that hard to learn/implement. It took me about half an hour…

No excuse at all. Base64 is equal to plain-text. It's just a different encoding to make binary data fit in to printable chars. There is NO security from it.
Also the fact that he doesn't know how to manage his apache server to at least disable indexing, means all bad things!

Look! I'm rich!

http://bomc.hostoi.com/nevercast/balance

Thank you transaction of negative amounts!

NeverCast, on 29 January 2013 - 04:34 PM said:

No excuse at all. Base64 is equal to plain-text. It's just a different encoding to make binary data fit in to printable chars. There is NO security from it.
Also the fact that he doesn't know how to manage his apache server to at least disable indexing, means all bad things!

From looking at the domain name, I think hostoi is a sub domain of 000webhost. I'm not sure you have access to the httpd.conf in 000webhost…

NeverCast, on 29 January 2013 - 04:40 PM said:

Look! I'm rich!

http://bomc.hostoi.c...vercast/balance

Thank you transaction of negative amounts!

xD I did the same!
http://bomc.hostoi.com/Test/balance

EDIT: hehehehe. I just removed all your money. hehehehehehehehehe xD

EDIT 2: Sorry, but I think the password saving/encoding is broken. All passwords I see are just MA==, which is 0 when decoded…. And I believe if you pass 0 to PHP under HTTP get or post, I think it treats it as nil… Either his register script is broken, or people are using their web browsers to create accounts and just not supplying passwords, and the script is dumb enough to still create the accounts.

not sure what your password is :P/>
Not that I need it.

Oops I accidentally your entire balance!
I made it negative :P/>

Edit: Does your balance feel leet? :P/>

Gravity, I created mine with the password NO
And it saved it as 0

I created my account in Chrome and used the password 12345. It saved it properly, I think… When I use a decrypter on the base64, 6485140087.8 is what I get… Not sure if he used his own version of base64, or PHP's built in one is stuffed up (unlikely).

EDIT: I just created Test2, and it saved the password fine… But I used only text on Test3 account, and I used the password hai. It saved it as MA==, which is 0. I created Test4 with a combination of letters and numbers, and it also saved as 0. I think it doesn't like text.

I think he adds the shit together and then Base64's it
So it might not be as bad as we think.

Not that it matters, using negative amounts you can do a reverse transaction and passwords are irrelevant

Can you help then please? :(/>

I have no idea how to use SQL in PHP so, erm, im a fail.
And i deleted the 'Fuck' Account.

ZudoHackz, on 30 January 2013 - 06:00 AM said:

I have no idea how to use SQL in PHP so, erm, im a fail.
And i deleted the 'Fuck' Account.

I proudly take responsibility for making that.

Yessir! We can help you :)/>

This is a beta release and its gone back into development for mysql usage. Hopefully it should be better then :)/>

GravityScore, on 29 January 2013 - 03:50 PM said:

Uhhhh sorry ZudoHackz but your security here is, well… crap.

I can see the balance of everyones accounts. I can see the email address of everyones accounts. I can see the password to everyones accounts (albeit in an encrypted format - base64 is it? That's easily decryptable). I can transfer money to and from anyones account, and create money instantly (I just gave my test account the largest integer amount possible in PHP). I can give money to myself. There is no insufficient funds warning. You just leave the files sitting there on your web server, which is an Apache server with indexing enabled, so I'm easily able to browse through them. There is no use of MySQL to store anything. base64 is not a great encryption technology (it's ok). You're using PHP for this - why not use sha512! 128 characters of pure randomness.

The program won't work if you use anything other than alphanumeric characters in any of your credentials, because you don't textutils.urlEncode any of the things you send to the PHP scripts. So the account registration won't work, because you don't encode the @ symbol, or any other symbol apart from the ones that don't need encoding. You also don't ensure that the email address must have an @ in it, or any sort of formatting.

There is no spammer protection. And you allow HTTP get. So I can just keep reloading the register page on my browser and spam the account creation script.

I don't see any more features to explore in this. I can PM you a solution to all of this if you want, but I'm definitely no expert. You're probably better off asking someone who knows a lot more than me.

I like the idea of HTTP, cross server banking, but unless you understand this stuff fully, don't release it. Always assume the worst when it comes to users. Never trust any sent data. Never trust a user's intent.

P.S. There is a good thread here on password encryption and salting. Please do some googling on security.

Thanks, but the idea is you register on the program rather than the site (which is why I set up a redirect)
It is also using MySQL for user, password, email, balance storage.
The main program in the first post is very glitchy due to major changes in the PHP script.
I use 000webhost so I dont have access to the httpd.conf file (My computer is really crap, Apache - nope!)
And thanks for the urlEncode tip, I never thought about that :)/>
Ill also try and sort out @ checking (PHP or lua?)

NeverCast, on 29 January 2013 - 04:34 PM said:

No excuse at all. Base64 is equal to plain-text. It's just a different encoding to make binary data fit in to printable chars. There is NO security from it.
Also the fact that he doesn't know how to manage his apache server to at least disable indexing, means all bad things!

I do have my OWN Apache server (local) and I know exactly how to disable indexing, but i don't want or need to.
EDIT: I mean my local one, not the BoMC one.

ZudoHackz, on 01 February 2013 - 09:22 PM said:

EDIT: I mean my local one, not the BoMC one.

Which you took down…

zekesonxx, on 02 February 2013 - 05:16 AM said:

ZudoHackz, on 01 February 2013 - 09:22 PM said:

EDIT: I mean my local one, not the BoMC one.

Which you took down…

???