Board: Altcoin Discussion
Re: Openex hacked but coins recovered
by r3wt on 15/01/2014, 14:56:35 UTC
I'm glad it isn't just me who thought it's iffy. This guy's already demonstrated XSS. I cba to look at the PHP again, but it does look really open to SQL injection.

We all underestimated just how "open" OpenEx.PW was; I don't think r3wt meant it so literally. My question is, regardless of his ability to code, didn't he TEST it before launching? Some of these bugs were painfully obvious. Just from using the site's functionality as intended, people were getting double credits and such.

Yes, we tested. The attacker was in and out of the server fucking with the trade engine code. It took us a while to catch on that someone besides us was changing our code.

Lessons learned:

Hire a server admin.

Don't use the mysql_* functions and mysql_real_escape_string().

I found a tutorial on DevShed that teaches how to use PDO. I've been practicing all morning and I can't believe it's so easy. We'll be back as soon as we've addressed the issues with the server and fixed the flaws in the application. Though your intent was to humiliate, I thank you for being blatantly honest. You're helping make OpenEx better even though you're trying to FUD it to death.
i found a tutorial on devshed that teaches how to use pdo. i've been practicing all morning and i can't believe its so easy. we'll be back as soon as we've addressed the issues with the server and fixed the flaws in the application. though your intent was to humiliate, i thank you for being blatantly honest. you're helping make openex better though you're trying to fud it to death.