Post in Board: Announcements (Altcoins), topic "Re: eat shit", by bee7 on 17/08/2014, 23:15:23 UTC

JPC was hacked months ago for many millions of coins via users (not exchanges) (it was an RPC exploit that lots of coins were vulnerable to),
and the hacker dumped them all on exchanges, tanking the price, and it never recovered!

Could you please elaborate on what you meant? I am asking as another coin dev, to take countermeasures if this issue actually exists.

Apparently a lot of people had their rpclisten set to a publicly accessible IP address (rather than the standard and default 127.0.0.1); further, this address was not behind any sort of NAT or firewall, and had a guessable password (presumably some default one).

I can't really call it an exploit.


Thank you
I was told the same version of the story already; I just want to make sure that Spoetnik does not know something different ;)


ya what he said ;)
and I am not sure a firewall would help.. that should be looked into!
you see we're going to be exempting the miner to go online on the internet inbound and outbound, right?

also some other guy posted a way for you to check if you're vulnerable by using your browser..
you can check out this topic a few pages back so we don't have to repeat it all from memory ;)

and call it what you want, but it must have been a big problem for so many coins to have been stolen. (I heard this affects other coins too)


Then this is not a vulnerability in the wallet software (the assumption I made, as you mentioned "lots of coins"), but a question of misconfiguration. With all due respect, could you please be more precise in the future.

Thank you.


read the changelog buddy.. why does it say "fixed bug" and why did they change the code? because of misconfiguration??
..gimme a break with your argumentative fucking bullshit
quit picking at my ass.. and next time stfu and do your own homework rather than harassing me to do it for you.
the first reply said it was on previous pages..
you could have just shut the fuck up and gone and read them, but instead you kept harping on me like a mouthy fucking cunt, nagging and nagging (rolls eyes)

Relax a bit please. I just asked what you meant and you replied that it was a misconfiguration issue. Now you say that some fixes to the code were done. Was it so difficult to say that from the very beginning?

Ok, let's look at what you are talking about. The only relevant change I found is in commit https://github.com/rtc29462/JackpotCoin/commit/4e0eb23dec09eeac9943ea24f56ede0d678cb16d#diff-d41d8cd98f00b204e9800998ecf8427e, file bitcoinrpc:

Code:
@@ -531,9 +531,18 @@ bool ClientAllowed(const boost::asio::ip::address& address)
 
     const string strAddress = address.to_string();
     const vector& vAllow = mapMultiArgs["-rpcallowip"];
-    BOOST_FOREACH(string strAllow, vAllow)
-        if (WildcardMatch(strAddress, strAllow))
-            return true;
+
+    //
+    // minimumn 8 characters for IP address, so, * or *.*.*.* will be ignored
+    // need to set more detail IP address with wile card
+    //
+    BOOST_FOREACH(string strAllow, vAllow) {
+        if (strAllow.length() > 7) {
+            if (WildcardMatch(strAddress, strAllow)) {
+                return true;
+            }
+        }
+    }
     return false;
 }
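Review bot: the `strAllow.length() > 7` test in this hunk is a length heuristic, not a check on how broad a pattern is, and it fails in both directions. A plain dotted-quad entry of seven characters such as `1.2.3.4` is now silently skipped, so a legitimate `-rpcallowip=1.2.3.4` stops working; meanwhile an eight-character pattern such as `*.*.*.**` passes the test and still matches every address, so the "ignore `*` and `*.*.*.*`" intent from the comment is trivially sidestepped. Skipped entries are also dropped without any log line, so an operator who set `*` gets no feedback that the setting was ignored. If the goal is to refuse catch-all patterns, test for that directly (for example, reject any entry whose first octet is a bare `*`, or require at least one literal octet) and log the rejection; the comment typos `minimumn` and `wile card` should be fixed in the same change.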

Is that a fix of a vulnerability??? It is a fix for the stupidity of some representatives of mankind.

The WildcardMatch function looks completely fine. Its implementation in the JPC source tree is the same as the original bitcoin wallet has. Though bitcoin's version of ClientAllowed has some IPv6-related fixes, the rest of the code is the same as above without the "fix". So, is Gavin Andresen not aware of this "vulnerability" also?

I had no intention to offend you in any way; I asked you to call things by their real names. Your reply was rude. Adults do not conduct themselves this way, IMO.