Relax a bit please. I just asked what you meant and you replied that it was a misconf issue. Now you say that some fixes to the code were done. Was it so difficult to say that from the very beginning?
Ok, let's look at what you are talking about. The only relevant change I found is in commit
https://github.com/rtc29462/JackpotCoin/commit/4e0eb23dec09eeac9943ea24f56ede0d678cb16d#diff-d41d8cd98f00b204e9800998ecf8427e, file bitcoinrpc:
@@ -531,9 +531,18 @@ bool ClientAllowed(const boost::asio::ip::address& address)
const string strAddress = address.to_string();
const vector& vAllow = mapMultiArgs["-rpcallowip"];
- BOOST_FOREACH(string strAllow, vAllow)
- if (WildcardMatch(strAddress, strAllow))
- return true;
+
+ //
+ // minimumn 8 characters for IP address, so, * or *.*.*.* will be ignored
+ // need to set more detail IP address with wile card
+ //
+ BOOST_FOREACH(string strAllow, vAllow) {
+ if (strAllow.length() > 7) {
+ if (WildcardMatch(strAddress, strAllow)) {
+ return true;
+ }
+ }
+ }
return false;
}
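Review bot: the strAllow.length() > 7 test in the new loop also discards complete seven-character addresses such as 1.2.3.4, and it does not stop a longer all-wildcard entry such as ******** from reaching WildcardMatch, so length is not a reliable proxy for "too broad". Consider rejecting an entry by what it contains (for example, an entry with no literal digits) rather than by how long it is, and logging each skipped entry so the operator learns it was ignored instead of silently losing RPC access. The new comment also has typos ("minimumn", "wile card") and should state the rule the code actually enforces.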
Is that a fix of a vulnerability??? It is a fix for the stupidity of some representatives of mankind.
The WildcardMatch function looks completely fine. Its implementation in the JPC source tree is the same as in the original bitcoin wallet. Bitcoin's version of ClientAllowed has some IPv6-related fixes, but the rest of the code is the same as above without the "fix". So, is Gavin Andresen not aware of this "vulnerability" either?
I had no intention of offending you in any way; I asked you to call things by their real names. Your reply was rude. Adults do not conduct themselves this way IMO.
Don't worry about it. Any wallet that used just a * for the allowip in the conf file could be affected the same way. I heard the difference is that since the coin was big in Korea and a lot may be running an outdated OS or not running a firewall, it was just easier to get in and initiate a command that sent the balance wherever they wanted. Definitely not a code issue, more of a security issue. I remember when the coin launched the example conf file had just the wildcard *. Not sure if it was in the OP or right after it, but yeah, it won't allow you to just use that anymore so it would be a lot harder. Somebody could still get onto your network and if they know what IPs you're allowing, they could do the same thing as far as I know.
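As an added example (not code from this thread or from the JackpotCoin or bitcoin source), the sketch below applies the length test from the quoted commit to a few constructed -rpcallowip entries and reports which ones are dropped, which still admit any address, and which actually restrict access. The matcher, AuditAllowEntry, the probe addresses and the sample entries are assumptions of this example.

```cpp
#include <cstdio>
#include <string>

// Glob matcher: '*' matches any run of characters, '?' exactly one.
// Written for this example; not copied from the wallet source.
static bool WildcardMatch(const char* s, const char* m) {
    for (;; ++s, ++m) {
        switch (*m) {
        case '\0': return *s == '\0';
        case '*':  return WildcardMatch(s, m + 1) || (*s && WildcardMatch(s + 1, m));
        case '?':  if (*s == '\0') return false; break;
        default:   if (*s != *m) return false; break;
        }
    }
}

// The length test from the commit quoted in the thread.
static bool PassesLengthCheck(const std::string& allow) { return allow.length() > 7; }

// Heuristic (assumption of this example): an entry that matches three
// unrelated documentation-range addresses is treated as "matches anyone".
static bool IsOverBroad(const std::string& allow) {
    static const char* kProbes[] = {"192.0.2.1", "198.51.100.77", "203.0.113.254"};
    for (int i = 0; i < 3; ++i)
        if (!WildcardMatch(kProbes[i], allow.c_str())) return false;
    return true;
}

// Hypothetical audit verdict for one -rpcallowip entry:
//   "dropped"  the patched ClientAllowed never evaluates it
//   "open"     evaluated, and it admits any address
//   "ok"       evaluated, and it constrains the address
std::string AuditAllowEntry(const std::string& allow) {
    if (!PassesLengthCheck(allow)) return "dropped";
    return IsOverBroad(allow) ? "open" : "ok";
}

int main() {
    // Constructed sample entries, not taken from any real conf file.
    const char* entries[] = {"*", "*.*.*.*", "1.2.3.4", "********", "**.*.*.*", "192.168.1.*"};
    for (int i = 0; i < 6; ++i)
        std::printf("%-12s %s\n", entries[i], AuditAllowEntry(entries[i]).c_str());
    return 0;
}
```

Running the same audit over the rpcallowip lines of a real conf file shows whether an entry an operator relies on is being ignored, or whether a catch-all entry is still in effect.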