1. Strip commas from numbers
2. 4294967295 (0xFFFFFFFF in hex, or -1 as a signed int) gets interpreted as -1 ("Sorry, your lowest bid must be a positive value."). You should use unsigned integers instead of signed integers.
3. If I give an invalid item ID I can get some pretty significant information disclosure:
Code:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'item_name' cannot be null' in /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/engine/function/users.php:220
Stack trace:
#0 /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/engine/function/users.php(220): PDOStatement->execute(Array)
#1 /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/account.php(390): user->create_item('26', '2013', '1', 'Amera')
#2 {main}
thrown in /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/engine/function/users.php on line 220
4. Based on this, I can do some path traversal. It's not initially useful, but if I start at "http://4pan-dev.com/projects/tibia-market/engine/function/", I have a base API directory to start brute-forcing file names for interesting data. There's nothing preventing me from querying these files (I can 'render' "http://4pan-dev.com/projects/tibia-market/engine/function/users.php"). If I try to change directories, I will get a 403 Forbidden when the directory exists but a 404 Not Found when it doesn't. Writing a script to find every file in your API, and trying to DDoS/crash/exploit the site by 'rendering' the internal files, becomes easy from this point.
6. THE GOLDMINE : XSS INJECTION : You do not verify the world name. By setting the world name to:
Code:
Amera\0\n�<script>SOME JAVASCRIPT HERE</script>
I am able to execute arbitrary JavaScript in the victim's browser.
In this case, I rickrolled your dumbass.
http://4pan-dev.com/projects/tibia-market/auction.php
Code:
Amera\0\n�<iframe width='640' height='360' src='//www.youtube.com/embed/dQw4w9WgXcQ?feature=player_detailpage' frameborder='0' allowfullscreen></iframe>
7. More information disclosure. If you give an invalid ID to view an auction, you get a pop-up that says:
Code:
DataTables warning: table id=DataTables_Table_0 - Requested unknown parameter '1' for row 0. For more information about this error, please see http://datatables.net/tn/4
http://4pan-dev.com/projects/tibia-m...php?id=1234567
This is useful because now I know the name of a database table if I want to start trying to SQL inject, and I also know the database library you are using, so I can start looking for specific vulnerabilities in that software.
Regardless, it is bad. You are storing world names as a string field in inventory item, which is inefficient. There should be a table of world names with an integer primary key that is used to reference them from the inventory table.
Also, the BETA panel may just be BETA, but if there is a way for users to select what world their item is on, the flaw will always exist (given your current database structure).
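As an added illustration of the fixes items 1, 2 and 6 and the closing remarks point at (this is example code written for this page, not the tibia-market project's own code): a bid parser that strips thousands separators and then refuses anything that does not fit an UNSIGNED INT column instead of letting it wrap to -1, and a world lookup that resolves user input to the integer key of a separate worlds table so the free-text name never reaches the inventory row. The table and column names, the INT UNSIGNED column type, the letters-only shape of world names and the sample world list are all assumptions; the in-memory SQLite database is constructed so the script runs stand-alone under the php CLI (64-bit PHP assumed).

```php
<?php
// Added example, not the tibia-market project's code. Table/column names,
// the INT UNSIGNED bid column and the sample world names are assumptions.
declare(strict_types=1);

const MAX_UNSIGNED_INT = 4294967295; // upper bound of a MySQL INT UNSIGNED column (assumed)

// Items 1 and 2: accept "1,000", reject "-1", "0xFFFFFFFF", "1e3", "" and anything
// past the column maximum, rather than letting 4294967295 silently become -1.
function parse_bid(string $raw): ?int
{
    $digits = ltrim(str_replace(',', '', trim($raw)), '0'); // "1,000" -> "1000"
    if ($digits === '') {
        return null;                                         // "", "0", "000": not a positive bid
    }
    if (!ctype_digit($digits)) {
        return null;                                         // sign, hex prefix, exponent, letters
    }
    $max = (string) MAX_UNSIGNED_INT;                        // compare as strings: no int wraparound
    if (strlen($digits) > strlen($max)
        || (strlen($digits) === strlen($max) && strcmp($digits, $max) > 0)) {
        return null;                                         // does not fit the column
    }
    return (int) $digits;                                    // safe on 64-bit PHP (PHP_INT_SIZE === 8)
}

// Closing remarks: worlds get their own table with an integer primary key, and
// the inventory table references that key instead of storing the name string.
function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE worlds (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)');
    $pdo->exec('CREATE TABLE inventory (id INTEGER PRIMARY KEY,
                world_id INTEGER NOT NULL REFERENCES worlds(id), item_name TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO worlds (name) VALUES (?)');
    foreach (['Amera', 'Antica', 'Secura'] as $world) {      // constructed sample data
        $ins->execute([$world]);
    }
    return $pdo;
}

// Item 6: user input is only ever resolved to a known world id. A value like
// "Amera\0\n<script>..." fails the shape check and the lookup, so nothing is stored.
function world_id(PDO $pdo, string $name): ?int
{
    if ($name === '' || strlen($name) > 32 || !ctype_alpha($name)) {
        return null;                                         // assumed shape: letters only
    }
    $st = $pdo->prepare('SELECT id FROM worlds WHERE name = ?');
    $st->execute([$name]);
    $id = $st->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Defence in depth for anything that is rendered anyway: encode at output time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$pdo     = connect();
$payload = "Amera\0\n<script>alert(1)</script>";            // constructed, mirrors the payload above

foreach (['Amera', $payload] as $candidate) {
    $id = world_id($pdo, $candidate);
    echo 'world ', json_encode($candidate), ' -> ', var_export($id, true), "\n";
}
echo 'escaped payload: ', h($payload), "\n";

foreach (['1,000', '4294967295', '4294967296', '-1', '0xFFFFFFFF', '0'] as $bid) {
    echo 'bid ', $bid, ' -> ', var_export(parse_bid($bid), true), "\n";
}
```

Because world_id() returns an integer key from a prepared statement, the inventory insert can bind that key directly and never sees the submitted string, which is what removes the stored XSS for good; h() is there only for legacy rows or other free-text fields that still have to be echoed into a page.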