Date: Mon, 20 Jun 2011 23:17:49 -0500
From: Doug Huff <dhuff@...obdobbs.org>
To: full-disclosure@...ts.grok.org.uk,
	Bitcoin Dev Development <bitcoin-development@...ts.sourceforge.net>,
	Bitcoin <bitcoin-list@...ts.sourceforge.net>, "Mt.Gox" <info@...ox.com>
Subject: More plausible mtgox.com post-mortem (Bitcoin fun
	week!)

I have two independent sources claiming known SQLi vulnerabilities in MtGox.

One of said SQLi vulnerabilities was confirmed to be patched on the 16th.
The other was not patched, to anyone's knowledge, at the time of the market crash and database leak. The one that was not patched could have plausibly been used to dump the user table.

The details follow in these chat logs. POC for the referenced xss+csrf is also provided. Whether or not it is still an issue is not known for sure at this time as the site cannot be accessed.

It has also been found that MtGox exposes its admin user interface even if a user does not have the admin flag set on their account. As of now it is thought that most actions attempted to be used will throw permission errors. Once again, this cannot be confirmed at this time. https://mtgox.com/app/webroot/code/admin

MagicalTux, now that your claim "The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked." Please respond. The truth this time.

MagicalTux's official response at the time of this writing is also attached. It is available at:
https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback

These logs are not modified except for users' hostmasks at their request due to MagicalTux's newfound policy of committing libel against his users based on login logs, since he apparently doesn't keep order book logs for orders that go through immediately, by his own admission. Classy.

Mirrors:
http://privatepaste.com/93e8a9cd64 (#bitcoin-hax log)
http://privatepaste.com/47a50cab5b (sig)
http://www.mediafire.com/?m7o4z3oz9nyd3v3 (#bitcoin-hax log)
http://www.mediafire.com/?nzcpa5mwpw9ccbb (sig)
http://privatepaste.com/e4bacfae37 (PovAddict log)
http://privatepaste.com/9dc5daf8a0 (sig)
http://www.mediafire.com/?bflr76anvv835ib (PovAddict log)
http://www.mediafire.com/?rl250c2dahw7dx9 (sig)
http://privatepaste.com/6dad3927d6 (XSS + CSRF)
http://privatepaste.com/45e5aa0d30 (sig)
http://www.mediafire.com/?synt5sjcbkl9zvq (XSS + CSRF)
http://www.mediafire.com/?uv7be34198pseoo (sig)


Download attachment "#bitcoin-hax_20110620.log" of type "application/octet-stream" (16812 bytes)

Download attachment "#bitcoin-hax_20110620.log.asc" of type "application/octet-stream" (10582 bytes)

View attachment "magicaltux-response.txt" of type "text/plain" (4547 bytes)

View attachment "mtgox-ss.txt" of type "text/plain" (907 bytes)

Download attachment "mtgox-ss.txt.asc" of type "application/octet-stream" (1535 bytes)

Download attachment "PovAddict_20110620.log" of type "application/octet-stream" (2189 bytes)

Download attachment "PovAddict_20110620.log.asc" of type "application/octet-stream" (2542 bytes)



-- 
Douglas Huff




Download attachment "smime.p7s" of type "application/pkcs7-signature" (3737 bytes)

Download attachment "PGP.sig" of type "application/pgp-signature" (882 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/