Silk Road forums
Discussion => Silk Road discussion => Topic started by: imyourepusher on October 08, 2013, 07:05 pm
-
Just wanted to share this quote from imakechili
Hey guys,
Just spent about 10 mins poking around BMR and Sheep to see what I could find.
Both of them leak info through their headers and HTML source. Sheep is running on Apache 2.2.22, using Ubuntu (see the headers on any page, the gallery forums and website are running off the same server and based on the sessid are part of the same application), with an X-Powered-By value of "Nette Framework", an open source PHP framework. Also they're setting a server side session ID (y no encrypted client side?!?!) for this framework. Unfortunately the framework seems to be resilient to the basic skiddie traditional attacks that I tried, but if I were a fed seriously looking for a vulnerability I know where I'd start. (cough Nette Framework Github).
BMR leaks less, but you can tell both the site and forums are running PHP. I'm not sure if it's the same server, but the timestamps are synchronized to within .5 seconds if it's not, which is possible but hints at them being on the same or a similarly configured box. You can also tell that at the very least the forums are running off PHP package 5.3.10-1ubuntu3.8 (attack vector!) and the forums are using the PunBB software (attack vector!).
Something to ponder when sending in your bitcoins, eh?
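As an added example that is not part of the original post or of either site's code: a small Python script that pulls the same identifying details the quoted post lists (Server, X-Powered-By, session cookie name, an HTML generator tag, and the Date-header skew between two responses) out of raw HTTP responses. Both sample responses below are constructed for this example and modelled on the values named above; the cookie names, the HTML bodies and the hypothetical `forum_sid` cookie are assumptions, not captures.

```python
"""Fingerprint a web stack from raw HTTP responses, as the quoted post describes.

Both responses are CONSTRUCTED for this example (not captures from Sheep, BMR or
any real server). Header values are modelled on the details named in the post:
Apache 2.2.22 on Ubuntu, X-Powered-By: Nette Framework, PHP 5.3.10-1ubuntu3.8,
PunBB. Cookie names and HTML bodies are assumptions.
"""
import re
from email.utils import parsedate_to_datetime

SHEEP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 08 Oct 2013 19:05:00 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: Nette Framework\r\n"
    "Set-Cookie: PHPSESSID=4f3c9b2e8a1d; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Market</title></head><body>..</body></html>"
)

BMR_FORUM_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 08 Oct 2013 19:05:01 GMT\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.3.10-1ubuntu3.8\r\n"
    "Set-Cookie: forum_sid=9a8b7c6d; path=/\r\n"   # hypothetical cookie name
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="PunBB" /></head><body></body></html>'
)

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        if ":" not in line:          # skip junk or folded continuation lines
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def fingerprint(raw):
    """Collect the identifying bits an attacker would note first."""
    _, headers, body = parse_response(raw)
    fp = {"server": None, "powered_by": None, "cookies": [], "generator": None, "date": None}
    for name, value in headers:
        if name == "server":
            fp["server"] = value
        elif name == "x-powered-by":
            fp["powered_by"] = value
        elif name == "set-cookie":
            fp["cookies"].append(value.split("=", 1)[0].strip())
        elif name == "date":
            fp["date"] = parsedate_to_datetime(value)
    match = GENERATOR_RE.search(body)
    if match:
        fp["generator"] = match.group(1)
    return fp


def leaks(fp):
    """Human-readable findings; an empty list means nothing obvious leaked."""
    found = []
    if fp["server"] and "/" in fp["server"]:       # bare "Apache" is not flagged
        found.append("Server header reveals version: " + fp["server"])
    if fp["powered_by"]:
        found.append("X-Powered-By reveals framework/runtime: " + fp["powered_by"])
    if fp["generator"]:
        found.append("HTML generator tag reveals application: " + fp["generator"])
    if any(c.upper() == "PHPSESSID" for c in fp["cookies"]):
        found.append("Default PHP session cookie name confirms PHP sessions")
    return found


def date_skew_seconds(raw_a, raw_b):
    """Difference between two responses' Date headers (the header has 1 s granularity)."""
    a = fingerprint(raw_a)["date"]
    b = fingerprint(raw_b)["date"]
    return abs((a - b).total_seconds())


if __name__ == "__main__":
    for label, raw in (("sheep", SHEEP_RESPONSE), ("bmr-forum", BMR_FORUM_RESPONSE)):
        print(label)
        for finding in leaks(fingerprint(raw)):
            print("  -", finding)
    print("Date skew:", date_skew_seconds(SHEEP_RESPONSE, BMR_FORUM_RESPONSE), "s")
```

Two caveats for anyone repeating this against a live site: the HTTP Date header is only second-granular, so sub-second "same box" inferences need another clock source (for example TCP timestamps), and every one of these headers can be removed or falsified by the operator (`ServerTokens Prod` and `ServerSignature Off` in Apache, `expose_php = Off` in php.ini, and `Header unset X-Powered-By` via mod_headers for a framework that sets its own), so treat a fingerprint as a hint, not a confirmed version.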
-
They use server side sessions for many reasons; client side sessions are pretty insecure (session hijacking for example). I have been developing web applications professionally for 15+ years and as a hobby even longer. I am very good with security. I have gone through BMR and have found nothing. Sheep has some CSRF vulnerabilities but those are not detrimental. BMR has no vulnerabilities I can see. Showing the web server type is not a vuln by any means. BMR is being upgraded; they were under the radar and are fixing a ton of things. BMR is the main place to go. Deepbay is even worse; I checked them out and holy SHIT they are loaded with possible vulnerabilities. As I said, possible, just based on their setup. Understand that most people have learned not to store large amounts of BTC on their market wallets. I know I will be moving out all coins released from escrow ASAP, and buyers should only put in what they need to make a purchase. Why are all you people spreading lies about BMR? It's a great place and has been around forever, not as flashy as Sheep but it is 100% solid. You are right that Sheep is insecure, but BMR has nothing; it uses no open source documents. Yes, it uses PHP but most likely MYSQLI databases, unlike SR which from my understanding was MySQL only. BMR seems to be far more secure than SR. And I am sure wallets are encrypted and backed up so a hack would do nothing, especially if the server is in a VM, unless the attacker gains remote access.
-
If you know so much, can you tell me what's going on at the login page of BMR now?? ???
-
great posts
good to have you guys on our team :)
keep up the good work :)
-
Thank you for that... Neither of these technical flaws will negate the human aspect of the operators of these sites feeling the heat after the Silk Road's downfall, and maybe running off with everything if they think the hunt is on for them. I know the potential commission to be made is enormous, especially if TOR and other security aspects are worked out in spite of the NSA and the United States of Fascism. When the U.S. Federal gov't is after you, they will not stop until they get their man. Once you're under their crosshairs they will never leave you be.
-
Yes I can. The updates are still in progress. If you are not familiar with how server updates work, during an upgrade things are usually run under a new vhost or a new VM. If it is a new VM, only 10% or so of CPU/memory usage is usually dedicated to that VM. Backopy is getting things ready to handle 50% of Silk Road's traffic. The server is overloaded still. It will be back to normal within 24 hours, I'm sure. Everything works fine for most vendors over there and everything seems to be in place. The server is just overloaded, like what happened for the first YEAR of SR. It's better to do this now than when it is too late and everything bottlenecks. It will be ok; patience is key. Would you guys rather have everything fixed now, or fixed once it crashes when 100s of orders are in escrow with even more coins in your account?