Joomla Gaming

The Gaming extensions for Joomla!


MAJOR PROBLEM - EXPLOITABLE
MAJOR PROBLEM - EXPLOITABLE (1 year, 6 months ago, #1975)
Tyisbuddha (Fresh Boarder, Posts: 12, Points: 10404)
So uh, I have a concern.

I'm currently running JG BlackJack and JG RPS with CB & AUP.

First off, this is an awesome ext and the reward mechanics seem to be working basically perfectly.

But I have a major problem and I'm not sure if it's just my config or if it's a problem in the ext(s).

If a user has obtained a 0 point balance after a request for a game has been sent with X bet, and this user accepts the bet and loses, the house (system) still generates the points for the winner (as needed); however, it never checks the proper balance and allows acceptance of the game even though they don't have the points to cover it if they lose.

Example:

User1 loses the total sum of their remaining balance in 1 of the X challenges already made to them.

Upon losing, User1 accepts another challenge from User2: User2 challenges User1 to a game of RPS for 5 points.

If User1 wins, the game was played unfairly because User1 wouldn't have had the available balance to cover a loss, but still gets paid (and User2 still loses the points, kind of a hidden no harm no foul).

HOWEVER, if User2 wins:
- the rules (system) seem to still pay out in points to User2 (according to my testing of this issue, it logs the win in AUP History too)
- the rules for checking the balance of Player 1 didn't do anything, if they even exist.
- ergo the balance is taken from the system ... generated. Creating potentially endless losses that would be a pain in the ass to even track.

Re: MAJOR PROBLEM - EXPLOITABLE (1 year, 6 months ago, #1977)
Tyisbuddha (Fresh Boarder, Posts: 12, Points: 10404)
I hope that this is just an issue caused by my ignorance.

Re: MAJOR PROBLEM - EXPLOITABLE (1 year, 6 months ago, #1978)
Vanama (Administrator, Posts: 712, Points: 5063069)
Yes, it is true that there is no such check, but I'm going to fix this in later versions of RPS and Blackjack.
Maybe here I'll give a piece of code to insert as a quick fix. I think it would not be difficult.
Like my extensions? Please donate.
Please vote for my extensions here. Thanks!

Re: MAJOR PROBLEM - EXPLOITABLE (1 year, 6 months ago, #1979)
Tyisbuddha (Fresh Boarder, Posts: 12, Points: 10404)
I'd much appreciate it if you did, because this is already a big hit for the few users on my domain lol. Ro Sham Bo is epic LOL. People like seeing their points grow.
Last Edit: 1 year, 6 months ago by Tyisbuddha.

Re: MAJOR PROBLEM - EXPLOITABLE (1 year, 6 months ago, #1980)
Vanama (Administrator, Posts: 712, Points: 5063069)
Here is a quick fix for Blackjack. Find and replace the following code in the blackjack.class.php file.

Find

    if (!is_numeric($challenged) || !is_numeric($bet) ) {
        echo "<span class='alert'>".BJ_NO_ALLOWED_DATA."</span>";
    }else if (($mystats->points < $bet) && $mystats->points) {
        echo "<span class='alert'>".BJ_YOU_HAVE_NOT_POINTS." ".BJ_FOR_THIS_BET."</span>";
        blackjack::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else if ($allowbet == 0 ) {
        echo "<span class='alert'>".BJ_NOT_ALLOWED_BET."</span>";
        blackjack::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else if ($allowedopponent == 0 ) {
        echo "<span class='alert'>".BJ_SELECTED_PLAYER_WILL_NOT_BE_CHALLENGED."</span>";
        blackjack::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else{


and replace it with:

    // Sum of this player's bets in games that are still open (result=0),
    // so outstanding bets count against the balance before a new bet is allowed.
    $query = "SELECT sum(bet) FROM #__blackjack_games WHERE challenger = $my->id AND result=0";
    $database->setQuery($query);
    $summybets = $database->loadResult();

    if (!is_numeric($challenged) || !is_numeric($bet) ) {
        echo "<span class='alert'>".BJ_NO_ALLOWED_DATA."</span>";
    }else if (($mystats->points < $bet) && $mystats->points) {
        echo "<span class='alert'>".BJ_YOU_HAVE_NOT_POINTS." ".BJ_FOR_THIS_BET."</span>";
        blackjack::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else if ($allowbet == 0 ) {
        echo "<span class='alert'>".BJ_NOT_ALLOWED_BET."</span>";
        blackjack::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else if ($allowedopponent == 0 ) {
        echo "<span class='alert'>".BJ_SELECTED_PLAYER_WILL_NOT_BE_CHALLENGED."</span>";
        blackjack::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else if (($mystats->points < $bet + $summybets) && ($bet + $summybets > 0)) {
        // Reject when the balance does not cover the new bet plus all open bets.
        echo "<span class='alert'>".BJ_YOU_HAVE_NOT_POINTS." ".BJ_FOR_THIS_BET."</span>";
        blackjack::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else{


Try it.

Re: MAJOR PROBLEM - EXPLOITABLE (1 year, 6 months ago, #1981)
Vanama (Administrator, Posts: 712, Points: 5063069)
For RPS, open the rps.class.php file and find

    if (!is_numeric($challenged) || !is_numeric($bet) || !is_numeric($weapon) || $weapon > 3) {
        echo "<span class='alert'>".RPS_NO_ALLOWED_DATA."</span>";
    }else if (($mystats->points < $bet) && $mystats->points) {
        echo "<span class='alert'>".RPS_YOU_HAVE_NOT_POINTS." ".RPS_FOR_THIS_BET."</span>";
        rps::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else if ($allowbet == 0 ) {
        echo "<span class='alert'>".RPS_NOT_ALLOWED_BET."</span>";
        rps::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else if ($allowedopponent == 0 ) {
        echo "<span class='alert'>".RPS_SELECTED_PLAYER_WILL_NOT_BE_CHALLENGED."</span>";
        rps::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else{


and replace it with

    // Same idea as the Blackjack fix: sum this player's bets in open RPS games (result=0).
    $query = "SELECT sum(bet) FROM #__rps_games WHERE challenger = $my->id AND result=0";
    $database->setQuery($query);
    $summybets = $database->loadResult();

    if (!is_numeric($challenged) || !is_numeric($bet) || !is_numeric($weapon) || $weapon > 3) {
        echo "<span class='alert'>".RPS_NO_ALLOWED_DATA."</span>";
    }else if (($mystats->points < $bet) && $mystats->points) {
        echo "<span class='alert'>".RPS_YOU_HAVE_NOT_POINTS." ".RPS_FOR_THIS_BET."</span>";
        rps::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else if ($allowbet == 0 ) {
        echo "<span class='alert'>".RPS_NOT_ALLOWED_BET."</span>";
        rps::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else if ($allowedopponent == 0 ) {
        echo "<span class='alert'>".RPS_SELECTED_PLAYER_WILL_NOT_BE_CHALLENGED."</span>";
        rps::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else if (($mystats->points < $bet + $summybets) && ($bet + $summybets > 0)) {
        // Reject when the balance does not cover the new bet plus all open bets.
        echo "<span class='alert'>".RPS_YOU_HAVE_NOT_POINTS." ".RPS_FOR_THIS_BET."</span>";
        rps::ShowChallengeForm($Itemid, $my, $database, $config, $livesite, $mystats);
    }else{
Last Edit: 1 year, 6 months ago by Vanama.
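The Blackjack and RPS quick fixes above both add the same rule: a new bet is only allowed if the player's points cover it plus every bet still open. The following is an added example, not code from the Joomla Gaming extensions; it models that rule over a constructed in-memory games table so the original condition and the fixed one can be compared, and it also shows why the original `($mystats->points < $bet) && $mystats->points` never rejects a zero balance. The `can_accept` function is my own extension applying the same rule on the accept path the first post describes; the patches themselves only touch the challenge path.

```python
# Added example (not the extensions' own code). Column names follow the patch:
# "challenger", "bet", and "result" == 0 meaning the game is still open.

def open_exposure(games, user_id):
    """Equivalent of SELECT sum(bet) ... WHERE challenger = ? AND result = 0."""
    return sum(g["bet"] for g in games
               if g["challenger"] == user_id and g["result"] == 0)

def original_check_rejects(points, bet):
    """Pre-fix condition: ($mystats->points < $bet) && $mystats->points.
    With points == 0 the second operand is false, so the bet is never
    rejected: that is the gap the thread reports."""
    return points < bet and bool(points)

def fixed_check_rejects(points, bet, exposure):
    """Added condition: points < bet + summybets && bet + summybets > 0."""
    total = bet + exposure
    return points < total and total > 0

def can_challenge(games, stats, user_id, bet):
    """Decision for a new challenge after the patch: the data check, the
    original balance check and the new exposure check must all pass."""
    if not isinstance(bet, int) or bet < 0:   # stands in for is_numeric()
        return False
    points = stats[user_id]
    if original_check_rejects(points, bet):
        return False
    return not fixed_check_rejects(points, bet, open_exposure(games, user_id))

def can_accept(games, stats, user_id, bet):
    """Assumed extension: apply the fixed rule when a challenge is accepted,
    so a player at 0 points cannot take on a bet they cannot cover."""
    return not fixed_check_rejects(stats[user_id], bet, open_exposure(games, user_id))

# Constructed sample: user 1 has two open 5-point games and one settled game;
# user 2 has no games and a balance of 0.
SAMPLE_GAMES = [
    {"challenger": 1, "bet": 5, "result": 0},
    {"challenger": 1, "bet": 5, "result": 0},
    {"challenger": 1, "bet": 20, "result": 1},
]
SAMPLE_STATS = {1: 10, 2: 0}

if __name__ == "__main__":
    print("user 1 exposure:", open_exposure(SAMPLE_GAMES, 1))
    print("user 1 may bet 5:", can_challenge(SAMPLE_GAMES, SAMPLE_STATS, 1, 5))
    print("user 2 (0 pts) original check rejects 5:", original_check_rejects(0, 5))
    print("user 2 (0 pts) may accept 5:", can_accept(SAMPLE_GAMES, SAMPLE_STATS, 2, 5))
```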