Tuan Sh

Customer
Hi guys,

VBCredits has a big exploit that every user can cheat with easily. When the credit popup opens, click repeatedly, as fast as you can, on the submit button (of course after you enter the amount to donate to this user); the engine does not provide a policy to prevent that, such as preventing multiple submits. The credit points of the sender can become a negative number, and the credit points of the receiver, sadly enough, can be exactly the donated amount multiplied by the number of clicks (usually 2-4).

I tried adding a little JavaScript to this submit button (onclick="this.disabled=true") to prevent multiple submits, but I don't think it's a good solution. Anyone can use Chrome or Firefox's Firebug to edit and delete my onclick code easily.

So it is up to the DBT team to fix it in the core engine.

Thanks.
 
Thanks - I can confirm this is possible and a bad bug. At least it does deduct for each click you manage to get in there :D I'll come up with something...

---------- Post added at 12:09 ---------- Previous post was at 11:40 ----------

This fixes it. In credits.php find

PHP:
    VBCREDITS::shutdown();
    exit;
replace with

PHP:
    // Skip processing when this user already has a transaction recorded for the
    // same actionid within the last 5 seconds (a rapid double submit).
    if (!$flooding = $db->query_first("
        SELECT transactionid
        FROM " . TABLE_PREFIX . "credits_transaction
        WHERE actionid = '" . $db->escape_string($vbulletin->GPC['actionid']) . "'
          AND userid = " . $vbulletin->userinfo['userid'] . "
          AND timestamp >= " . (TIMENOW - 5) . "
        LIMIT 1
    "))
    {
        VBCREDITS::shutdown();
    }
    exit;

That will cause it to ignore any clicks for the same thing made within 5 seconds. I figure that's enough time for your server to respond vs. how quickly someone can possibly send another donation to someone else. The screen will still say success multiple times, but only the first will actually get through :)
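As an added illustration (not the poster's patch and not vBCredits code; it uses a simplified two-table schema of my own), the block below reproduces the double-submit race of a read-then-write transfer, and shows two controls that close it at the database rather than in the browser: a one-time form token that the table makes unique, so a replayed submit fails on insert, and a conditional debit that only succeeds while the balance still covers the amount. Note that a time-window lookup like the one above is still a separate check before the write, so the conditional update is what makes the balance unable to go negative.

```python
import sqlite3

def setup():
    # Constructed schema: a users table with a credit balance and a donations
    # table whose PRIMARY KEY is the one-time token sent with each submit.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, credits INTEGER NOT NULL)")
    db.execute("CREATE TABLE donations (token TEXT PRIMARY KEY, sender INTEGER, "
               "receiver INTEGER, amount INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, 10), (2, 0)])
    return db

def naive_donate(db, sender, receiver, amount):
    # Read-then-write: the balance check and the debit are separate steps.
    # The generator yields between them to model where a second click lands.
    bal = db.execute("SELECT credits FROM users WHERE userid=?", (sender,)).fetchone()[0]
    if bal < amount:
        return
    yield  # a second rapid submit runs its own check here, against the same balance
    db.execute("UPDATE users SET credits=credits-? WHERE userid=?", (amount, sender))
    db.execute("UPDATE users SET credits=credits+? WHERE userid=?", (amount, receiver))

def race_naive(db, amount):
    # Two rapid submits: both pass the check before either one writes.
    clicks = [naive_donate(db, 1, 2, amount) for _ in range(2)]
    for c in clicks:
        next(c, None)
    for c in clicks:
        for _ in c:
            pass

def safe_donate(db, token, sender, receiver, amount):
    try:
        with db:  # one transaction; any exception rolls back every statement in it
            # Duplicate token (a re-submit) violates the PRIMARY KEY and aborts here.
            db.execute("INSERT INTO donations VALUES (?, ?, ?, ?)",
                       (token, sender, receiver, amount))
            # Conditional debit: affects 0 rows when the balance would go negative.
            cur = db.execute("UPDATE users SET credits=credits-? "
                             "WHERE userid=? AND credits>=?", (amount, sender, amount))
            if cur.rowcount != 1:
                raise ValueError("insufficient credits")
            db.execute("UPDATE users SET credits=credits+? WHERE userid=?", (amount, receiver))
        return True
    except (sqlite3.IntegrityError, ValueError):
        return False

def balances(db):
    return dict(db.execute("SELECT userid, credits FROM users ORDER BY userid"))
```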