phoenix-cms
Worker
Joined: Aug 05, 2005
Posts: 139
Posted: Thu Mar 09, 2006 3:06 pm
Many phpNuke sites contain security issues. One of my sites has over 7000 (it's just my Linux support site), but I'm having one issue with spambots because you can bypass the Nuke security code.
I have tried many ways, even altering the gfx functions to warp the security image.
The only thing I can see is that the whole function should be replaced.
I've been looking into the phpclasses site and came across this:
http://hn273.users.phpclasses.org/browse/package/1569.html
But are there going to be platform issues, because it imports TTF fonts and builds JPG or PNG images from them, which are then displayed as a graphic box?
I don't have a Linux desktop box to test on, as mine is only console-based Linux, and I have no access to another PC that can test this.
Would you say this would fix any Nuke security issues in Nuke?
Would it stop bots and prevent them from registering? Has anyone had any luck with captcha with phpNuke, as Nuke has not changed much at all since Thatware.
The only people who have changed it much are PostNuke and XOOPS, where FB still has not done any major changes over Thatware.
Many thanks
steve

_________________ Evo 3.0 Developer & nukecops.com Admin
coming soon www.www.cmsrevolution.com

Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Thu Mar 09, 2006 7:37 pm
I'm not aware of any bots that can read the standard security image, but I shouldn't think it's beyond a simple brute force attack if you only have a limited number of alphanumeric combinations.
I would be more concerned if they were bypassing the activation link.

phoenix-cms
Posted: Thu Mar 09, 2006 8:47 pm
It can be done with that security code. I tested it myself, and it made me realise how easy the security code is. For example:
You can bypass the confirmation code. First you check how many digits it has,
then the confirm code:
If you have a 6 digit code, type something like
index.php?gfx=gfx&random_num=123456
then view the properties of the image, say 770471; that's your confirmation code.
Then make a simple HTML page to post and register, and what you've got is a simple script; you can modify this under Perl or CGI and mass spam sites.
Just a thought.
There are many sites now who have brought this up. Also, I managed something basic using the built-in PHP functions; I'm just going to see how I can make fonts that are more universal, like an image-based map or something like games use, for example.
Then with hardly any major code edits we can have uncrackable code until someone finds something, but that'll be a while and many people would have to be using it.
Best part: I tested it under Firefox, IE6, IE7 and Opera and all work fine. I'm sure it works under other OSes like Linux and Mac as well; I'm just unable to test this atm. I'll post up some code changes tomorrow once I've finished; it's still early code.
If it's good enough I'll speak to FB this week and try and get him to use it.
Thanks
steve

Susann
Moderator
Joined: Dec 19, 2004
Posts: 3191
Location: Germany: Moderator German NukeSentinel Support
Posted: Thu Mar 09, 2006 9:18 pm
Quote: "Would you say this would fix any Nuke security issues in Nuke?"

I hope so.
Last year there was an interesting discussion about captchas in Nuke and I'm still interested because I know there are very intelligent bots.
I saw only a few phpNuke websites with captchas in the past. If you need a tester, let me know. It's worth the trouble.

evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Fri Mar 10, 2006 8:39 am
Aye, the security code is not going to stop someone from reading it once and then using it multiple times per day. It is a flaw in the concept.
If that class works as one-use only, it would definitely help getting it into phpNuke.
(I have tried some OCR software to break the security code, but no luck so far. Need something more complicated to remove the lined backgrounds. Changing fonts, colours and background would definitely help to stop OCR from reading it.)

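The three weaknesses raised so far (the client chooses the code via random_num and the image reveals it, a code that has been read once can be replayed, and a short alphanumeric code can be brute forced) all come from the server not owning the challenge. The following is an added example of a server-issued, single-use challenge; it is not code from this thread or from phpNuke. It assumes PHP 7.1 or later with the GD extension, a session key named `captcha`, a form field named `code`, a 4-minute lifetime and a 5-attempt cap; all of those names and values are assumptions of the example.

```php
<?php
// Added example, not phpNuke's own code: a server-issued, single-use CAPTCHA
// challenge. The server picks the code (no random_num in the URL), keeps only
// a salted hash of it in the session, expires it, caps wrong guesses, and
// destroys it after the first verification so a read code cannot be replayed.
// Session key names, lifetime and attempt cap are assumptions of this example.

const CAPTCHA_TTL_SECONDS  = 240;  // challenge expires after 4 minutes (assumed value)
const CAPTCHA_MAX_ATTEMPTS = 5;    // wrong answers before a fresh image is forced (assumed value)
const CAPTCHA_ALPHABET     = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O/1/I lookalikes

// Issue a new challenge. Only a salted hash is kept in the session, so a bug
// that leaks session contents does not leak the answer. The plaintext is
// returned once, to the caller that draws the image.
function captcha_issue(array &$session, int $length = 6, ?int $now = null): string
{
    $now  = $now ?? time();
    $code = '';
    $max  = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $code .= CAPTCHA_ALPHABET[random_int(0, $max)]; // CSPRNG, not mt_rand()
    }
    $salt = bin2hex(random_bytes(8));
    $session['captcha'] = [
        'hash'     => hash('sha256', $salt . $code),
        'salt'     => $salt,
        'expires'  => $now + CAPTCHA_TTL_SECONDS,
        'attempts' => 0,
    ];
    return $code;
}

// Verify a submitted answer. The challenge is destroyed on success and once
// the attempt cap is reached, so a code is never reusable and guessing is
// bounded; the form must then load a new image.
function captcha_verify(array &$session, string $answer, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!isset($session['captcha'])) {
        return false;                        // nothing issued for this session
    }
    $c = $session['captcha'];
    if ($now > $c['expires']) {
        unset($session['captcha']);          // stale: force a fresh challenge
        return false;
    }
    $session['captcha']['attempts']++;
    $given = hash('sha256', $c['salt'] . strtoupper(trim($answer)));
    $ok    = hash_equals($c['hash'], $given); // constant-time comparison
    if ($ok || $session['captcha']['attempts'] >= CAPTCHA_MAX_ATTEMPTS) {
        unset($session['captcha']);          // single use
    }
    return $ok;
}

// Draw the code with GD. The endpoint that calls this takes no parameters:
// the code comes from captcha_issue(), never from the query string.
function captcha_render_png(string $code): string
{
    $im = imagecreatetruecolor(120, 40);
    $bg = imagecolorallocate($im, 255, 255, 255);
    $fg = imagecolorallocate($im, 20, 20, 20);
    imagefill($im, 0, 0, $bg);
    for ($i = 0; $i < 6; $i++) {             // light noise lines behind the glyphs
        $c = imagecolorallocate($im, random_int(120, 200), random_int(120, 200), random_int(120, 200));
        imageline($im, random_int(0, 119), random_int(0, 39), random_int(0, 119), random_int(0, 39), $c);
    }
    imagestring($im, 5, 12, 12, $code, $fg); // built-in font 5; imagettftext() would allow TTF fonts
    ob_start();
    imagepng($im);
    imagedestroy($im);
    return (string) ob_get_clean();
}

// Wiring sketch. Image endpoint (takes the place of index.php?gfx=gfx&random_num=...):
//   session_start();
//   header('Content-Type: image/png');
//   header('Cache-Control: no-store');      // each page load gets a fresh challenge
//   echo captcha_render_png(captcha_issue($_SESSION));
// Registration handler (field name 'code' is assumed):
//   session_start();
//   if (!captcha_verify($_SESSION, $_POST['code'] ?? '')) { /* reject and redisplay the form */ }
```

The image endpoint both issues and draws the challenge, so the plaintext never has to be stored anywhere; a page that reloads the image simply gets a new challenge. Because verification deletes the session entry, a registration script that posts the same code repeatedly fails on the second attempt regardless of how it obtained the first one.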
Steptoe
Involved
Joined: Oct 09, 2004
Posts: 293
Posted: Fri Mar 10, 2006 12:45 pm
In general, I find sites with security codes a pain, especially if I don't have my glasses on and/or they have set the auto-login to only a couple of days.
From the end user's (visitor/member) point of view it has a tendency to put people off.
Maybe a rethink of the whole concept/method?
I don't have any ideas.

_________________ My Spelling is NOT incorrect, it's Creative

guidyy
Worker
Joined: Nov 22, 2004
Posts: 208
Location: Italy
Posted: Fri Mar 10, 2006 1:09 pm
I agree with Steptoe.
My site has a very wide audience (grandmas seeking birthday cake recipes for the grandson, housewives, chefs, etc.) and most likely they can't read the code, or completely forget to type it in...
I'm also clueless about a different solution, though!
Guido

Guardian2003
Posted: Fri Mar 10, 2006 1:46 pm
Why don't we use a 128-bit PGP key instead?

phoenix-cms
Posted: Fri Mar 10, 2006 2:58 pm
Yeah, I like those ideas. OK, I have phpNuke 7.9 for testing so you can see, and I will post all the code changes on the front page as well as here. Was busy last night with work; I'll start on it tonight. :)

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Sat Mar 11, 2006 12:57 am
I had a very nice one working (see [link]), but then M$ had a security issue and, as usual, rather than fix the exact cause, they threw the baby out with the bath water and broke IE permanently.

djmaze
Subject Matter Expert
Joined: May 15, 2004
Posts: 727
Location: http://tinyurl.com/5z8dmv
Posted: Sat Mar 11, 2006 8:54 am
Captcha sucks; for example, go look at it when you're (colour)blind.
Cookie/session will not work either, since you just write a smarter script to post spam.
The only way to prevent spam is by adding a check system that validates $_POST data based on the http:// and [url] stuff that is put in the $_POST values.

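One way to build the $_POST check described above, as an added example that is not part of this thread or of phpNuke: it counts raw http(s):// links and BBCode [url] tags in each submitted field, measures how much of the text is link markup, flags links in fields that should never carry one, and returns the reasons so the caller can reject, hold for moderation or log. The thresholds, the list of link-free field names and the sample submissions are all constructed for the example.

```php
<?php
// Added example, not phpNuke's own code: a link-content check over $_POST.
// Thresholds and the list of fields that must never contain a URL are
// assumptions of this example.

const SPAM_MAX_LINKS      = 2;    // more than this many links in one field (assumed value)
const SPAM_MAX_LINK_RATIO = 0.4;  // more than 40% of the text being link markup (assumed value)
const SPAM_NO_URL_FIELDS  = ['username', 'email', 'subject']; // assumed field names

const RE_URL    = '~https?://[^\s\[\]<>"\']+~i';
const RE_BBCODE = '~\[url(?:=[^\]]*)?\].*?\[/url\]~is';

// Count links in one value and measure how many characters they occupy.
// [url]...[/url] is stripped first so the URL inside it is not counted twice.
function link_stats(string $text): array
{
    $without_bbcode = preg_replace(RE_BBCODE, '', $text, -1, $bbcode);
    $without_links  = preg_replace(RE_URL, '', $without_bbcode, -1, $urls);
    return [
        'links'      => $bbcode + $urls,
        'link_chars' => strlen($text) - strlen($without_links),
        'text_chars' => strlen($text),
    ];
}

// Decide over a whole POST body. Returns ['spam' => bool, 'reasons' => string[]].
function classify_post(array $fields): array
{
    $reasons    = [];
    $text_chars = 0;
    $link_chars = 0;
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            continue;                         // arrays and uploads are out of scope here
        }
        $s = link_stats($value);
        $text_chars += $s['text_chars'];
        $link_chars += $s['link_chars'];
        if ($s['links'] > 0 && in_array($name, SPAM_NO_URL_FIELDS, true)) {
            $reasons[] = "$name: contains a link";
        } elseif ($s['links'] > SPAM_MAX_LINKS) {
            $reasons[] = "$name: {$s['links']} links";
        }
    }
    if ($text_chars > 0 && $link_chars / $text_chars > SPAM_MAX_LINK_RATIO) {
        $reasons[] = sprintf('%d%% of the text is link markup', (int) round(100 * $link_chars / $text_chars));
    }
    return ['spam' => $reasons !== [], 'reasons' => $reasons];
}

// Constructed sample submissions (not real posts); example.invalid is a reserved name.
$legit = [
    'username' => 'steve',
    'subject'  => 'Captcha replacement for 7.9',
    'message'  => 'Had a look at the phpclasses package, see http://example.invalid/pkg for the idea. Works in Firefox and Opera here.',
];
$spam = [
    'username' => 'cheap-pills http://example.invalid/buy',
    'subject'  => 'great offer',
    'message'  => '[url=http://example.invalid/a]a[/url] [url=http://example.invalid/b]b[/url] http://example.invalid/c',
];

foreach (['legit' => $legit, 'spam' => $spam] as $label => $post) {
    $r = classify_post($post);
    printf("%-5s -> %s %s\n", $label, $r['spam'] ? 'REJECT' : 'accept', implode('; ', $r['reasons']));
}
```

The first submission passes: a single link in the message body is under the per-field limit, and the link makes up a small share of the text. The second trips three separate rules (a link in the username, three links in the message, and most of the body being link markup), which is the point of returning reasons rather than a bare boolean: a site can start by only logging and tune the thresholds against its own traffic before it begins rejecting.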