| 7:53 am on Jul 5, 2006 (gmt 0)|
|if ($_POST['token']!= $_SESSION['token']) |
If the mail script was called remotely i.e. NOT from the website the form was residing on, the $_POST['token'] would be an empty string, as well as $_SESSION['token']... so the IF statement would evaluate as true and would be allowed.
You should therefore add at the beginning:
if ($_POST['token']=="") exit; // who sent you here without a token?!?!
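As an added example (not code from the thread), here is a complete token check that includes the empty-token guard from the post above; the hidden-field name, the session key and the form markup are assumptions:

```php
<?php
// Added example: generate a per-session token for the form and verify it in
// the mail script. The empty-token check is the fix described in the post:
// without it, two empty strings compare equal and a remote POST gets through.
session_start();

// Called when rendering the form: create the session token once.
function form_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Called by the mail script before it does anything else.
function token_is_valid(array $post, array $session): bool
{
    $sent   = (string) ($post['token'] ?? '');
    $stored = (string) ($session['token'] ?? '');
    if ($sent === '' || $stored === '') {
        return false; // who sent you here without a token?
    }
    // Strict, constant-time comparison instead of a loose != on strings.
    return hash_equals($stored, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit;
    }
    // ... build and send the mail here ...
} else {
    $token = htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="token" value="' . $token . '">'
       . '<input type="text" name="name">'
       . '<button type="submit">Send</button></form>';
}
```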
| 10:31 pm on Jul 5, 2006 (gmt 0)|
Someone was asking for a quick summary on how the problem could be avoided so...
The original poster complained of being "hijacked" so I assume that spammers were using their form mail script to send spam to other people.
To avoid this:
- Remove line breaks or ctype_print test everything that goes into the email header (TO, FROM, SUBJECT, etc..). preg and ereg will work but str_replace is faster.
- Run stripslashes on everything.
- The TO addy should of course never be assigned by your form.
That's it. The above will solve the problem 100%. Based on my experience with live sites at any rate. There could of course be other injection methods I'm missing but, if so, spammers aren't using them yet.
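The three rules above applied to a form-mail script, as an added example that is not code from the thread; the field names, the owner address and the function names are assumptions:

```php
<?php
// Added example: rule 3 first, the recipient is fixed and never read from the form.
const OWNER_ADDRESS = 'owner@example.com';

// Rules 1 and 2: stripslashes, then refuse any header value that is not plain
// printable ASCII. ctype_print() is false for "\r", "\n", other control bytes
// and the empty string, so a line break smuggled into a header never survives.
// Caveat: it also rejects non-ASCII (accented names); run those through
// mb_encode_mimeheader() first if you need them. stripslashes() only undoes
// magic_quotes escaping, which PHP 5.4 and later no longer apply.
function header_value(string $raw): ?string
{
    $value = trim(stripslashes($raw));
    return ctype_print($value) ? $value : null;
}

function build_message(array $post): ?array
{
    $from    = header_value($post['email'] ?? '');
    $subject = header_value($post['subject'] ?? '');
    if ($from === null || $subject === null
        || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null; // injected line break or malformed address: do not send
    }
    return [
        'to'      => OWNER_ADDRESS,
        'subject' => $subject,
        'body'    => (string) ($post['message'] ?? ''), // the body may contain newlines
        'headers' => ['From' => $from, 'Reply-To' => $from],
    ];
}

// Constructed sample input: one header-injection attempt, one normal submission.
$attempt = ['email' => "x@example.net\r\nBcc: lots@example.org", 'subject' => 'hi'];
$normal  = ['email' => 'jane@example.com', 'subject' => 'Quote request',
            'message' => "Hello,\nplease send a quote."];

var_dump(build_message($attempt)); // NULL: rejected by ctype_print()
$m = build_message($normal);
// mail($m['to'], $m['subject'], $m['body'], $m['headers']); // PHP 7.2+ accepts a headers array
```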
| 11:36 am on Jul 6, 2006 (gmt 0)|
|The other problem that people have mentioned (automated posting just to send you spam) can only be solved 100% with captcha. |
100% is no longer a rock solid statement.
I do not have any example but web rumors tell me that it has been broken.
Any proof around?
| 12:09 pm on Jul 6, 2006 (gmt 0)|
henry0, I've also heard rumours about the captcha not being as effective as it was, although from my own personal experience I've always found it pretty good.
Another easy solution and less server intense than the Captcha is to create a random simple sum and have people enter the total in a text box. I've found this to be very effective indeed.
| 12:13 pm on Jul 6, 2006 (gmt 0)|
Funny, I never mentioned it;
this is exactly my own solution.
| 12:54 pm on Jul 6, 2006 (gmt 0)|
dreamcatcher & henry0
I'm thinking of doing exactly that ... with a twist.
instead of 'just' having mathematical queries to answer, I am thinking of creating a table with around 150 questions / answers to 'validate' a form.
something varied so it cannot be easily bot-guessed, but easy enough for 'thick' people to know the answer - like: what day is April Fools' Day
what animal is Mickey
if today was monday, what day would tomorrow be
how many dwarves were there in Snow White ...
that's 4 already ;)
would that be a good way of doing things?
| 1:07 pm on Jul 6, 2006 (gmt 0)|
Depending on your target you can make it fit your customers/viewers profile
for ex: targeting home/garden: Is crab-grass a seafood or a grass nuisance?
If your users are very diversified it could be seen as an extra step
| 3:00 pm on Jul 6, 2006 (gmt 0)|
>> I've also heard rumours about the captcha not being as effective as it was, although from my own personal experience I've always found it pretty good.
yeah captcha will still do the job and yes it has been cracked, I believe I saw the code actually, was a while ago
| 5:37 pm on Jul 6, 2006 (gmt 0)|
|I do not have any example but web rumors tell me that it has been broken. |
|henry0, I've also heard rumours about the captcha not being as effective as it was, although from my own personal experience I've always found it pretty good. |
|yeah captcha will still do the job and yes it has been cracked |
Captcha should just be one part of the defense:
Source [captcha.net] (see "Advancing AI")
|Several groups have created programs that can pass many CAPTCHAs over 80% of the time. |
Everyone considering the use of a captcha solution should also be aware of the accessibility problems [webmasterworld.com] they may cause.
| 10:45 pm on Jul 6, 2006 (gmt 0)|
|100% is no longer a rock solid statement. |
I do not have any example but web rumors tell me that it (CAPTCHA) has been broken.
To clear up the misconception... CAPTCHA is not a thing, it's a blanket classification for a concept.
It's not possible to say "CAPTCHA has been broken!" Hehe.
Any system where you attempt to tell humans and computers apart by challenging them with some kind of interactive test is a CAPTCHA, as long as it's entirely automated on your side.
Asking a math (or other type of) question is as much a CAPTCHA as distorted numbers and letters. There are endless varieties of CAPTCHA type tests.
As far as traditional image type CAPTCHAs go... The capability to write a program that can parse and interpret a graphic has been around since before the web. In that sense CAPTCHA was broken long before the acronym was coined.
If you're clever, you can write a program to break a single CAPTCHA scheme. However, that program will only break that one CAPTCHA scheme and it will have taken you a lot of time and effort to write it.
There is no program in existence that could spider the web and just break any CAPTCHA it found. There are just too many variations. The best you could do would be to create a program that can break some popular CAPTCHA implementation where a lot of webmasters have used the same code. If you were ambitious you could perhaps write something that would handle small variations (it might break all number/letter type CAPTCHAs where single color text on a single color background was used and the only obfuscation method involved warping).
Having accomplished this you would (maybe) pull off breaking 5% of the CAPTCHAs encountered, and that's probably way too high a number.
Someone posted about groups claiming to break "many" CAPTCHA systems with 80% success. What that means is that they have an app that can pass a very weak type of CAPTCHA implementation and even then still fails 20% of the time.
If a spammer did take the huge amount of time to write the above program, the weak CAPTCHA systems it was able to break would quickly change to something else and the spammer would be back to square one.
Basically, it's still safe to say that you can stop automated posting 100% with a creative CAPTCHA. :-)
| 6:29 pm on Jul 11, 2006 (gmt 0)|
Has anyone ever experimented with mod_rewrite.. RewriteCond to combat this issue?
I haven't played around with it yet but it would be like passing a security variable through $_GET (graphic, math question, etc. like mentioned) back to the posting page and using a mod_rewrite RewriteCond to validate the URL.
Throwing 404 errors would cause bots to drop the originating URL and you wouldn't bother visitors so much.