1 sam2kb Apr 30, 2009 18:26
3 sam2kb Apr 30, 2009 18:54
Great, a dumb script fails on developer's blog, but what about others? :roll:
The only way to stop autoreg spam for regular users is [url=http://plugins.b2evolution.net/index.php?s=captcha]Captcha[/url]. Turing Test plugin will fail if I add another GET var with the answer word.
4 yabba Apr 30, 2009 19:10
I'd actually rate turing above captcha ;)
¥
5 sam2kb Apr 30, 2009 19:12
¥åßßå wrote:
I'd actually rate turing above captcha ;)
What about another GET var with the answer word ?
6 yabba Apr 30, 2009 19:14
After you know the word ;)
Hell of a lot of captcha crackers out there huh? ;)
¥
7 sam2kb Apr 30, 2009 19:23
Trust me, a malicious user will know the answer before playing with a target site.
Hell of a lot of captcha crackers out there huh?
Right, that means b2evo should set a time limit like it does on comments form ;)
I didn't check the comments form yet, I hope it doesn't rely on cookies... but uses IP + user agent instead
8 yabba Apr 30, 2009 19:25
A malicious user would use a system that could attack more than one site with the same resource usage ;)
it does ;)
¥
9 edb Apr 30, 2009 19:31
sam2kb wrote:
... Turing Test plugin will fail if I add another GET var with the answer word.
Please explain. Meaning do I have to fix something? Meaning AFTER I fix the bloody hell known as "cat_urlname must be unique and doesn't auto-generate something and is the most abysmal piece of crap to infest the world of categories since 230 and therefore won't ever be fixed officially".
Seriously: is there some sort of security risk with TT or is it a conflict of plugins you're on?
10 sam2kb Apr 30, 2009 19:35
EdB wrote:
sam2kb wrote:
... Turing Test plugin will fail if I add another GET var with the answer word.
Please explain. Meaning do I have to fix something? Meaning AFTER I fix the bloody hell known as "cat_urlname must be unique and doesn't auto-generate something and is the most abysmal piece of crap to infest the world of categories since 230 and therefore won't ever be fixed officially".
Seriously: is there some sort of security risk with TT or is it a conflict of plugins you're on?
In your case, after adding &answer_turing_test=grass to the URL a malicious user will successfully pass the TT
11 sam2kb Apr 30, 2009 19:37
My opinion is an antispam plugin MUST generate random questions/answers each time it displays.
12 yabba Apr 30, 2009 19:38
EdB wrote:
sam2kb wrote:
... Turing Test plugin will fail if I add another GET var with the answer word.
Please explain. Meaning do I have to fix something??
No ;)
I'm sure there's a function for generating unique cat urls based on the name ... no idea why it's never been used when you create a category ... /install/upgrade_stuff.file.php may help you ;)
¥
13 yabba Apr 30, 2009 19:39
sam2kb wrote:
My opinion is an antispam plugin MUST generate random questions/answers each time it displays.
My opinion is, never make a human jump through a hoop ;)
¥
14 edb Apr 30, 2009 20:02
sam2kb wrote:
In your case after adding &answer_turing_test=grass in URL a malicious user will successfully pass the TT
I really doubt that given that Turing Test doesn't use _GET to get stuff. I suppose someone who knows how to auto-inject all the appropriate fields in a comment (stuff that isn't visible in the address bar - right?) would be able to auto-inject the answer to the question, but that supposes that the answer is always the same on all installations. Sadly (for the malicious spammer) it won't work at all on most of the installations that use Turing Test because most don't have that answer ;) Plus if I ever happened to get spam that seemed auto-generated all I have to do is change the question and answer. Suddenly real humans will already have credit and the spammer's program will be junk.
Having said that, I've given some thought to how lazy people are and considered a plethora of 'stock' questions and answers, with a random picker selecting the three that any given user would see upon installation. Heck I'm pretty sure *I* have the stock questions so when spammers start focusing on "b2evo + TT" I'll know it ... and be in a pretty good position to do something about it :)
Anyway piss on "jump through the same damned hoop every damned time". That is the single most offensive part of CAPTCHAs: no matter how many times you "prove" you're a human you still have to jump through the same hoop again and again and again. Imagine if this forum made you validate your email every time you went to post just because MAYBE something bad was happening. Doh! For those who enable trackbacks, the short-lived secret code that makes a trackback address workable is pretty cool given that the other side has to copy/paste something anyway. But to actually force a real human being to repeatedly pass some stupid test that sooner or later a smart person will automagically bypass is pointless.
On the completely unrelated topic, I'm going to beat it with a sledge hammer because that's all I know how to do. First it will always call itself 'autogenerate', then after it inserts that into the table it will update the table with "cNNN" where NNN is the category ID number, and it won't cry when a cat urlname happens to be in the format IT automagically generated when I upgraded to v230 so long ago. 2 files. But first I should look through the install folder even though if I don't I can say "this time Yabba didn't help (because I didn't listen)".
15 sam2kb May 01, 2009 08:16
I really doubt that given that Turing Test doesn't use _GET to get stuff.
Sorry, you're right about it, I thought the plugin uses param() instead of $_POST[]. Unfortunately this doesn't mean anything because it's very easy to imitate a form's POST request.
Let me spam your TT post :)
16 sam2kb May 01, 2009 08:26
Here's a simple script malicious users may use to spam b2evo.
Feel free to delete it, but you don't have to be a bloody hacker to create such a script; I'm just trying to say that b2evo is not protected from auto-registration attacks.
<?php
I deleted the code
?>
17 edb May 01, 2009 09:13
Pretty damned childish don't you think? Not a worry: I've dealt with script kiddies from the forum before. Trust me on this okay? You are NOT the first.
Do you honestly think there is ANYTHING that can stop someone from specifically targeting a specific domain? I don't. I'm not naive is the thing. Perhaps you've a different opinion on that? Now then: try that same exact script on all the b2evolution installations out there that use TuringTest. In fact, if I ever lift the ban on your IP I'll change the question and answer and you can try it on mine. BUT try it like a real spammer would: blind. That means no cheating to see what the answer is okay?
I'm not going to delete your post. If I was going to do that I'd have deleted your nonsense about a virus that turned out to be a stupid blog owner. OTOH I'm not going to consider you an adult either. Rather, I'll accept that you are so deep in the "core philosophy" that you consider spamming an acceptable thing to brag about.
Have fun, EdB
18 sam2kb May 01, 2009 09:35
Do you honestly think there is ANYTHING that can stop someone from specifically targeting a specific domain?
Yes! The timeout on registration form.
This is a [u]feature request[/u], and I'm not saying that "this plugin is good and that is bad". I'm just saying that b2evo has strong protection on one side and poor on another. Turning the existing 'timeout code' into registration timeout will take only a few minutes.
See of the of way it of goes is of that if an actual of human of being of wants to of spam a of blog NOTHING of will of stop of them. Except an IP of block - of course.
You banned my IP... I hope you feel better now... do you really think I was going to spam all your posts... :-/
ps. babelfish added all those "of"
19 yabba May 01, 2009 18:33
Damn, how to watch a feature request backfire huh? ;)
EdB wrote:
Do you honestly think there is ANYTHING that can stop someone from specifically targeting a specific domain? I don't.
100% agreed, and I have some pretty funky protection :D
sam2kb wrote:
I'm not saying that "this plugin is good and that is bad".
I feel your pain but, could I possibly suggest, next time create a demo install and then post code that attacks it ;)
¥
20 sam2kb May 01, 2009 19:00
I feel your pain but, could I possibly suggest, next time create a demo install and then post code that attacks it.
Yesterday I registered 100 random users on my demo site in less than 2 minutes. In the same time I could post 4 spam comments. Feel the difference...
I don't understand why EdB got mad after I posted one (only 1) feedback in his protected blog 8|
21 yabba May 01, 2009 19:40
There's a smidge of a difference between attacking a demo site and attacking a live blog ;)
Better to post the code ( targeted at a demo site ) with "try it for yourself" and then wait for the "how the fuck did you do that ?" questions, I guess ;)
¥
22 sam2kb May 02, 2009 03:34
Ok, boys and girls, run the following file to spam my demo blog.
It tries to post 5 comments and register 20 new users. In reality I'll get 20 users, but only 1 comment.
Please note that all settings are set to their default values except these two: I enabled user registration and changed the feedbacks status to 'published'.
Have fun spamming my blog
23 fplanque May 27, 2009 00:37
I agree that ideally there should be a limit to how many users can be created from the same IP in a given timeframe.
That'd fail on my blog :D
Better still is to have a [url=http://en.wikipedia.org/wiki/Nonce]nonce[/url] (not the sex offender version ... or the rap duo ) for every form/"ajax" call ;)
¥
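The three mitigations the thread ends up proposing (sam2kb's registration timeout in post 18, fplanque's per-IP limit within a timeframe in post 23, and the per-form nonce in the last reply) fit naturally together, so here they are in one added example. This is illustrative code written for this thread, not b2evolution's own code or any of its plugins; the constant names, function names, the `|`-delimited token layout and the in-memory `$used`/`$log` arrays are all assumptions, and a real site would keep those two arrays in a database table or cache shared across requests. It needs PHP 7.4 or later.

```php
<?php
// Added example, not b2evolution code. A time-limited, signed form token
// (nonce) and a per-IP registration counter: the registration timeout
// (post 18), the per-IP limit per time window (post 23) and the per-form
// nonce (last post) in one place. Constants, function names and the
// array-based storage are assumptions; a real site would persist
// $used and $log in a database table or cache shared across requests.
// Requires PHP 7.4+ (arrow functions, numeric separators).

const FORM_SECRET  = 'replace-with-a-long-random-server-secret'; // assumption: per-site secret
const MIN_FORM_AGE = 5;     // seconds; a submission faster than this is not a human filling in the form
const MAX_FORM_AGE = 1800;  // seconds; after this the token has expired and the form must be reloaded
const REG_WINDOW   = 3600;  // seconds; sliding window for the per-IP registration count
const REG_PER_IP   = 3;     // registrations allowed from one IP within REG_WINDOW

/**
 * Issue a token to embed as a hidden field when the form is rendered.
 * Layout: form_name|issued_at|random_nonce|hmac. Anything the server wants
 * to pin down for this particular display (e.g. which Turing question was
 * shown) can be folded into $form_name so the MAC covers it.
 */
function issue_form_token(string $form_name, int $now): string
{
    $nonce   = bin2hex(random_bytes(16));          // fresh per display
    $payload = "$form_name|$now|$nonce";
    $mac     = hash_hmac('sha256', $payload, FORM_SECRET);
    return "$payload|$mac";
}

/**
 * Validate a submitted token. Returns 'ok' or a short reason for refusal.
 * $used records consumed nonces so a captured token cannot be replayed.
 */
function check_form_token(string $token, string $form_name, int $now, array &$used): string
{
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return 'malformed';
    }
    [$name, $issued, $nonce, $mac] = $parts;
    // Verify the MAC before trusting any field; constant-time comparison.
    $expected = hash_hmac('sha256', "$name|$issued|$nonce", FORM_SECRET);
    if (!hash_equals($expected, $mac)) {
        return 'bad_signature';
    }
    if ($name !== $form_name) {
        return 'wrong_form';
    }
    $age = $now - (int) $issued;
    if ($age < MIN_FORM_AGE) {
        return 'too_fast';
    }
    if ($age > MAX_FORM_AGE) {
        return 'expired';
    }
    if (isset($used[$nonce])) {
        return 'replayed';
    }
    $used[$nonce] = $now;   // spend the nonce
    return 'ok';
}

/** Sliding-window limit: at most REG_PER_IP successful registrations per IP per REG_WINDOW. */
function registration_allowed(string $ip, int $now, array &$log): bool
{
    $recent = array_filter($log[$ip] ?? [], fn(int $t) => $now - $t < REG_WINDOW);
    if (count($recent) >= REG_PER_IP) {
        return false;
    }
    $recent[] = $now;
    $log[$ip] = array_values($recent);
    return true;
}

// Walk-through with constructed timestamps (no real clock or network).
$used = [];
$log  = [];
$t0   = 1_700_000_000;
$token = issue_form_token('register', $t0);

printf("%-22s %s\n", 'submitted after 1 s:',   check_form_token($token, 'register', $t0 + 1, $used));
printf("%-22s %s\n", 'submitted after 30 s:',  check_form_token($token, 'register', $t0 + 30, $used));
printf("%-22s %s\n", 'same token again:',      check_form_token($token, 'register', $t0 + 31, $used));
printf("%-22s %s\n", 'token on another form:', check_form_token($token, 'comment', $t0 + 31, $used));
// Tamper with the issue time (the first |digits| field); the MAC no longer matches.
$tampered = preg_replace('/\|\d+\|/', '|' . ($t0 - 100) . '|', $token, 1);
printf("%-22s %s\n", 'altered issue time:',    check_form_token($tampered, 'register', $t0 + 30, $used));

// Five registration attempts from one constructed address, 10 s apart.
foreach (range(0, 4) as $i) {
    printf("attempt %d from 203.0.113.7: %s\n", $i + 1,
        registration_allowed('203.0.113.7', $t0 + 10 * $i, $log) ? 'allowed' : 'refused');
}
```

The "timeout" the thread asks for is the `MIN_FORM_AGE` check: a token issued and posted back within a second or two was not filled in by a person, while `MAX_FORM_AGE` forces a reload of the form rather than letting an old token be reused indefinitely. The nonce is what makes the captured-POST replay described in posts 15 and 16 fail, and because the question shown can be folded into the signed `$form_name`, a Turing Test that picks a random question per display (post 11) can verify the answer against the question that was actually served rather than a fixed one. The per-IP window is deliberately applied only to successful registrations; whether a shared-NAT audience makes `REG_PER_IP = 3` too tight, as yabba's last reply suggests it might, is a per-site tuning decision.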