Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
corpse
Regular
Regular


Joined: Oct 15, 2007
Posts: 84
Location: U.S.A.

PostPosted: Mon Apr 01, 2013 11:48 pm Reply with quote

Image


This release is the latest release of the Nuke HoneyPot for both RavenNuke and Nuke Evolution. There are a total of 8 checks this system performs before the person can register on your site. This system is designed for 1 thing and 1 thing only, and that is to keep pesky spam bots off of your site and keep our sites free and clear from the bots.

This release is version 2.1. I started a new thread because the other one was getting a bit cluttered and i figured I would start fresh with this system. The key features, (checks), of this module is as follows:

  1. Hidden Question Check - This is a hidden check using JavaScript to hide it to hopefully trick a bot to answer and get caught.
  2. Text Removal Check - This has a form field with the text of "DELETE THIS TEXT" and the new user needs to just delete that text.
  3. Time Submit Check - If they click submit before the timer is finished, it marks them as a bot. Default is 15 seconds which is about the amount of time it should take to submit, but is configurable.
  4. Custom Question Check - This is popular with the phpbb guys as it allows you to create a custom question and answer check.
  5. Local Blacklist - If the person fails X amount of times and that X is greater than the value you set, it wont allow them to register.
  6. SFS API - Use the Stop ForumSpam.com API to check email or IP.
  7. BotScout API - Use the Stop botscout API to check email or IP.
  8. FSpamlist API - Use the Stop FSpamlist API to check email or IP.


Watch this video for more info on how the Honeypot works.


Download from clanthemes. Click the link below to go to the thread. Installing is easy, just read the readme and do what it says, Installing should take 2 min or less to install.

Only registered users can see links on this board! Get registered or login!


enjoy...


Last edited by corpse on Thu Aug 07, 2014 7:16 pm; edited 20 times in total 
View user's profile Send private message Send e-mail Visit poster's website
CodyG
Life Cycles Becoming CPU Cycles


Joined: Jan 02, 2003
Posts: 712
Location: Vancouver Island

PostPosted: Tue Apr 02, 2013 9:40 am Reply with quote

yikes

_________________
"We want to see if life is ubiquitous." D.Goldin 
View user's profile Send private message
spasticdonkey
RavenNuke(tm) Development Team


Joined: Dec 02, 2006
Posts: 1692
Location: Texas, USA

PostPosted: Tue Apr 02, 2013 11:23 am Reply with quote

thanks for taking the time to put this together, look forward to checking it out. Smile
 
View user's profile Send private message Visit poster's website
corpse
PostPosted: Tue Apr 02, 2013 5:47 pm Reply with quote

spasticdonkey wrote:
thanks for taking the time to put this together, look forward to checking it out. Smile


let me know what you think of it. Took a lot of research to find the best possible ways of implementing this and keeping it hidden from bots, while keeping it as easy and with as little edits as possible to add to your own site. It's not a 100% guarantee, but since I implemented this, I have had 0 bots register on my site, and at the point of development, I was getting hit everyday.
 
hicuxunicorniobestbuildpc
Life Cycles Becoming CPU Cycles


Joined: Aug 13, 2009
Posts: 967
Location: Netherland

PostPosted: Wed Apr 03, 2013 2:33 am Reply with quote

First thing you always want to do is make backups of all files before editing, I will not be responsible for inability to follow instructions and mess up your site.

Read all the instructions BEFORE doing anything...
Make backups of all files that you will be editing before you make the edits.
Read step one and step two again and DO WHAT THEY SAY.


Open:
public_html/modules/Your_Account/public/new_user.php

Find

Code:
echo '<input type="hidden" name="op" value="new_confirm" />';



Add Before

Code:



   echo '<input type="hidden" name="loadtime" value='.time().' />';
   echo '<p id="noninfo">Leave Empty!!! - <label for="addition">What is two plus two?: *</label>
    <input name="addition" type="text" size="10" />
   </p>';
   echo'<script type="text/javascript">
    var e = document.getElementById("noninfo");
    e.parentNode.removeChild(e);
</script>';
   echo '<p align=\"center\" id=\"countdown-1\"><strong>Antibot wait</strong>, please don\'t click "Continue" for 15 second(s)</p>
<script type="text/javascript">
    var countdown = document.getElementById("countdown-1"),
    passed    = 0,
    seconds   = 15;
 
function countdownTimer() {
        // If the total amount of time passed matches or is greater than the amount of time
        // we expect to stay idle for then we can probably assume the person using the form
        // is a human not a stupid BOT
        if (passed >= seconds) {
                countdown.innerHTML = "<strong>All done! You can click "Continue" at anytime!</strong>";
 
                // Clear the countdown interval
                clearInterval(itv);
                return;
        }
 
        var wait = seconds - passed,
            wait = (wait < 10) ? ("0" + wait) : wait;
 
        // Update the total number of seconds remaining until the countdown is done
        countdown.innerHTML = "<strong>Antibot wait</strong>, please don\'t click "Continue" for " + wait + " second(s)";
 
        // Increment the total amount of time passed
        passed++;
}
 
// Start the countdown timer
var itv = setInterval(countdownTimer, 1000);
</script>';


Save &amp; Close

Open:
public_html/modules/Your_Account/public/new_confirm.php

Find
Code:
if ($user_password == '' AND $user_password2 == '') {


ADD BEFORE:
Code:


/*****[BEGIN]******************************************
 [ Mod:     coRpSE Nuke Honeypot                 ]
 ******************************************************/
      $loadtime = $_POST['loadtime'];
      $totaltime = time() - $loadtime;
      if($totaltime < 15){
          OpenTable();
            echo('You took less than 15 seconds to complete the form, We think your a bot...');
            echo '<div align="center">';
          echo '<span class="content"><br /><br /><br /><br />'._GOBACK.'</span></div>';
          CloseTable();
            include_once 'footer.php';
            exit;
         }
         
      $botblock = $_POST["addition"];
      if ($botblock == "4" || $botblock == "four") {
      OpenTable();
         echo 'You failed the bot test!';
      CloseTable();
      include_once 'footer.php';
         exit ();
         }
/*****[END]********************************************
 [ Mod:     coRpSE Nuke Honeypot                      ]
 ******************************************************/


Note: It looks pretty nice. I just converted to xhtml 1.0 in order to validated.
 
View user's profile Send private message Visit poster's website
corpse
PostPosted: Thu Apr 04, 2013 3:08 am Reply with quote

glad you like it. It just another way to combat those pesky bots and help them stop registering on our sites.
 
tourniqu3t
Regular
Regular


Joined: Jan 16, 2009
Posts: 90

PostPosted: Mon Apr 22, 2013 2:21 pm Reply with quote

This one works great against spambots. I haven't seen new users in waiting content repeatly.
 
View user's profile Send private message
corpse
PostPosted: Sun May 05, 2013 12:12 am Reply with quote

tourniqu3t wrote:
This one works great against spambots. I haven't seen new users in waiting content repeatly.


Thanks for the report.

Today, I actually just released an update, where I added in a new feature.

here is more info about the new feature:


Okay, today, I had added a new feature. I also have cleaned up some coding issues I had discovered was wrong compared to RavenNuke. Evo uses tables and RN just uses Paragraphs. So I fixed that within the coding.

With updating, if you already have this, then I recommend just overwriting all the old edits with the new edits.

Now, the new feature Basically, this new feature I did will add a new step for new users to prove they are human. It is very simple to do. Basically, this is an input field like any other question, but it has one difference. That difference is that it is pre-filled in for you with a message, "Delete All Of This Text!". Off to the left of the input is the word "A n t i B o t:".

Well here is how the scripts work. Mind you that I am not going to put all the coding because well, it's not all needed, it in the readme for you to test and put on your site.

In the new_user.php, I have an input field that looks like this,

Code:
echo "<tr><td bgcolor='$bgcolor2'><div class=\"textbold\" id=\"blink\"><font color=\"FF0000\">A n t i B o t: *</font></div></td><td bgcolor='$bgcolor1'><input name=\"company\" type=\"text\" size=\"23\" value=\"Delete All Of This Text!\">&nbsp;<span class='tiny'>"._REQUIRED."</span>


which is using jQuery to flash the "A n t i B o t", but that's not important,, but with the input, you can see that I gave it a name value of "company", but then I have it the value of "Delete All Of This Text!". so basically, it automatically put in the words, "Delete All Of This Text!" for you, but what I am hoping the bot will see is that it has the name for "company" and possibly try filling it in with a company name, If it doesn't, no biggie, I doubt it will know to delete the message that has been automatically entered for it.

Well, the next phase of this bot is after they submit it. they go to the confirm.php file and like the others, it does a check.

Code:
      $botblock2 = $_POST["company"];

      if (!empty($botblock2)) {


With that, it grabs the info from the other page, "company", and it checks to see if it is empty. If it is not empty, then it proceeds to the error message.

By using !empty instead of empty, it will make it as false, its not empty and display the error message. Well, I had a few people take a look at it. 5STAR, Noto from clan themes, and Malius, and they all asked the same question, "What if they forget to delete the message or input their own answer. Well its simple actually. It will display an error message that looks like this,

Code:
echo "<div align=\"left\">You failed the bot test!<br />You should have deleted<br /><div id=\"blink\"><H2>$botblock2</H2></div><br /> and left it blank! <br>Go back and try again.</div>";


so if they did not delete the per-defined message that I gave it, "Delete All Of This Text!", the error message will look something like this,

Quote:

You failed the bot test!
You should have deleted
Delete All Of This Text!


and left it blank!
Go back and try again.


and the message that they put in or forgot to remove will be flashing. In this case it would be "Delete All Of This Text!". Overall after many threads, post, sites and what not that are about blocking bots. I have not found anything new. So I was thinking, what can be done and I been thinking about this for the past month since I did the original script. Well, this came &nbsp;to me when I was on my site and I just happen to click the TS3 connect button on my site and I saw that I did the pre-defined input box that was for the password and it just came to me. To me, this is just an added step again towards stopping bots for good, well till someone re-writes them on these new techniques.

Let me know what you think and if you want to see it in action, feel free to go to my test site. Link is in the first post. Enjoy...
 
horror-code
New Member
New Member


Joined: Apr 29, 2013
Posts: 23

PostPosted: Sun May 05, 2013 4:24 pm Reply with quote

Honestly, I prefer your first method over the latter. Mostly because it seems like it would be too intrusive/annoying for the user. I like the method and the security it offers, but I love the idea that the user is forced to wait instead.

Maybe if there was a way it stopped them from navigating to the next page without deleting the text first. It should require the text to be deleted, alert the user, and stop them. And have the timer at the same time.

With the timer, would it be too much work to display it on the Continue button itself, instead of above it?
 
View user's profile Send private message
corpse
PostPosted: Mon May 06, 2013 12:42 am Reply with quote

horror-code wrote:
Honestly, I prefer your first method over the latter. Mostly because it seems like it would be too intrusive/annoying for the user. I like the method and the security it offers, but I love the idea that the user is forced to wait instead.


Nothing was removed, this just adds in a new way to help stop bots with very little effort on a users part to begin with. Everything else is still there, this update was just a added feature.

horror-code wrote:
Maybe if there was a way it stopped them from navigating to the next page without deleting the text first. It should require the text to be deleted, alert the user, and stop them. And have the timer at the same time.


I thought about that, but I did not want to do that because I want to trap the bots. I am currently working on a admin side where you will have a few options to turn on and off certain features. I just finished writing up the script that will allow you to see who has been trapped, (by IP), which functions stopped them and when. It writes it all to a DB table and I will be making a admin side view page. I was talking to a few and they asked to possibly have a block, so I may do that to to show how many have failed to get through. All in due time.

horror-code wrote:
With the timer, would it be too much work to display it on the Continue button itself, instead of above it?


I had thought about that, but I have seen it done on other sites and I did not personally care for it,, so that's why I did not go that root. I wanted it separate.
 
corpse
PostPosted: Wed May 08, 2013 8:55 pm Reply with quote

Added in a admin side to the script today.
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Thu May 09, 2013 6:30 am Reply with quote

I guess it never hurts to have too much security (unless it's obtrusive and most of your registrations are legitimate). You might also try:

Only registered users can see links on this board! Get registered or login! - which checks for bad access to any page
Only registered users can see links on this board! Get registered or login! - which uses unobtrusive checks against know spammer databases to block registration (make sure to download the current version)

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
corpse
PostPosted: Thu May 09, 2013 7:20 pm Reply with quote

kguske wrote:
I guess it never hurts to have too much security (unless it's obtrusive and most of your registrations are legitimate). You might also try:

Only registered users can see links on this board! Get registered or login! - which checks for bad access to any page
Only registered users can see links on this board! Get registered or login! - which uses unobtrusive checks against know spammer databases to block registration (make sure to download the current version)


Correct. as long as the stuff you are doing really does not impact the new user trying to register, then having the security there is worth it.

Just a heads up, code-authosrs account has been suspended, (This Account Has Been Suspended). Me, what I am attempting to do is carry out in ways that stop bots before they finish registering without using any type of black listing from someone else, since there is enough of that already out there.

Two extra scripts I have implemented on my site is:
ZBBlock - Only registered users can see links on this board! Get registered or login!
bbAnticpam - Only registered users can see links on this board! Get registered or login!

I go over that in my original post over on clanthemes, Only registered users can see links on this board! Get registered or login!

Only problem with them is yes they help, but are breakable by some bots out there for I been hit with some bots that have gotten through. That's why I went on the quest to come up with something that works, and thus far everything seems to be working on my site and I have heard from other using it on RN and Evo sites that once they have implemented this, their bots have stopped.

So for those that are wondering, and I am only answering this because I was asked a few times in the past few days, but do I claim that this is 100% fool-proof. This is very simple to answer, "No!". All it does is add in an extra layer of protection to your site. I have tested this one a few site and already seeing some results of it stopping. The one thing it will not stop thus far are human spam. Human spammers are specifically targeting your site and are about hitting you directly, and in those cases, what I've been doing will not help.
 
kguske
PostPosted: Thu May 09, 2013 8:39 pm Reply with quote

Agreed. I'm not sure any one solution can stop 100% of malicious bots / spammers. nukeSPAM is pretty effective at stopping spammer registration, but it's easy enough to spoof IP addresses and create new email accounts that haven't been reported to the spammer databases it uses.

In addition to being unobtrusive, it's important to avoid false positives. That's where we have to be careful using behavior-based approaches.

That said, the more options webmasters have to choose from, the better they'll be able to protect their sites as one size rarely fits all... So, keep up the good work!

Finally, I checked Only registered users can see links on this board! Get registered or login! and it appears to be working fine.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Thu May 09, 2013 8:46 pm Reply with quote

Regarding code-authors.com, yes, the Suspension was temporary and needed at the time due to some nefarious activity that we had to take care of (not RN related).

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
corpse
PostPosted: Fri May 10, 2013 12:50 pm Reply with quote

kguske wrote:
Agreed. I'm not sure any one solution can stop 100% of malicious bots / spammers. nukeSPAM is pretty effective at stopping spammer registration, but it's easy enough to spoof IP addresses and create new email accounts that haven't been reported to the spammer databases it uses.


yeah, it looks like a few other system that I am using. Do you guys know if that is specifically for RN or does it work on other nuke CMS's like Evo Xtreme. Just wondering because that could be another option for those that was another option for their Evo sites.

kguske wrote:
In addition to being unobtrusive, it's important to avoid false positives. That's where we have to be careful using behavior-based approaches.


Yeah, that's why I been avoiding building in a system to add them to the ban list. I don't want people banning without knowing for sure. This system is more of a heads up/logging system. If you need ot take it to the next level, that's why i displayed the email and IP, but like you said, its easy enough to change that.

Yeah, I been looking at a few options/tricks to verify that they are human without making it to difficult to follow.

As an example, I did find one jQuery script out there that forced you to use a slider over to unlock the submit button. The only reason I did not use it is because I would need to force JS to be enabled, though I know most people out there run with JS enabled, but for those that don't, I would either have to build in a way to force them to have to turn it on, or, disable it if JS is turned off, which in effect would disable the purpose of putting it in, in the first place. Considering most bots system don't even use JS. Overall, its tough coming up with ways that are hidden from the public, so it does not effect the site in ways of how much crap you need to enter before you can register, but I am sure I will come up with more ways.

kguske wrote:
That said, the more options webmasters have to choose from, the better they'll be able to protect their sites as one size rarely fits all... So, keep up the good work!
Agreed and Thanks.

montego wrote:
Regarding code-authors.com, yes, the Suspension was temporary and needed at the time due to some nefarious activity that we had to take care of (not RN related).
Ah, I didn't figure it was RN issue, I just figured it was something with the host or it was being shut down.

Good to see it is back up.
 
neralex
The Mouse Is Extension Of Arm


Joined: Aug 22, 2007
Posts: 1297
Location: Germany

PostPosted: Tue May 14, 2013 12:38 pm Reply with quote

Hey corpse,

The idea behind your script is very cool but i watched it once today and i have to admit with all due respect, that your code breaks not only the validation, it even broke my entire css based theme.

Put a div-container around the functions OpenTable() and CloseTable() is not the best way if you want only set a css-style to change the cursor pointer. In modern css-based themes with floated containers you can brick the whole theme. Also i have seen you haven written the <style>-tag in the <body>. The <style> have only one place - in the <head> of a document! If you are working in a block-file or after the header-include you are inside the <body> area and after the end of the </head>

Code:
   echo "<div class=\"honeycontainer\">"."\n";   

   OpenTable();
      echo "<div class=\"potlogo\"><p>Nuke HoneyPot - Antispam<br></p><p><img src=\"./images/nukehoneypot.jpg\"></p></div>\n";
      echo "<div align=\"center\">[ <a href=\"$admin_file.php\">Return to Main Administration</a> ]</div>\n";
   CloseTable();
   //... more code like this
   echo "</div>"."\n";
    include("footer.php");


You can add more as one class into the class attribute, like this:

Code:
echo '<div class="potlogo honeycontainer"></div>';


In this case you putted a div-container between <td>-rows, that bricks the whole table. So many styles are also better placed in a css-class.

Code:
   echo"<td bgcolor=\"$row_color\" class=\"pot\" width=\"45px\" align=\"center\"><a onmouseover=\"ShowContent('addinfo".$row['id']."'); return true;\"

        onmouseout=\"HideContent('addinfo".$row['id']."'); return true;\" href=\"javascript:ShowContent('addinfo".$row['id'].")\"><div class=\"minipot\">" . $row['id'] . "</div></a>";
   echo"</td><div id=\"addinfo".$row['id']."\"
   style=\"display:none;
      position:absolute;
      border-style: solid;
     -moz-border-radius: 15px;
     border-radius: 15px;
     border-color:#000000;
      background-color: #f8ce55;
     color: #000;
      padding: 5px;
     width:400px;
     text-align:left;
     font-size:11px;\">";
   echo"<div class=\"pothead\" align=\"center\">Additional Information</div><hr>
<p class=\"minipot-text\"><b class=\"minipot\">Username (used)</b> &nbsp;&nbsp;-&nbsp;&nbsp; ".$row['username']."<br></p>
<p class=\"minipot-text\"><b class=\"minipot\">Realname (used)</b> &nbsp;&nbsp;-&nbsp;&nbsp; ".$row['realname']."<br></p>
<p class=\"minipot-text\"><b class=\"minipot\">Email (used)</b> &nbsp;&nbsp;-&nbsp;&nbsp; ".$row['email']."</p></div>";
   echo"<td bgcolor=\"$row_color\" class=\"pot\" width=\"25%\" align=\"center\">" . $row['ip'] . "</td>";


I have seen this style of typing for years ago in old phpnuke scripts but i thought today nobody is doing that. Besides of this, i think its better to create a module for this. So is it possible to make it accessable fore module-admins. I have started the work on a example for you based on RN with language constants and sepearate css-files to load the styles in each theme with theme based css-styles (module css files). I have created two include-files for the changes in the Your_Account files. Its better to re-build after a RN update and its possible to include the the language files for using constants than your hard-coded text. I know for english speaking people is it ok but for all others, they want use his page in the own language is it hard. With language-files you give the users the chance to translate the constants in own language-files without changing the core-files.

I think ist better to create separate versions - for every distro a own version. Otherwise you will open closed doors.


Edit: I have added a db-table for your config-values with a config-, a installer- and a update-function for both tables. So you can install now the _honeypot and the new _honeypot_config table with the admin-section of my RN module version.

Image

This module have in the index.php a redirect to the index file of the cms. So is it not possible to call the module as guest or as user. As admin you have all the settings of your script. My version is full xHTML validated and based on the RN functions to set css-styles and load javascript-code into the body area.
Only registered users can see links on this board! Get registered or login!

Its also not more needed to use two blocks. Now you can use one block as center or side block. Both is now possible with the same block-file.

@corpse: please check the admin-files of the module. I have written an example-function for updating the config table. You can use the same way to update the main-table. I have put the javascript-code from the admin-function in a own js-file because there are no dynamic used variables. The same i have done for the css-styles. Only the dynamic used styles are placed in the admin-files. All other css-classes are now in the honeypot.css. You can find the files in the /js/ and in the /style/ folder of the module.

To follow the logic of the both scripts, check: Only registered users can see links on this board! Get registered or login!

You could create a copy of the honeypot.css from styles-folder of the module and put the copy in the styles folder of your used theme. In this way you can create for each theme a own css-file for the module. Its a simple replacement based on the RN_MODULE_CSS definition.

I hope it make it easier to understand what you can do with RN. If you need help for porting your next versions to RN, let it me know.

Wink


Last edited by neralex on Wed Aug 06, 2014 1:22 pm; edited 2 times in total 
View user's profile Send private message
corpse
PostPosted: Tue May 14, 2013 10:16 pm Reply with quote

Thanks for that. I will take a look at what you have done and check it out for my self. As for the div's and wrapping it. I will be more cautious of that in the future. I am not sure if it was me or Noto, but that was something that I over looked.

As for making it so module admins could see it, that was never my intention and that's why I did not do it. As for making separate for each CMS, I personally was not going for that root. Considering there was only one thing that I found that differed from one or the other was the mysql_real_escape_string and $db->sql_escape_string, that why in php I used the if statement so if it was evo it would rn one way and if it was not, it would run the other way.

Overall. what you have done is nice, not exactly the root I wanted it to go personally, I am always open to new views and suggestions and always willing to accept new idea's and changes.

But what i can see is something that looks nice. There are a few things I been thinking about doing to it in the future, with those changes, I will send you a PM to look over and tell me what you think.
 
corpse
PostPosted: Tue May 14, 2013 11:41 pm Reply with quote

Well, I got around to testing the script. Its very nice, I do like some of the new features, but I did find two issues though.

First issue, for the wait timer, when someone enters in too fast, and they get to the page that stops them, well, you have it stuck at the default time of 15 seconds with in the language file. The fix for this is to:

Open: public_html/modules/HoneyPot/admin/language/lang-english.php

Find:
Code:
define('_HONEYPOT_YOUAREABOT','You took less than 15 seconds to complete the form, We think your a bot...');


Replace with:
Code:
define('_HONEYPOT_YOUAREABOT','You took less than ');

define('_HONEYPOT_YOUAREABOT2',' seconds to complete the form, We think your a bot...');


SAVE & CLOSE

Open: public_html/modules/HoneyPot/includes/ya_confirm.php

Find:
Code:
   echo '<div class="text-center content">' , _HONEYPOT_YOUAREABOT , '</div>' , PHP_EOL


Replace with:
Code:
   echo '<div class="text-center content">' , _HONEYPOT_YOUAREABOT, $ya_totalseconds, _HONEYPOT_YOUAREABOT2, '</div>' , PHP_EOL


SAVE & CLOSE



that was the first thing I found. the second thing I found was in the administration, you have

Waiting-Seconds for Your_Account Counter:
Total-Seconds for Your_Account Counter:

Are both of those necessary? I sort-of believe that the variable for both of them would be the same, so there really would be no need to have it do it twice since the countdown timer essentially it in direct correlation to what the time limit is set at. To me its just taking one thing that really should be one thing into two.


Other then that, I like what you have done to it and made it simpler to install.

What I will do within the next few days see if I can make a port of your version to work on Evo Xtreme for I do like what you have done and I am not one to keep some nice changes exclusive to just one CMS. Some may think that's a okay practice, but I think its dirty practice and anything to make anyone's site better and safer should be for all. I just have to see if I can find what changes of RN will not work on Evo. That is one of the main reasons that I made a single script that was cross compatible rather then doing separate scripts.

Overall, besides those two things I found, very nice changes and nice work.
 
neralex
PostPosted: Wed May 15, 2013 4:12 am Reply with quote

Glad if you like it!

The idea behind my module based way is to be independent. I mean in the module you can create the language constants, you can place in the module-folder all css-files and js-scripts, all needed images etc without to mess up the nuke-folders with this stuff and you can use the RN_MODULE_CSS definition. And here we are coming to the biggest reason for my change. I don't know if exists in EVO functions like addJSToBody, addJSToHead or addCSSToHead or there are similar functions that allow custom CSS classes and JS code inline or load a file. CSS classes always belong to the <head> and js code that is loaded in <body>, should always be set to the end of the <body>. Exactly that do these RN functions. If exists function like this in EVO, then should it be no problem to port it to EVO. The if-statemanet for the escape-function is not hard to build in the files.

Module-admins can be enabled for specific modules. Thus, it does not see any module-admin unless you are giving the right in this. I rarely use a GOD-admin, maybe when i only want to manage other admins. Everything else i do with a module-admin. As module-admin i can see the waiting-users and i can also manage Your_Account, for that i don't need to be GOD. With your version i have to log out and log in as GOD, just to manage it.

The reason for the both variables are the difference in the new_user.php and new_confirm.php because in both files you are using different values on different places.

new_user.php = 45 (Waiting-Seconds for Your_Account Counter)
new_confirm.php = 15 (Total-Seconds for Your_Account Counter)

Not all of us have the skill to just open a file and change values ​​are correct something without destroying it. I see this very often today, because many do not read the instructions and think they can do that. If it involves only simple variables that can or should change to test something or to feed their own preferences, which can be managed with a db-based configuration. It is also easier for the user without to change the needed files.

You are right with the language-changes because i have forget to change it. I have written the config-area after the constants. I have made the changes in my files. Thanks.

Edit: I have deleted the download-link and the install-instructions because i will wait on you. Now you have the scripts and if you have made your changes, then we can compare it. So that two versions are not offered to the public. Maybe we can find a way to build both in one without breaking the code. But i have no EVO installed because i like my RN and don't want go deeper in a other distro.

To check if you are using RN you can use maybe this one. Its a part of rnconfig.php:

Code:
if (defined('RAVENNUKE_VERSION')) {

   // do RN stuff here
} else {
   // do EVO stuff here
}


Other possible candidates they are only provided by RN could be:

function addJSToBody
function addCSSToHead
function check_html
define('RN_MODULE_CSS', 'honeypot.css');
Cross-Site Request Forgery (CSRF)
Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login!


Last edited by neralex on Wed Aug 06, 2014 1:26 pm; edited 1 time in total 
corpse
PostPosted: Wed May 15, 2013 3:55 pm Reply with quote

for the timer, the two variables can be just turned into one because in all sense, its doing the same function. Meaning, that you are setting the time limit that form, so it shouldn't be filled out no faster then what ever you set, and the other part of that is the time for the countdown clock which is all and all, going ot be the same as what your setting the limit at. So having it spread out is really not needed.

After looking at what you have done, looks like the way you have it set up, will not work on Evo. With Evo, all you do to includes css is just a simple includes. For the functions to add JS to body and to the head, that does not exist in Evo. With Evo, you can add just a includes line to the javascript file in the includes folder.

So the root you went will need to be re-written a bit. I will try seeing what I can do. I do have a few functions I am looking into building in and since you seem to know allot more about RN then I, but that may be because I have not used RN since I think 2006, since then, I have been a Evo user for I found the system to be more user friendly with the use of jQuery in certain areas as well having more bb function. I only currently have two test site in which I have RN installed on just to test out scripts that people may ask for.

If you have TS3, you can hop onto my server any time and talk to me. But if you like, once I rewrite the new additions, I can send them to you to go through and make it correct for RN. In this root, I think its going to go in the direction of being separate, but I like to try keeping them the same when it comes to function and features.
 
neralex
PostPosted: Wed May 15, 2013 5:18 pm Reply with quote

Now you know why i have suggest you to provide separate versions for EVO and RN and do not put it together. If you want put both together you are brick the clear code of RavenNuke. Smile

But i can not really follow you with the two variables, because if i want now set the value more or less than your determined value, then i must open the file and change it again. This was the reason why i have it put in the settings. But its no problem to move it back as hardcoded values in the both files.

Anyway, i have downloaded the EVO package and what i have seen is a lot of old written code with many issues in validations and simple html markup fails. That is my reason why i don't want use another nuke distro like RavenNuke because in RN i have a very clear and secure written code and a real standard. EVO is far away from this. It seems in EVO was moved the old code from version to version without any changes.

All what you are doing with EVO can you do it also with RN. User friendly actions like jQuery is not a part of the CMS, is a part of the of developer's skill. On this point i'm very happy to have found the RavenNuke as my favorite nuke distro! I can only speak for me and i don't want mess up my nuke with bad written code like EVO. I want a clean CMS with 0 validation errors and a correct using of jQuery, CSS, HTML and a highly optimized php code on the current web-standards.

corpse wrote:
But if you like, once I rewrite the new additions, I can send them to you to go through and make it correct for RN. In this root, I think its going to go in the direction of being separate, but I like to try keeping them the same when it comes to function and features.


I'm not a friend of teamspeak. But in this way i will try to help you to port your new features in the RN version. You can test self before and if we are both happy - lets go!

Wink
 
dreadedcorpse
New Member
New Member


Joined: May 15, 2013
Posts: 3

PostPosted: Wed May 15, 2013 6:14 pm Reply with quote

Sorry for the different account name. I when to change my email on there and I got that validation email, but when I click the link, it sends me to a RN page with a empty table rather then re-validating my account so I must post under this new account I created until a admin can fix my account issue.

But the thing with the clock is not hard.

the way I did it was using the unix time stamp, so when you enter the registration, it enters that current time that the form showed up. So lets call that TimeA. Now, when you go to the confirmation page, it takes the unix time stamp from when that page was gone to, so lets call that TimeB. After it gets both of them, it takes them and subtracts them.

TimeB - TimeA = TotalTime

now, the time frame that you enter into the DB, just say you want them to fill out the form in no less then 15 seconds, so lets call that MinTime. So then next part of it is going to take the total time and see if its more then the MinTime you defined.

TotalTime < MinTime

So that's there the if comes in, saying if total time is less then the MinTime, deny them access.

The only other area the MinTime would come in, is for the countdown timer and on the text from the lang mistake above. and all that is referencing the min time you are requiring. So, basically, the only time you need to set is the min time and that's it. The timer is just that, a timer to count down from the time you define to give them a idea when its safe to click continue and it should match to the MinTime.

So essentially, you could take the "$ya_waitseconds" that you have, and replace them with the $ya_totalseconds and it will do the same thing, or vise versa. If you do that, it will match the timer to the actual time you want them to wait. Then the whole ($ya_waitseconds or $ya_totalseconds, just need one of them.) could be removed from the configuration and the DB for overall, its unnecessary. Just really only need one of them.

Your not going to want to put the min time to fill out the form at 45 seconds and display 15 seconds for the clock. That would give your new users a false okay to when its safe to click continue. That's why if you just make it one input that controls all of it, then your safe and you wont have any issues with misconfiguration and false info being displayed.

Does this make sense.

As for everything else. Some like the plain jane of RN, others don't. I do agree, Evo needs to update and I know there are talks of redoing it after then put this next patch out. Overall, the lack of function is what drives me away from RN. I find most of the stuff is lacking in user functionality and ease of use. Most of it reminds me of script design from the 90's and not with the more modern ease of use with drag and drop features and all that flash, (not flash in .swf, .flv, .fla, but more of the wow factor). I am not saying its a bad thing. There are people out there that like that, but me, I like to live a little bit in the newer days. Now if RN was more friendly on that aspect, I may have stayed with it.

I know I have heard many times that RN always wanted to stay close to a vanilla version. but the downfall with that is eventually, it will be lost with others moving in the way of making things faster and easier to do stuff. Thats just the way things are. Example, the way blocks are done on RN verses Xtreme. Xtreme/Evo uses a drag and drop system where RN, you have to change all numbers and save. What can be done on Evo in 5 seconds can take quite a bit longer with RN, depending on how many blocks you have. That is just an example and nothing more.

Overall, I do like how RN has been doing security work to make their product as secure as they can, but to me, that shouldn't just be just the only goal, which it seems to be. But again, that is just one mans opinion and everyone will have their own, well, we hope everyone has their own.
 
View user's profile Send private message
kguske
PostPosted: Wed May 15, 2013 10:47 pm Reply with quote

A bit off the original topic, but...

There are several goals for RN, including, among others, standards-compliance, security, and base functionality - on which you should be able to add functionality via modules, blocks, etc. It has some important structural features (namely, the ability to dynamically load JS) that make it easy to implement advanced user interface capabilities through jQuery add-ons and other JS / CSS features. And, until now, it supports that thousands of PHP-Nuke-based add-ons (blocks, modules) and themes.

We've been looking at drag and drop block management, for example, but felt that the real benefit of usability in the admin function, which is used infrequently, was less important than other features. That isn't to say there isn't plenty of room for improvement in important areas like usability...

...and there are some significant improvements planned for the user interface in the next release of RN (aka RavenCMS). I'm not sure it will include all the admin functions in Xtreme, but stay tuned for more info on that.

For a taste of the future (and to bring this back on topic), though unrelated to the previously mentioned UI improvements, take a look at the admin function and module capabilities of nukeSPAM, which combines a "flashy" user interface with powerful, flexible capabilities for unobtrusively blocking spammer (both human and bot) registration. Using the powerful DataTables jQuery add-on could give Nuke Honeypot powerful flexibility and a flashy interface, too.
 
neralex
PostPosted: Thu May 16, 2013 6:49 am Reply with quote

kguske is right. Thanks for the reply Smile But the RN have not a lack of functions, it have more functions than EVO if i look into the code. Sorry but you looking only on this, what you can see or click but not in the code. The alone the code creates the 'magic'. This is the biggest problem of EVO and so long nobody optimize the old code, so long you are live with the massive count of errors. This is the reason why I cried so loud as I have seen the code in my RN. In this case i like my clear written RN, here i have the chance to implement my own stuff based on the current standards and without all these errors they are provided from the EVO core-code.

Now back to the topic:

To make a next step i need to know which of the both values you want have in the configuration and which i should close out or should both closed out of the configuration? If i understand it correctly, then you need only the '45' from the new_user.php and the '15' from new_cofirm.php should stay hardcoded in the file?
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©