Ravens PHP Scripts: Forums
 

 

phoenix-cms
Worker


Joined: Aug 05, 2005
Posts: 139

Posted: Thu Mar 09, 2006 3:06 pm

Many phpnuke contain security issues. One of my sites has over 7000; it's just my Linux support site, but I'm having one issue with spambots because you can bypass the nuke security code.

I have tried many ways, even altering the gfx functions to warp the security image.

The only thing that I can see is that the whole function should be replaced.

I've been looking into the phpclasses site and came across

this
Only registered users can see links on this board! Get registered or login!

But are there going to be platform issues, because it imports TTF fonts and builds JPG or PNG images from them, which are then displayed as a graphic box?

I don't have a Linux desktop box to test on, as it's only console-based Linux, and I have no access to another PC that can test this.

would you say this would fix any nuke securitys in nuke.

Would it stop bots and prevent them from registering by using this, or has anyone had any luck with captcha with phpnuke, as nuke has not changed much at all since thatware?

The only people who have changed it so much are postnuke and xoops, where fb still has not done any major changes over thatware.

many thanks

steve

_________________
Evo 3.0 Developer & nukecops.com Admin
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

Posted: Thu Mar 09, 2006 7:37 pm

I'm not aware of any bots that can read the standard security image but I shouldn't think it's beyond a simple brute force attack if you only have a limited number of alpha-numeric combinations.
I would be more concerned if they were bypassing the activation link.
phoenix-cms
Posted: Thu Mar 09, 2006 8:47 pm

It can be done. That security code, I tested it myself and it made me realise how easy the security code is, for example.

You can bypass the confirmation code: first you check how many digits.

then the confirm code

like if you have a 6 digit code, type something like
index.php?gfx=gfx&random_num=123456

then view properties of the image, say 770471, that's your confirmation code

then make a simple html to post and reg and what you got is a simple script, you can modify this under perl or cgi and mass spam sites

just a thought

There are many sites now who brought this up. Also, I managed something basic using the built-in php functions; I'm just going to see how I can make fonts that are more universal, like an image-based map or something like games use, for example.

Then with hardly any major code edits we can have uncrackable code until someone finds something, but that will be a while and many people would have to be using it.

Best part: tested it under firefox, ie6, ie7, and opera and all works fine. I'm sure it will work under other OSes like linux and mac as well, just unable to test this atm. I'll post up some code changes tomorrow once I've finished; still early code.

If it's good enough I'll speak to fb this week and try and get him to use it :)

thanks

steve
 
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

Posted: Thu Mar 09, 2006 9:18 pm

Quote:
would you say this would fix any nuke securitys in nuke.
I hope so.


Last year there was an interesting discussion about captchas in nuke and I'm still interested because I know there are very intelligent bots.
I saw only a few phpnuke websites with captchas in the past. If you need a tester, let me know. It's worth the trouble.
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

Posted: Fri Mar 10, 2006 8:39 am

Aye the security code is not going to stop someone from reading it once, and then using it multiple times per day. It is a flaw from concept.

If that class works as a one-use only, it would definitely help getting it into phpNuke.

(I have tried some OCR software to break the security code. But no luck so far. Need something more complicated to remove the lined backgrounds. Changing fonts, colors, background would definitely help to stop OCR to read it)

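
The one-use requirement from the post above, together with the reuse of a fixed random_num described earlier in the thread, as an added example (not code from PHP-Nuke, the phpclasses class, or any poster): the answer is generated and kept server-side, never derived from a request parameter, and is destroyed on every verification attempt. The function names, the TTL value and the plain array standing in for $_SESSION are assumptions.

```php
<?php
// Added example: one-time, server-side challenge. Function names are hypothetical.
declare(strict_types=1);

const CHALLENGE_TTL = 300; // seconds a challenge stays valid (assumed value)

/** Create a challenge; the answer lives only in $session, never in a URL or form field. */
function issue_challenge(array &$session, int $digits = 6): string
{
    $code = '';
    for ($i = 0; $i < $digits; $i++) {
        $code .= (string) random_int(0, 9);   // CSPRNG, not derived from client input
    }
    $session['captcha'] = ['code' => $code, 'expires' => time() + CHALLENGE_TTL];
    return $code; // the caller renders this into the image and nowhere else
}

/** Check an answer. The stored challenge is destroyed on every attempt, right or wrong. */
function verify_challenge(array &$session, string $answer): bool
{
    $stored = $session['captcha'] ?? null;
    unset($session['captcha']);               // single use: no replay, no guess loop
    if (!is_array($stored) || time() > $stored['expires']) {
        return false;
    }
    return hash_equals($stored['code'], $answer); // constant-time comparison
}

// Constructed demo: a plain array stands in for $_SESSION so this runs on the CLI.
$session = [];
$code = issue_challenge($session);
var_dump(verify_challenge($session, $code));      // first submission of the code
var_dump(verify_challenge($session, $code));      // the same code submitted again

$code = issue_challenge($session);
var_dump(verify_challenge($session, '000000x'));  // a wrong guess
var_dump(verify_challenge($session, $code));      // the right code after that guess
```

Because a failed attempt also discards the challenge, each guess costs a fresh image request, which addresses the brute-force concern raised earlier in the thread as well as the replay.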
Steptoe
Involved


Joined: Oct 09, 2004
Posts: 293

Posted: Fri Mar 10, 2006 12:45 pm

In general, I find sites with security code a pain, especially if I didn't have my glasses on, and/or they have set the auto logged on to only a couple of days.
From the end user (visitor/member) point of view it has a tendency to put ppl off.
Maybe a rethink of the whole concept/method??
I don't have any ideas

_________________
My Spelling is NOT incorrect, it's Creative
guidyy
Worker


Joined: Nov 22, 2004
Posts: 208
Location: Italy

Posted: Fri Mar 10, 2006 1:09 pm

I agree with Steptoe,
My site has a very wide audience (grandmas seeking birthday cake recipes for the grandson, housewives, chefs etc.) and most likely they can't read the code, or completely forget to type it in...
I'm also clueless for a different solution tho!
Guido
Guardian2003
Posted: Fri Mar 10, 2006 1:46 pm

Why don't we use a 128-bit PGP key instead?
 
phoenix-cms
Posted: Fri Mar 10, 2006 2:58 pm

Yeah, I like those ideas. OK, I phpnuke 7.9 for testing so you can see, and I will post all the code changes on the front page as well as here. Was busy last night with work; I'll start on it tonight :)
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

Posted: Sat Mar 11, 2006 12:57 am

I had a very nice one working - see Only registered users can see links on this board! Get registered or login! , but then M$ had a security issue and, as usual, rather than fix the exact cause, they threw the baby out with the bath water and broke IE permanently.
 
djmaze
Subject Matter Expert


Joined: May 15, 2004
Posts: 719
Location: http://tinyurl.com/5z8dmv

Posted: Sat Mar 11, 2006 8:54 am

captcha sucks, for example go look at it when you're (color)blind :)
Cookie/Session will not work either since you just write a smarter script to post spam.

The only way to prevent spam is by adding a check system that validates $_POST data based on the Only registered users can see links on this board! Get registered or login! and [url] stuff that is put in the $_POST values.
 
All times are GMT - 6 Hours
 