zikula-modules / Formicula

A template-driven form mailer for Zikula
https://ziku.la

Captcha Security Break #23

Closed chrishildebrandt closed 11 years ago

chrishildebrandt commented 13 years ago

On Tue 25/10/11 3:23 PM , Captcha bypass yhboeqfuru@hctywc.com wrote:

formicula_admin_html_email

Hello,

A visitor to your web site used the form for contact and sent the following:

Form # : 0
Contact or Theme : Mirrors
Your Name : Captcha bypass
E-Mail : yhboeqfuru@hctywc.com
Homepage : http://www.captchaking.com/
Company : Captcha bypass software
Phone Number : Captcha bypass software
Location : Netherlands

Comment : yumvdbquptje, Car windshield snow cover, zwRpcCz, [url=http://www.repairwindshield.com/]Repair Windshield[/url], mQqCCtl, http://www.repairwindshield.com/ Sun shades for car windshield, gAkmDsv, Compare viagra levitra celias, tveCoHT, [url=http://buylevitrausa.ucoz.com/]Levitra[/url], ikSABfV, http://buylevitrausa.ucoz.com/ 20mg levitra, YApYtju, Seo phoenix, bkLFgpo, [url=http://www.daveshap.com/]Phoenix Seo[/url], StZaSzD, http://www.daveshap.com/ Phoenix Seo, jGDtbbo, get rid of stretch marks, uQoVTmq, [url=http://getcosmetyn.net/]Cosmetyn Review[/url], uaRwBUq, http://getcosmetyn.net/ get rid of stretch marks, pmRybjZ, smile by glow reviews, qwfZBBC, [url=http://smilebyglowspecialoffer.net/]smile by glow reviews[/url], aZjhqGH, http://smilebyglowspecialoffer.net/ smile by glow reviews, rPntNJB, Bypass Captcha, JvoExNY, [url=http://www.captchaking.com/]Bypass Captcha[/url], NEfyfZc, http://www.captchaking.com/ Bypass Captcha, EkGpPIL.

The user has the following IP address/hostname: 193.34.144.193 / 193.144.34.193.static.giga-dns.com

espaan commented 12 years ago

Yes? What is the point exactly? That someone has bypassed the captcha? That is not uncommon, of course. It is only a very simple captcha scheme.

chrishildebrandt commented 12 years ago

Well, the point is: if there is a script in the wild which did break the Formicula captcha, then we should slightly change the captcha scheme. I know it's just a simple one, but making minimal changes to the scheme might get it un-hacked again for some time. Greetings, Chris

espaan commented 12 years ago

Hi,

Ah ok, in that sense. Do you have any suggestions for changing the captcha in its current form? In the end, integration of re-captcha might also be an idea. This math test is just a bare minimum test. One could also think of the option of adding a question/answer combo alternative.

chrishildebrandt commented 12 years ago

The little math test was actually working very well for several years with Formicula; my case is the first one I know about. Add to that, the math test is language independent. I would just slightly increase the complexity of the test, by adding a 3rd operation and/or making the test pics slightly less easy to read for text recognition software. And of course the option to add a question - as we already do at Core user registration - would be great. Greetings, Chris

ghost commented 12 years ago

There is now a reCaptcha hook in @craigh's repo

espaan commented 12 years ago

Ah great!!

espaan commented 12 years ago

See about the re-captcha hook: https://github.com/craigh/Captcha and http://www.google.com/recaptcha/learnmore

you will need an api key to use the service: http://code.google.com/apis/recaptcha/intro.html

hvorragend commented 12 years ago

IMPORTANT: Don't forget to set comments permissions for the Captcha module if anonymous users should use this hook.

espaan commented 12 years ago

And I noticed a re-install is needed when you were already using a GitHub version. At least in my case, but after that it works fine. Maybe the regular Activate spamcheck should also be adjusted. When the captcha hook is available, the regular spamcheck makes no sense, right?

One other thing: the message when the re-captcha hook does not validate:

User.php:266: return LogUtil::registerError($this->__('The validation of the hooked security module was incorrect. Please try again.'), null, ModUtil::url('Formicula', 'user', 'main', array('form' => $form)));

is not the most user friendly. Not sure if users understand that this means that they filled in the captcha part wrong.

hvorragend commented 12 years ago

I would be glad if you could optimize the code.

espaan commented 12 years ago

:-D ok, will take a look then. I don't think there will be other security module hooks in Formicula, right? Then I can change the string to something along the line of spamcheck.

It would be nice actually if the hooked module would supply some sort of string what it does. The subscriber does not know exactly what a certain hook is doing.

But some minor changes will certainly help here. Maybe when captcha is hooked then also a link to the captcha module settings would be nice in formicula settings. And some descriptive text somewhere, that this is also possible. Ah well, enough ideas to make it more clear. Will try to take a look at it.

craigh commented 12 years ago

"The subscriber does not know exactly what a certain hook is doing."

This is by design. @drak made it work that way. the subscriber isn't supposed to know.

ghost commented 12 years ago

The bundle that we use for forms is simply designed to hook into the form submission workflow, able to veto the submission of a form if it doesn't validate and save data when the entire form validates.

espaan commented 12 years ago

Clear. Just some streamlining of the process within Formicula will make it more clear for users. It works perfectly, the hook system with the validation.

espaan commented 11 years ago

Check this part and disable the regular simple captcha check when the validation hook is there and see comments above on the code.
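
As an added example (not Formicula's own code, and not the Zikula hook API), the following Python sketch covers the two points raised in this thread: chrishildebrandt's suggestion of a harder math test with a third operation, here also made single-use and expiring so that a solved answer cannot be replayed, and espaan's point that the built-in spam check should be skipped when a validation hook is attached and that the failure message should actually say "captcha". The hooked validator's call shape, the form field names, the error texts and the dictionary standing in for a session store are all assumptions of this example.

```python
"""Added example: hardened math captcha plus hook-aware spam check.
Not Formicula code; store, field names and hook shape are assumed."""
import hmac
import operator
import random
import secrets
import time
from dataclasses import dataclass

# Three operations, as suggested in the thread (the original test had fewer).
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}


@dataclass
class Challenge:
    token: str        # opaque id carried in a hidden form field
    question: str     # text that would be rendered as the captcha image
    answer: int       # never sent to the client
    issued_at: float


class MathCaptcha:
    """Server-side math test: the answer stays on the server, every challenge
    expires and can be attempted exactly once (the dict stands in for a
    session store; this is a hypothetical replacement, not Formicula's)."""

    def __init__(self, ttl_seconds=600, rng=None):
        self.ttl = ttl_seconds
        self._rng = rng or secrets.SystemRandom()
        self._store = {}

    def issue(self, now=None):
        now = time.time() if now is None else now
        a, b = self._rng.randint(2, 12), self._rng.randint(2, 12)
        op = self._rng.choice(sorted(OPS))
        if op == "-" and b > a:
            a, b = b, a  # keep answers non-negative
        ch = Challenge(secrets.token_urlsafe(16), f"{a} {op} {b}", OPS[op](a, b), now)
        self._store[ch.token] = ch
        return ch.token, ch.question

    def verify(self, token, submitted, now=None):
        now = time.time() if now is None else now
        ch = self._store.pop(token, None)  # consumed on first attempt: no replay
        if ch is None:
            return False, "unknown_or_reused"
        if now - ch.issued_at > self.ttl:
            return False, "expired"
        try:
            value = int(str(submitted).strip())
        except ValueError:
            return False, "not_a_number"
        if not hmac.compare_digest(str(value), str(ch.answer)):
            return False, "wrong"
        return True, "ok"


def solve_question(question):
    """What a bypass bot does once OCR has read the picture: the question text
    is the whole secret, so expiry and single use stop replay, not solving."""
    a, op, b = question.split()
    return OPS[op](int(a), int(b))


# Assumed wording; the thread found "hooked security module" unhelpful.
MESSAGES = {
    "unknown_or_reused": "The spam check expired or was already used. Please reload the form and try again.",
    "expired": "The spam check expired. Please reload the form and try again.",
    "not_a_number": "Please answer the spam check with a number.",
    "wrong": "The answer to the spam check was not correct. Please try again.",
    "hook_rejected": "The spam check (captcha) was not answered correctly. Please try again.",
}


class FormSpamCheck:
    """Runs the built-in math test only when no validation hook is attached;
    a hooked validator (e.g. a reCAPTCHA hook) replaces it instead of stacking."""

    def __init__(self, builtin, hooked_validator=None):
        self.builtin = builtin
        self.hooked_validator = hooked_validator  # assumed shape: callable(fields) -> bool

    def validate(self, fields, now=None):
        if self.hooked_validator is not None:
            if self.hooked_validator(fields):
                return True, None
            return False, MESSAGES["hook_rejected"]
        ok, reason = self.builtin.verify(fields.get("captcha_token"), fields.get("captcha_answer"), now)
        return ok, None if ok else MESSAGES[reason]


def demo(seed=1):
    """Walk through the cases with a seeded RNG and fixed clock; returns outcomes."""
    captcha = MathCaptcha(ttl_seconds=600, rng=random.Random(seed))
    check = FormSpamCheck(captcha)
    out = {}
    token, question = captcha.issue(now=1000.0)
    fields = {"captcha_token": token, "captcha_answer": str(solve_question(question))}
    out["solved"] = check.validate(fields, now=1001.0)
    out["replayed"] = check.validate(fields, now=1002.0)  # same token a second time
    token, question = captcha.issue(now=1000.0)
    out["wrong"] = check.validate({"captcha_token": token, "captcha_answer": str(solve_question(question) + 1)}, now=1001.0)
    token, question = captcha.issue(now=1000.0)
    out["expired"] = check.validate({"captcha_token": token, "captcha_answer": str(solve_question(question))}, now=1601.0)
    hooked = FormSpamCheck(captcha, hooked_validator=lambda f: f.get("captcha_response") == "valid")
    out["hook_ok"] = hooked.validate({"captcha_response": "valid"})
    out["hook_rejected"] = hooked.validate({"captcha_response": ""})
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result}")
```

The `solve_question` helper is deliberately in the block: it is the entire work a spam bot has to do once it can read the rendered digits, which is why making the math test single-use and short-lived only blocks replay of a solved token, and why the thread ends up attaching a reCAPTCHA hook rather than tweaking the arithmetic.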