Reply to Re: Reading remote Session ID

Your name:

Reply:


Posted by Brian on 03/26/07 14:52

>
> look Brian, as has been said, don't be afraid to provide the link, so
> we can actually tell you have done wrong, after all your link is
> public already; you will have peace of mind after you fix it - if
> indeed anything is wrong!
>
> You should know though sessions don't provide protection, the ID is
> sent to the user-agent to be sent straight back, that's it!
>
> If you think you are being targeted by a human, there's little you can
> do, as they can solve Captcha's. If you think it is automatic then you
> have either done something wrong - named the image by the random text
> it contains, or have the image src="image.php?random=Rt8d" both of
> which I have seen in the wild - or perhaps you have attracted a
> professional - someone whose script finds the captcha url and grabs
> the image sending it off to one of his/her sites which is heavily
> used, the captcha is then presented to a real likfe person on /that/
> site and the answer sent back through to your site - harder.
>
> Perhaps you can just make it harder for the script by
> (there are accessiblity problems with the following)
> * randomising the names of the input fields, and image url
> * time the solving time.
> *have the posts build up (if you are getting loads of them) dump
> collections of them based on IP and other data colected (see below) or
> have them emailed to you first, with a validation link at the top,
> then have the emails go through a Bayseian antispam filter like
> spamassasin or spampal, which learns adaptively, so you only get to
> see stuff considered ok.
> * have the image dynamically inserted into the DOM using a separate
> XHR call
> * require that the IP that makes the request for the page be the same
> that makes the request for the image
> * require that the page must be part of a "flow" that is don't allow
> post from someone who requests the html and no css/script/images,
> track their requests to ensure the browser they claim to be using
> matches the requests made. This is like using referer but is not so
> easily spoofed as each page takes a "breadcrumb" and stored it to
> track the user, award point to users who continue on round your site,
> or come from somewhere within. Using a session i nice here.
> * in a similar way require javascript to ask questions of the
> capability of the user, if it's a script the js will fail, so require
> js if you need to, if they are automating firefox, download some auto
> stuff like chicken foot/solvent etc.. and see what it takes to fuzz
> their script. Have a fake input hidden above the real one etc...?
> * require validation of an email address, preventing mytrashmail
> etc...
> * prevent the script from accepting posts if at certain times.
> * google for latest techniques in revealing true IP, often script
> kiddies use tor/privoxy which by itself isn't enough, ask the user-
> agent what time they have, screen res, use google analytics for this,
> etc..
> * try to tag you user with persistent data objects (eg flash),
> cookies.
> * download a list of know proxies at start of play, and check the
> poster's IP. (including those associated with tor)
>
> there are loads more of course, but I think you are now thinking - man
> it's not worth it, I'll just delete them, so write a routine that
> gathers info on the poster, and store it in the db table or wherever
> and use that in a where clause, you will find they come from a
> selection of IPs which repeat, so store them.
>
> finally, have some fun, if you suspect its an autobrowser, send a
> bunch of CPU chewing code to gobble up their memory using javascript,
> or maybe if you get a request from a known proxy send it
>
> I get this kind of spam from one of my sites, they have similarites,
> so get killed. I find it amusing how persistent, relentless and futile
> it all is, I havent taken any of the above steps to prevent it, just
> to see if it will ever stop of it's own accord!


Hi Shimmy

Thanks for all your help, you were the only one that didn't seem to go
off on one. I didn't want to post up loads of code as I have been told
off for doing that before, but as it's been asked for please see below.

The random image thing, I don't know if there is a official name.for it,
but I'm talking about sites that when you go to fill in a form if asks you
to type in the number in the image, this image is randomly generated
number

Below I have put both blocks of code, 1 generates the random
image and sets the session ID, that other processes the form, what I
would like to know is how secure are they, can somebody hack it and
send out spam via my site?
Lastly can they auto submit to the process script via their own script or
are the problems I am having being done by a human testing the scripts
security?
I was under the impression because the way the random image works they
would have to be viewing the site in a browser to see the image to know what
to past over?

Thanks

Brian


PS Steve, thanks for the English lesson, always very helpful to have
somebody
take the piss out of my Dyslexia and underline the fact that I do have a
problem,
it makes me feel great, thank you so much

MAKE IMAGE

<?php

include_once("mailer_conf.php"); # Import all configuration files
$randAlpha = str_shuffle( substr(str_shuffle($listAlpha),0,$numAlpha));
$bgNum = rand(1, $Numbgimages);
$image = imagecreatetruecolor($image_width,$image_height);
if ($UseBG == true) {
$fullimage = imagecreatefromjpeg($BGPath."/background$bgNum.jpg");
imagecopyresized($image, $fullimage, 0, 0, 0, 0, $image_width,
$image_height, $image_width, $image_height);
} else {
$image_BGColour = imagecolorallocate($image, $BGColourR, $BGColourG,
$BGColourB);
imagefill($image, 0, 0, $image_BGColour);
}

$textColour = array();
$colours = array();
$charPos = 3;
$charSpacing = round($image_width / ($numAlpha + 1));
$colours[0] = imagecolorallocate ($image, 255,0,0); // Red
$colours[1] = imagecolorallocate ($image, 0,355,0); // Green
$colours[2] = imagecolorallocate ($image, 0,0,245); // Blue
$colours[3] = imagecolorallocate ($image, 255,0,255); // Magenta
$colours[4] = imagecolorallocate ($image, 0,0,0); // Black

for($i=0; $i<$numAlpha; $i++) {
$cnum = rand(0, 4);
$textColour[$i] = $colours[$cnum];
imagestring($image, $font, $charPos, rand(2,11), $randAlpha{$i},
$textColour[$i]);
$charPos = $charPos + $charSpacing;
}
session_start();

$_SESSION['image_random_value'] = md5($randAlpha);

header("Expires: Sat, 01 Jan 2000 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
header('Content-type: image/jpeg');

imagejpeg($image);
imagedestroy($fullimage);
imagedestroy($image);

unset($randAlpha, $bgNum, $newheight, $newwidth, $image, $fullimage,
$cnum, $colours);

?>



PROCESS SCRIPT

<?php

function checkaddaddress($email) {
// First, we check that there's one @ symbol, and that the lengths are
right
if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) {
// Email invalid because wrong number of characters in one section,
or wrong number of @ symbols.
return false;
}
// Split it into sections to make life easier
$email_array = explode("@", $email);
$local_array = explode(".", $email_array[0]);
for ($i = 0; $i <sizeof($local_array); $i++) {
if
(!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$",
$local_array[$i])) {
return false;
}
}
if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain
is IP. If not, it should be valid domain name
$domain_array = explode(".", $email_array[1]);
if (sizeof($domain_array) <2) {
return false; // Not enough parts to domain
}
for ($i = 0; $i <sizeof($domain_array); $i++) {
if
(!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$",
$domain_array[$i])) {
return false;
}
}
}
return true;
}

session_start();

include("mailer_conf.php"); # Import configuration files

$error_msg = '';
$_POST['image_code'] = trim($_POST['image_code']);

// check for header injection from _POST
$header_injections = array("Content-Type:", "MIME-Version:",
"Content-Transfer-Encoding:", "bcc:", "cc:");
foreach($_POST as $k => $v){
$v = strtolower($v);
foreach($header_injections as $v2){
$v2 = strtolower($v2);
if(strpos($_POST[$v], $v2) !== false){
$error_msg .= $header_injection_msg."<br>";
}
}
}
// Check posted code is same as session ID
if(($_SESSION['image_random_value'] != md5($_POST['image_code']) ||
($_POST['image_code'] == ""))) {
$error_msg .= $incorrect_code_msg."<br>";
}
// Check email address
if (!checkaddaddress($Email)) {
$error_msg .= $invalid_email_msg."<br>";
}
// check required fields
foreach($required_fields as $r){
if ($_POST[$r] == '' ) {
$missing_field .= '<li>'.$r.'</li>';
}
}
// make missing field error rmessage
if ($missing_field <> '') {
$error_msg .= $blank_field_msg."<br>The following fields are
missing<br><ul>".$missing_field."</ul>";
}
// create set of VARs from $_POST
foreach($_POST as $k => $v){
$$k = str_replace("\n", "<br>", $v);
}
// check for header injection in the above VARs
foreach($_POST as $k => $v){
foreach($header_injections as $replace){
$$k = str_replace("$replace", "HEADER INJECTION", $v);
}
}
// make note of users deatils
$timedate = date("G:i:s, D F j, Y");
$sender_info = "$timedate Sent from: " . $_SERVER['HTTP_HOST'] . "
Remote IP: ".$_SERVER['REMOTE_ADDR'] . " Remote Host: " .
$_SERVER['REMOTE_HOST'] . " PHP Auth User: " . $_SERVER['PHP_AUTH_USER'];

include("mailer_conf.php"); # Call again to make sure the Email body has
the right info in it

if ($error_msg == '' ) {
$to = strtolower("$to_name <$to_email>\n");
$from = strtolower("From: $from_name <$from_email>");
$headers = "MIME-Version: 1.0\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\n";
$headers .= $from."\n";
if ($cc_email <> '') {
$headers .= strtolower("cc: $cc_name <$cc_email>\n");
}

mail($to, $form_subject, $email_body, $headers);
echo $message_sent_msg;
} else {
echo $error_msg;
}
session_unset();
session_destroy();
?>





--------------------------------------------------------------------------------
I am using the free version of SPAMfighter for private users.
It has removed 1384 spam emails to date.
Paying users do not have this message in their emails.
Try SPAMfighter for free now!

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация