Pixelpost

  #31  
Old 07-08-2005, 12:27 AM
riken Offline
pp veteran
 
Join Date: Apr 2005
Location: In VB Hell!
Posts: 87
Hey Andy,

In anti_comment_spam.php (near the bottom) is
Code:
function audit() {
  session_start();
  $digit = $_SESSION['digit'];
  $userinput = $_POST['userinput'];
  session_destroy();

  if (($digit == $userinput) && ($digit > 1)) {
    return true;
  } else {
    return false;
  }

}
change it to
Code:
function audit() {
  session_start();
  $digit = $_SESSION['digit'];
  $userinput = $_POST['userinput'];
  //session_destroy();

  if (($digit == $userinput) && ($digit > 1)) {
    return true;
  } else {
    return false;
  }

}
(Just comment out the session_destroy line.)

See if that works.
Thanks

Riken
  #32  
Old 07-08-2005, 05:27 PM
Connie
Guest
 
Posts: n/a
please, do not de-activate "session-destroy" as this would make the whole thing unsafe,

Quote:
Most CAPTCHAs don't destroy the session when the correct phrase is entered. So by reusing the session id of a known CAPTCHA image, it is possible to automate requests to a CAPTCHA-protected page.
read more here: http://www.puremango.co.uk/cm_breaking_captcha_115.php

this page also claims "our" captcha, which is derived from "audit" as "non vulnerable" so please do not break it

I will try to find time and concentration to clear this situation, as this situation makes me feel uncomfortable...
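The point made in the post above, as an added example that is not part of the thread or of the add-on's own code: the stored answer is consumed on every check, pass or fail, so a solved image cannot be replayed with the same session id, and only the CAPTCHA key is cleared rather than the whole session. The names captcha_issue(), captcha_audit() and captcha_digit are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example; captcha_issue(), captcha_audit() and the 'captcha_digit'
// session key are hypothetical names, not taken from anti_comment_spam.php.

function captcha_issue(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // random_int() draws from the OS CSPRNG (PHP 7+).
    $digit = (string) random_int(10000, 99999);
    $_SESSION['captcha_digit'] = $digit;
    return $digit; // rendered into the image only, never into the HTML
}

function captcha_audit(array $post): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['captcha_digit'] ?? null;
    // Consume the challenge before comparing it, so one solved image cannot
    // be submitted twice under the same session id, whether it passes or not.
    unset($_SESSION['captcha_digit']);

    $given = $post['userinput'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false; // no pending challenge (stale form) or no input
    }
    // String comparison without PHP's numeric type juggling of '=='.
    return hash_equals($expected, $given);
}

// Constructed demonstration for the command line (php example.php).
if (PHP_SAPI === 'cli') {
    $code = captcha_issue();
    // First submission of the correct code.
    var_dump(captcha_audit(['userinput' => $code]));
    // Replay of the same answer against the same session.
    var_dump(captcha_audit(['userinput' => $code]));
    // Fresh challenge, empty answer.
    captcha_issue();
    var_dump(captcha_audit(['userinput' => '']));
}
```

A form shown again from the browser cache after a post fails this check, because its code has already been consumed; the page has to request a fresh image before a second comment can pass.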
  #33  
Old 07-10-2005, 04:27 PM
Connie
Guest
 
Posts: n/a
I made a new version 1.0.2 ...

I made a new version 1.0.2, which hopefully will work efficiently now:

you can test it at http://www.hafenfotografen.de/pp141

you can download it at:
http://www.bildgier.de/download/anti...addon_v102.zip

what is changed:

- the SAVE-USER-INFO-checkbox is taken off, avoiding conflicts with other cookies + raising security

- if cookies are not set or a HTML-source-code is validated by http://validator.w3.org/ PHP adds the actual sessionid as URL-parameter to the links. If the separator-character, which is set in the php.ini, is not defined masked, this added '&' generated validator errors en masse
so the default value from php.ini is overwritten now to '&' and these problems should be eliminated

please test it and tell me if it is ok now.

If yes, I would gladly upload it to the official AddOn-Page
if not, I will take care of it (or ask for help) when I am back wednesday evening

I am curious if it is working now in the way it should, I had no problems when testing :roll:
  #34  
Old 07-10-2005, 04:34 PM
blinking8s+ Offline
über loafer
 
Join Date: Oct 2004
Location: Bowling Green, Ky
Posts: 3,428
connie, you should start a new thread for 1.0.2
__________________
i should say more clever stuff
  #35  
Old 07-10-2005, 05:31 PM
Connie
Guest
 
Posts: n/a
I thought about that, but I wanted first those who were involved in that to check whether it is ok or not, especially Andy (japanwindow)

if it's ok, I will announce it with a new thread

my problem is that I could not reproduce all these problems others had and so I want to have their answers first :cry:
  #36  
Old 07-11-2005, 03:59 PM
riken Offline
pp veteran
 
Join Date: Apr 2005
Location: In VB Hell!
Posts: 87
Seems ok to me. Getting rid of the "save user" checkbox means that you can't trigger the bug, so it looks ok to me.

Might still want to check with Andy though...
__________________
Riken
Photoblog: Distant Imagery
  #37  
Old 07-13-2005, 03:03 PM
japanwindow Offline
pp veteran
 
Join Date: May 2005
Location: Japan
Posts: 85
Still a problem

I can still recreate the problem. I'll describe in detail what is happening AND show screen shots below.

It's no problem to post a comment.

If I go to another page and post a comment, that's also no problem.

If I return to the same page and hit "Refresh" then posting a comment is also no problem.

BUT there is a problem if I post a comment THEN:
a) hit the back arrow, or
b) click the link that says "Return to the page you were just viewing"

If I do "a" or "b" then the same code number appears again that I saw the previous time. And even though I enter the number correctly, I get a "wrong number" error.

By the way, I tried manually deleting my user cookie -- in case the old cookie was causing the problem -- but that didn't help.

At least I think this isolates the issue. A page must be refreshed in order to leave a second comment. Period. Hitting the back arrow doesn't refresh the page, so that doesn't work. I'm betting that the link to "Return to the page you were just viewing" is just a JavaScript "Back Arrow" so it's not refreshing the page either.

A simple solution would be to have the image template refreshed, but that may be difficult in actual practice. Having the page auto refresh all the time would slow down the site for normal surfing...

By the way, this problem obviously will NOT affect comments in pop-up boxes -- only people who have comments integrated into their image template. People with pop-up comments should have nothing to worry about even with the 1.01 version I'm betting.

(I suppose one solution would be to say this anti-spam feature only works correctly with pop up comments...)

Ok, here's the screen shots as described above:

__________________
========================
Photosensibility
http://www.photosensibility.com
  #38  
Old 07-13-2005, 08:28 PM
Connie
Guest
 
Posts: n/a
Andy,

thanks very much for testing... I will check it tomorrow evening, just came back from a 3-day-business-trip and it's very hot here in Germany in the moment...
Reply With Quote
  #39  
Old 07-14-2005, 01:39 AM
japanwindow Offline
pp veteran
 
Join Date: May 2005
Location: Japan
Posts: 85
Bummer, but more bad news

I thought the problem would not affect pop-up windows, but maybe I was wrong. I just went and tested the comment form on your site. The very first time that I tried to leave a comment I got a "wrong code" error. I really can't imagine why it wouldn't work -- maybe I have the keyboard of death.

I tried again and again and could never leave a comment there. Just in case, the only odd thing that occurs to me is that I just upgraded Firefox last night to the newest upgrade. Other than that, I just followed your link and clicked on Comment. I didn't enter an email address, but filled in all the other blanks.

Here are the screen shots:

__________________
========================
Photosensibility
http://www.photosensibility.com
  #40  
Old 07-14-2005, 05:58 AM
Connie
Guest
 
Posts: n/a
I really cannot reproduce this at all, because I use nearly the same code as many many other captcha-scripts...

and I do not want to give up this idea, I will add a re-load-link into the form like this: "if it's not working, reload here..." and will check out if it's better...

I saw this in other captcha-forms already, maybe because of the same reasons, just titled like "I cannot read this, give me another code".. :cry:
All times are GMT.