Feeback wanted on site with PHP exercices

Thx for the tip on securing the mail page sample. I don't have your email
so I'll do it here :)

Cheers,
Tom Pester

Hi guys,

I made a site that you all can critize (you have carte blanche :))

http://thereference.webhop.org

I do appreciate postive feedback though.

Cheers,
Tom Pester

"tom pester" wrote:

Thx for the tip on securing the mail page sample. I don't have your email
so I'll do it here :)

It's still insecure, Tom.

There's nothing stopping me writing my own form with the "humanSum" and
"sum" fields set to the same value.

In fact I don't even need a form. All I have to do is send a request to this
URL: <http://[your domain]/ma************* ***********@exa mple.com&url=ht tp:
%2F%2Fviagraspa m.com&humanSum= 0&sendmail=Send +email&sum=0>. I can do that
hundreds of times a second with different email addresses.

I really think you should take this page down until you know what you're
doing.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

Hi phil,

How would you secure this page?

Cheers,
Tom Pester

"tom pester" wrote:

Thx for the tip on securing the mail page sample. I don't have your
email so I'll do it here :)

It's still insecure, Tom.

There's nothing stopping me writing my own form with the "humanSum"
and "sum" fields set to the same value.

In fact I don't even need a form. All I have to do is send a request
to this URL: <http://[your
domain]/ma************* ***********@exa mple.com&url=ht tp:
%2F%2Fviagraspa m.com&humanSum= 0&sendmail=Send +email&sum=0>. I can do
that hundreds of times a second with different email addresses.

I really think you should take this page down until you know what
you're doing.

"tom pester" wrote:

Hi phil,

How would you secure this page?

Cheers,
Tom Pester

By taking it offline!

Turing numbers would help, but if you publish your source code you'll still
make things relatively easy for the spammers:

<http://www.google.com/search?q=%22tur ing+numbers%22>

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

> Turing numbers would help

I know about these but I kept it simple and performed another (inadequate)
turing test.
Computer can add as the best and it won't be long till they can read those
images too (if they can't already).

but if you publish your source code you'll
still make things relatively easy for the spammers:

I made the decision to publish the source code so I would write more secure
code.
I think secure code that solely relies on obfuscation is not good enough.
Code is really secure if a hacker can't break it even if he knows how its
implemented.

I rewrote the addition test with a session and a measure to avoid replay
attacks.
Can you think of another way to circumvent the test other than to parse the
file and let a computer to the addition?

"tom pester" wrote:

Turing numbers would help
I know about these but I kept it simple and performed another (inadequate)
turing test.
Computer can add as the best and it won't be long till they can read those
images too (if they can't already).

Not true. Optical character recognition works fine in cases where the
position, size and colour of the characters is approximately known. But
unusual character styles (e.g. <http://www.adsmalta.co m/?reason=recover >)
and/or random noise and deformation applied to the image (e.g.
<http://blast4dollars.c om/list.php>) make things far more difficult.

On the other hand, extracting two numbers from the HTML source of a web page
and adding them together is ridiculously easy. A combination of
file_get_conten ts() and simple string matching is all you need.

but if you publish your source code you'll
still make things relatively easy for the spammers:

I made the decision to publish the source code so I would write more secure
code.
I think secure code that solely relies on obfuscation is not good enough.
Code is really secure if a hacker can't break it even if he knows how its
implemented.

Well I suggest you start by learning how to write secure code before you
publish all this stuff. You're really asking for trouble.
I rewrote the addition test with a session and a measure to avoid replay
attacks.
A futile effort, unfortunately.
Can you think of another way to circumvent the test other than to parse the
file and let a computer to the addition?

Do I need to think of another way? It would take me 5 minutes to write a
script to crack your "security". In another 5 minutes I could have sent
hundreds of emails from your site.

Take the page down before it's too late.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

Hi Phil,

On the other hand, extracting two numbers from the HTML source of a
web page and adding them together is ridiculously easy. A combination
of file_get_conten ts() and simple string matching is all you need.
My point is that there is no real difference between the turing numbers and
the addition other than turing number are more difficult to read (fo now).
Well I suggest you start by learning how to write secure code before
you publish all this stuff. You're really asking for trouble.

I don't think the script will get abused easily.
I'll monitor the script and see if it gets abused though.

Can you think of another way to circumvent the test other than to
parse the file and let a computer to the addition?

Do I need to think of another way? It would take me 5 minutes to write
a script to crack your "security". In another 5 minutes I could have
sent hundreds of emails from your site.

Can you take these 5 mintues to come up with a script that cracks the security
without parsing the numbers and do the addition?
Thx for your time!

Cheers,
Tom Pester

Hi Phil,

I am displaying the source and even php.ini to make my coding style better.
It's hosted on 1 of my home on a pc's with no sensitive data so if you can
crack it go ahead.

Do you know of any possible attacks that a hacker could launch after seeing
the output of phpInfo?

Cheers,
Tom Pester

"tom pester" wrote:

Turing numbers would help

I know about these but I kept it simple and performed another
(inadequate)
turing test.
Computer can add as the best and it won't be long till they can read
those
images too (if they can't already).

Not true. Optical character recognition works fine in cases where the
position, size and colour of the characters is approximately known.
But unusual character styles (e.g.
<http://www.adsmalta.co m/?reason=recover >) and/or random noise and
deformation applied to the image (e.g.
<http://blast4dollars.c om/list.php>) make things far more difficult.

On the other hand, extracting two numbers from the HTML source of a
web page and adding them together is ridiculously easy. A combination
of file_get_conten ts() and simple string matching is all you need.

but if you publish your source code you'll
still make things relatively easy for the spammers:

I made the decision to publish the source code so I would write more
secure
code.
I think secure code that solely relies on obfuscation is not good
enough.
Code is really secure if a hacker can't break it even if he knows how
its
implemented.

Well I suggest you start by learning how to write secure code before
you publish all this stuff. You're really asking for trouble.

I rewrote the addition test with a session and a measure to avoid
replay attacks.

A futile effort, unfortunately.

Can you think of another way to circumvent the test other than to
parse the file and let a computer to the addition?

Do I need to think of another way? It would take me 5 minutes to write
a script to crack your "security". In another 5 minutes I could have
sent hundreds of emails from your site.

Take the page down before it's too late.

"tom pester" wrote:

Hi Phil,

On the other hand, extracting two numbers from the HTML source of a
web page and adding them together is ridiculously easy. A combination
of file_get_conten ts() and simple string matching is all you need.

My point is that there is no real difference between the turing numbers and
the addition other than turing number are more difficult to read (fo now).

This took 2 minutes to write:

=============== =============== =============== ========
$s = file_get_conten ts("http://thereference.dy ndns.org:30000/MailPage.php");
$re = "/much is ([0-9]+) \+ ([0-9]+) .* humanGuid" value="([^"]+)"/m";
if (preg_match($re ,$s,$m)) {
echo 'Access code = ' . (1*$m[1]+1*$m[2]) . '\r\n';
echo 'Session ID = ' . $m[3];
} else echo "Couldn't find numbers";
=============== =============== =============== ========

Now I have the answer to your addition sum, and the session ID from your
"hidden" field. That wasn't difficult, was it?

Turing numbers are nowhere near as vulnerable. Implemented properly, they
are impossible for computers to read successfully without a lot of hard work
targeted at each specific implementation.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/