Feeback wanted on site with PHP exercices

Thx for the tip on securing the mail page sample. I don't have your email
so I'll do it here :)

Cheers,
Tom Pester

Hi guys,

I made a site that you all can critize (you have carte blanche :))

http://thereference.webhop.org

I do appreciate postive feedback though.

Cheers,
Tom Pester

"tom pester" wrote:

Thx for the tip on securing the mail page sample. I don't have your email
so I'll do it here :)

It's still insecure, Tom.

There's nothing stopping me writing my own form with the "humanSum" and
"sum" fields set to the same value.

In fact I don't even need a form. All I have to do is send a request to this
URL: <http://[your domain]/ma************************@example.com&url=http:
%2F%2Fviagraspam.com&humanSum=0&sendmail=Send+emai l&sum=0>. I can do that
hundreds of times a second with different email addresses.

I really think you should take this page down until you know what you're
doing.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

Hi phil,

How would you secure this page?

Cheers,
Tom Pester

"tom pester" wrote:

Thx for the tip on securing the mail page sample. I don't have your
email so I'll do it here :)

It's still insecure, Tom.

There's nothing stopping me writing my own form with the "humanSum"
and "sum" fields set to the same value.

In fact I don't even need a form. All I have to do is send a request
to this URL: <http://[your
domain]/ma************************@example.com&url=http:
%2F%2Fviagraspam.com&humanSum=0&sendmail=Send+emai l&sum=0>. I can do
that hundreds of times a second with different email addresses.

I really think you should take this page down until you know what
you're doing.

"tom pester" wrote:

Hi phil,

How would you secure this page?

Cheers,
Tom Pester

By taking it offline!

Turing numbers would help, but if you publish your source code you'll still
make things relatively easy for the spammers:

<http://www.google.com/search?q=%22turing+numbers%22>

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

> Turing numbers would help

I know about these but I kept it simple and performed another (inadequate)
turing test.
Computer can add as the best and it won't be long till they can read those
images too (if they can't already).

but if you publish your source code you'll
still make things relatively easy for the spammers:

I made the decision to publish the source code so I would write more secure
code.
I think secure code that solely relies on obfuscation is not good enough.
Code is really secure if a hacker can't break it even if he knows how its
implemented.

I rewrote the addition test with a session and a measure to avoid replay
attacks.
Can you think of another way to circumvent the test other than to parse the
file and let a computer to the addition?

"tom pester" wrote:

Turing numbers would help
I know about these but I kept it simple and performed another (inadequate)
turing test.
Computer can add as the best and it won't be long till they can read those
images too (if they can't already).

Not true. Optical character recognition works fine in cases where the
position, size and colour of the characters is approximately known. But
unusual character styles (e.g. <http://www.adsmalta.com/?reason=recover>)
and/or random noise and deformation applied to the image (e.g.
<http://blast4dollars.com/list.php>) make things far more difficult.

On the other hand, extracting two numbers from the HTML source of a web page
and adding them together is ridiculously easy. A combination of
file_get_contents() and simple string matching is all you need.

but if you publish your source code you'll
still make things relatively easy for the spammers:

I made the decision to publish the source code so I would write more secure
code.
I think secure code that solely relies on obfuscation is not good enough.
Code is really secure if a hacker can't break it even if he knows how its
implemented.

Well I suggest you start by learning how to write secure code before you
publish all this stuff. You're really asking for trouble.
I rewrote the addition test with a session and a measure to avoid replay
attacks.
A futile effort, unfortunately.
Can you think of another way to circumvent the test other than to parse the
file and let a computer to the addition?

Do I need to think of another way? It would take me 5 minutes to write a
script to crack your "security". In another 5 minutes I could have sent
hundreds of emails from your site.

Take the page down before it's too late.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

Hi Phil,

On the other hand, extracting two numbers from the HTML source of a
web page and adding them together is ridiculously easy. A combination
of file_get_contents() and simple string matching is all you need.
My point is that there is no real difference between the turing numbers and
the addition other than turing number are more difficult to read (fo now).
Well I suggest you start by learning how to write secure code before
you publish all this stuff. You're really asking for trouble.

I don't think the script will get abused easily.
I'll monitor the script and see if it gets abused though.

Can you think of another way to circumvent the test other than to
parse the file and let a computer to the addition?

Do I need to think of another way? It would take me 5 minutes to write
a script to crack your "security". In another 5 minutes I could have
sent hundreds of emails from your site.

Can you take these 5 mintues to come up with a script that cracks the security
without parsing the numbers and do the addition?
Thx for your time!

Cheers,
Tom Pester

Hi Phil,

I am displaying the source and even php.ini to make my coding style better.
It's hosted on 1 of my home on a pc's with no sensitive data so if you can
crack it go ahead.

Do you know of any possible attacks that a hacker could launch after seeing
the output of phpInfo?

Cheers,
Tom Pester

"tom pester" wrote:

Turing numbers would help

I know about these but I kept it simple and performed another
(inadequate)
turing test.
Computer can add as the best and it won't be long till they can read
those
images too (if they can't already).

Not true. Optical character recognition works fine in cases where the
position, size and colour of the characters is approximately known.
But unusual character styles (e.g.
<http://www.adsmalta.com/?reason=recover>) and/or random noise and
deformation applied to the image (e.g.
<http://blast4dollars.com/list.php>) make things far more difficult.

On the other hand, extracting two numbers from the HTML source of a
web page and adding them together is ridiculously easy. A combination
of file_get_contents() and simple string matching is all you need.

but if you publish your source code you'll
still make things relatively easy for the spammers:

I made the decision to publish the source code so I would write more
secure
code.
I think secure code that solely relies on obfuscation is not good
enough.
Code is really secure if a hacker can't break it even if he knows how
its
implemented.

Well I suggest you start by learning how to write secure code before
you publish all this stuff. You're really asking for trouble.

I rewrote the addition test with a session and a measure to avoid
replay attacks.

A futile effort, unfortunately.

Can you think of another way to circumvent the test other than to
parse the file and let a computer to the addition?

Do I need to think of another way? It would take me 5 minutes to write
a script to crack your "security". In another 5 minutes I could have
sent hundreds of emails from your site.

Take the page down before it's too late.

"tom pester" wrote:

Hi Phil,

On the other hand, extracting two numbers from the HTML source of a
web page and adding them together is ridiculously easy. A combination
of file_get_contents() and simple string matching is all you need.

My point is that there is no real difference between the turing numbers and
the addition other than turing number are more difficult to read (fo now).

This took 2 minutes to write:

================================================== ===
$s = file_get_contents("http://thereference.dyndns.org:30000/MailPage.php");
$re = "/much is ([0-9]+) \+ ([0-9]+) .* humanGuid" value="([^"]+)"/m";
if (preg_match($re,$s,$m)) {
echo 'Access code = ' . (1*$m[1]+1*$m[2]) . '\r\n';
echo 'Session ID = ' . $m[3];
} else echo "Couldn't find numbers";
================================================== ===

Now I have the answer to your addition sum, and the session ID from your
"hidden" field. That wasn't difficult, was it?

Turing numbers are nowhere near as vulnerable. Implemented properly, they
are impossible for computers to read successfully without a lot of hard work
targeted at each specific implementation.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

Hi Phil,

Now I have the answer to your addition sum, and the session ID from
your "hidden" field. That wasn't difficult, was it? Turing numbers are nowhere near as vulnerable. Implemented properly,
they are impossible for computers to read successfully without a lot
of hard work targeted at each specific implementation.

I asked for another way but thx for the script anyway...
I know it's easy to parse the numbers but can you think of another way to
abuse that page.

Again, my point is that turing numbers are a good solution _now_ and I will
use them in a commercial site.
But it's only a matter of time before computers can read turing numbers as
easily as tehy do addition now.

And this page isn't easily exploitable by a bot either. The spammer's bots
won't find this page automaticaly and if he stumbles upon it he has to do
some custom coding. I think he will go and look for an eaiser alternative
(which are plentyful).

There are other alternatives that are cost based in which the difficulty
of parsing a test outweighs the profit a spammer makes.
I remember reading a good article in scientific american about it.

Anyway, this is an exercice of me in making it as secure as possible with
the known limitation that a simple parsing circomvents it if the spammer
takes the trouble (which he won't ;)
Can you look at my question this way and see if there is a flaw in it?

On 2005-09-07, Philip Ronan <in*****@invalid.invalid> wrote:

"tom pester" wrote:

Hi Phil,

On the other hand, extracting two numbers from the HTML source of a
web page and adding them together is ridiculously easy. A combination
of file_get_contents() and simple string matching is all you need.

My point is that there is no real difference between the turing numbers and
the addition other than turing number are more difficult to read (fo now).

This took 2 minutes to write:

================================================= ====
$s = file_get_contents("http://thereference.dyndns.org:30000/MailPage.php");
$re = "/much is ([0-9]+) \+ ([0-9]+) .* humanGuid" value="([^"]+)"/m";
if (preg_match($re,$s,$m)) {
echo 'Access code = ' . (1*$m[1]+1*$m[2]) . '\r\n';
echo 'Session ID = ' . $m[3];
} else echo "Couldn't find numbers";
================================================= ====

Now I have the answer to your addition sum, and the session ID from your
"hidden" field. That wasn't difficult, was it?

With the simpletest browser you only need to change those fields that
you are interested in ;) (No need to keep track of hidden stuff..)

<?php

ini_set('error_reporting', E_ALL);
ini_set('display_errors', TRUE);
require_once('simpletest/browser.php');

$ua =& new SimpleBrowser;
$ua->get('http://thereference.dyndns.org:30000/MailPage.php');
$content = $ua->getContentAsText();
preg_match('#How much is (\d+) \+ (\d+) \?#', $content, $matches);
$ua->setField('humanSum', $matches[0][1] + $matches[0][2]);
$ua->setField('email', 'p*************@spamgourmet.com');
$ua->setField('url', 'here we go...');
$ua->clickSubmit('Send email');

?>

--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>

Hallo Tim,

Vriendelijke groetjes uit Antwerpen :)

Thanks for sharing that code. That class seems very powerful (more info at
sourceforge : http://sourceforge.net/projects/simpletest/).

I had to change

preg_match('#How much is (\d+) \+ (\d+) \?#', $content, $matches);
$ua->setField('humanSum', $matches[0][1] + $matches[0][2]);
to

preg_match_all('/How much is (\d+) \+ (\d+)/', $content, $matches);
$ua->setField('humanSum', $matches[1][0] + $matches[2][0] );

Could you tell me why your code is a bit different. Is it because I develop
on a windows system?

I also would like to subscribe to your blog but it errors currently.

Groetjes,
Tom Pester
On 2005-09-07, Philip Ronan <in*****@invalid.invalid> wrote:

"tom pester" wrote:

Hi Phil,

On the other hand, extracting two numbers from the HTML source of a
web page and adding them together is ridiculously easy. A
combination of file_get_contents() and simple string matching is
all you need.

My point is that there is no real difference between the turing
numbers and the addition other than turing number are more difficult
to read (fo now).

This took 2 minutes to write:

================================================== ===
$s =
file_get_contents("http://thereference.dyndns.org:30000/MailPage.php"
);
$re = "/much is ([0-9]+) \+ ([0-9]+) .* humanGuid"
value="([^"]+)"/m";
if (preg_match($re,$s,$m)) {
echo 'Access code = ' . (1*$m[1]+1*$m[2]) . '\r\n';
echo 'Session ID = ' . $m[3];
} else echo "Couldn't find numbers";
================================================== ===
Now I have the answer to your addition sum, and the session ID from
your "hidden" field. That wasn't difficult, was it?

With the simpletest browser you only need to change those fields that
you are interested in ;) (No need to keep track of hidden stuff..)

<?php

ini_set('error_reporting', E_ALL);
ini_set('display_errors', TRUE);
require_once('simpletest/browser.php');
$ua =& new SimpleBrowser;
$ua->get('http://thereference.dyndns.org:30000/MailPage.php');
$content = $ua->getContentAsText();
preg_match('#How much is (\d+) \+ (\d+) \?#', $content, $matches);
$ua->setField('humanSum', $matches[0][1] + $matches[0][2]);
$ua->setField('email', 'p*************@spamgourmet.com');
$ua->setField('url', 'here we go...');
$ua->clickSubmit('Send email');
?>