Bytes | Software Development & Data Engineering Community

Feedback wanted on site with PHP exercises

Hi guys,

I made a site that you all can criticize (you have carte blanche :))

http://thereference.webhop.org

I do appreciate positive feedback though.

Cheers,
Tom Pester
Sep 7 '05 #1

Thx for the tip on securing the mail page sample. I don't have your email
so I'll do it here :)

Cheers,
Tom Pester
Sep 7 '05 #2
"tom pester" wrote:

> Thx for the tip on securing the mail page sample. I don't have your email
> so I'll do it here :)

It's still insecure, Tom.

There's nothing stopping me writing my own form with the "humanSum" and
"sum" fields set to the same value.

In fact I don't even need a form. All I have to do is send a request to this
URL: <http://[your domain]/ma************************@example.com&url=http:
%2F%2Fviagraspam.com&humanSum=0&sendmail=Send+email&sum=0>. I can do that
hundreds of times a second with different email addresses.

I really think you should take this page down until you know what you're
doing.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/
Sep 7 '05 #3
Hi phil,

How would you secure this page?

Cheers,
Tom Pester
Sep 7 '05 #4
"tom pester" wrote:

> Hi phil,
>
> How would you secure this page?
>
> Cheers,
> Tom Pester

By taking it offline!

Turing numbers would help, but if you publish your source code you'll still
make things relatively easy for the spammers:

<http://www.google.com/search?q=%22turing+numbers%22>

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/
Sep 7 '05 #5
> Turing numbers would help

I know about these but I kept it simple and performed another (inadequate)
turing test.
Computers can add with the best of them and it won't be long till they can read those
images too (if they can't already).

> but if you publish your source code you'll
> still make things relatively easy for the spammers:

I made the decision to publish the source code so I would write more secure
code.
I think secure code that solely relies on obfuscation is not good enough.
Code is really secure if a hacker can't break it even if he knows how it's
implemented.

I rewrote the addition test with a session and a measure to avoid replay
attacks.
Can you think of another way to circumvent the test other than to parse the
file and let a computer do the addition?
Sep 7 '05 #6
"tom pester" wrote:

> > Turing numbers would help
>
> I know about these but I kept it simple and performed another (inadequate)
> turing test.
> Computers can add with the best of them and it won't be long till they can read those
> images too (if they can't already).

Not true. Optical character recognition works fine in cases where the
position, size and colour of the characters is approximately known. But
unusual character styles (e.g. <http://www.adsmalta.com/?reason=recover>)
and/or random noise and deformation applied to the image (e.g.
<http://blast4dollars.com/list.php>) make things far more difficult.

On the other hand, extracting two numbers from the HTML source of a web page
and adding them together is ridiculously easy. A combination of
file_get_contents() and simple string matching is all you need.

> > but if you publish your source code you'll
> > still make things relatively easy for the spammers:
>
> I made the decision to publish the source code so I would write more secure
> code.
> I think secure code that solely relies on obfuscation is not good enough.
> Code is really secure if a hacker can't break it even if he knows how it's
> implemented.

Well I suggest you start by learning how to write secure code before you
publish all this stuff. You're really asking for trouble.

> I rewrote the addition test with a session and a measure to avoid replay
> attacks.

A futile effort, unfortunately.

> Can you think of another way to circumvent the test other than to parse the
> file and let a computer do the addition?

Do I need to think of another way? It would take me 5 minutes to write a
script to crack your "security". In another 5 minutes I could have sent
hundreds of emails from your site.

Take the page down before it's too late.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/
Sep 7 '05 #7
Hi Phil,

> On the other hand, extracting two numbers from the HTML source of a
> web page and adding them together is ridiculously easy. A combination
> of file_get_contents() and simple string matching is all you need.

My point is that there is no real difference between the turing numbers and
the addition other than turing numbers are more difficult to read (for now).

> Well I suggest you start by learning how to write secure code before
> you publish all this stuff. You're really asking for trouble.

I don't think the script will get abused easily.
I'll monitor the script and see if it gets abused though.

> > Can you think of another way to circumvent the test other than to
> > parse the file and let a computer do the addition?
>
> Do I need to think of another way? It would take me 5 minutes to write
> a script to crack your "security". In another 5 minutes I could have
> sent hundreds of emails from your site.

Can you take these 5 minutes to come up with a script that cracks the security
without parsing the numbers and doing the addition?
Thx for your time!

Cheers,
Tom Pester
Sep 7 '05 #8
Hi Phil,

I am displaying the source and even php.ini to make my coding style better.
It's hosted at home on one of my PCs with no sensitive data, so if you can
crack it go ahead.

Do you know of any possible attacks that a hacker could launch after seeing
the output of phpInfo?

Cheers,
Tom Pester
Sep 7 '05 #9
"tom pester" wrote:

> > On the other hand, extracting two numbers from the HTML source of a
> > web page and adding them together is ridiculously easy. A combination
> > of file_get_contents() and simple string matching is all you need.
>
> My point is that there is no real difference between the turing numbers and
> the addition other than turing numbers are more difficult to read (for now).

This took 2 minutes to write:

=====================================================
$s = file_get_contents("http://thereference.dyndns.org:30000/MailPage.php");
$re = '/much is ([0-9]+) \+ ([0-9]+) .* humanGuid" value="([^"]+)"/m';
if (preg_match($re,$s,$m)) {
echo 'Access code = ' . (1*$m[1]+1*$m[2]) . "\r\n";
echo 'Session ID = ' . $m[3];
} else echo "Couldn't find numbers";
=====================================================

Now I have the answer to your addition sum, and the session ID from your
"hidden" field. That wasn't difficult, was it?

Turing numbers are nowhere near as vulnerable. Implemented properly, they
are impossible for computers to read successfully without a lot of hard work
targeted at each specific implementation.

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/
Sep 8 '05 #10
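A defender-side sketch of the two checks argued over in this thread, written as an added example and not code from the thread or from Tom's site: the same-form "humanSum"/"sum" comparison Phil attacks in post #3, next to a version that keeps the answer in the session, makes each challenge single-use and short-lived as Tom's post #6 proposes, caps attempts, and sends only to a fixed recipient. The function names, MAIL_TO, MAX_ATTEMPTS and CHALLENGE_TTL are assumptions.

```php
<?php
// Added example, not code from the thread or from thereference.webhop.org.
// Names (weak_check, hardened_check, MAIL_TO, ...) are assumptions.

// Weak check from post #3: the form carries both the expected answer ("sum")
// and the user's answer ("humanSum"), so a client can submit any matching
// pair, and the same request can be replayed as often as it likes.
function weak_check(array $post): bool {
    return isset($post['sum'], $post['humanSum'])
        && $post['sum'] === $post['humanSum'];
}

// Hardened check, in the spirit of post #6 (session + anti-replay):
// the expected answer never leaves the server, every challenge is single-use
// and short-lived, attempts are capped, and the recipient is fixed instead of
// being read from the request, so the page cannot act as an open relay.
const MAIL_TO       = 'owner@example.invalid'; // placeholder, not a real address
const MAX_ATTEMPTS  = 5;                       // per session
const CHALLENGE_TTL = 300;                     // seconds

function new_challenge(array &$session): array {
    $a = random_int(1, 20);
    $b = random_int(1, 20);
    $session['captcha'] = [
        'answer'  => $a + $b,                     // stays server-side
        'nonce'   => bin2hex(random_bytes(16)),   // single-use token
        'expires' => time() + CHALLENGE_TTL,
    ];
    // The page shows "How much is $a + $b ?" and a hidden 'nonce' field only.
    return ['a' => $a, 'b' => $b, 'nonce' => $session['captcha']['nonce']];
}

function hardened_check(array &$session, array $post): bool {
    if (!isset($session['captcha'])) {
        return false;
    }
    $c = $session['captcha'];
    unset($session['captcha']);        // consumed: a replayed request fails
    $session['attempts'] = ($session['attempts'] ?? 0) + 1;
    if ($session['attempts'] > MAX_ATTEMPTS || time() > $c['expires']) {
        return false;
    }
    return isset($post['nonce'], $post['humanSum'])
        && hash_equals($c['nonce'], (string) $post['nonce'])
        && ctype_digit((string) $post['humanSum'])
        && (int) $post['humanSum'] === $c['answer'];
}

// Usage, assuming session_start() has already run:
//   GET  -> $q = new_challenge($_SESSION); render $q['a'], $q['b'], $q['nonce']
//   POST -> if (hardened_check($_SESSION, $_POST)) { mail(MAIL_TO, ...); }
// Caveat from post #10: a scraper that reads the two numbers still solves the
// sum, so the attempt cap and the fixed recipient are what bound the damage.
```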
Hi Phil,

> Now I have the answer to your addition sum, and the session ID from
> your "hidden" field. That wasn't difficult, was it?
>
> Turing numbers are nowhere near as vulnerable. Implemented properly,
> they are impossible for computers to read successfully without a lot
> of hard work targeted at each specific implementation.

I asked for another way but thx for the script anyway...
I know it's easy to parse the numbers but can you think of another way to
abuse that page.

Again, my point is that turing numbers are a good solution _now_ and I will
use them in a commercial site.
But it's only a matter of time before computers can read turing numbers as
easily as they do addition now.

And this page isn't easily exploitable by a bot either. The spammer's bots
won't find this page automatically and if he stumbles upon it he has to do
some custom coding. I think he will go and look for an easier alternative
(which are plentiful).

There are other alternatives that are cost based in which the difficulty
of parsing a test outweighs the profit a spammer makes.
I remember reading a good article in Scientific American about it.

Anyway, this is an exercise of me in making it as secure as possible with
the known limitation that a simple parsing circumvents it if the spammer
takes the trouble (which he won't ;)
Can you look at my question this way and see if there is a flaw in it?

Sep 8 '05 #11
On 2005-09-07, Philip Ronan <in*****@invalid.invalid> wrote:

> "tom pester" wrote:
>
> > Hi Phil,
> >
> > > On the other hand, extracting two numbers from the HTML source of a
> > > web page and adding them together is ridiculously easy. A combination
> > > of file_get_contents() and simple string matching is all you need.
> >
> > My point is that there is no real difference between the turing numbers and
> > the addition other than turing numbers are more difficult to read (for now).
>
> This took 2 minutes to write:
>
> =====================================================
> $s = file_get_contents("http://thereference.dyndns.org:30000/MailPage.php");
> $re = '/much is ([0-9]+) \+ ([0-9]+) .* humanGuid" value="([^"]+)"/m';
> if (preg_match($re,$s,$m)) {
> echo 'Access code = ' . (1*$m[1]+1*$m[2]) . "\r\n";
> echo 'Session ID = ' . $m[3];
> } else echo "Couldn't find numbers";
> =====================================================
>
> Now I have the answer to your addition sum, and the session ID from your
> "hidden" field. That wasn't difficult, was it?

With the simpletest browser you only need to change those fields that
you are interested in ;) (No need to keep track of hidden stuff..)

<?php

ini_set('error_reporting', E_ALL);
ini_set('display_errors', TRUE);
require_once('simpletest/browser.php');

$ua =& new SimpleBrowser;
$ua->get('http://thereference.dyndns.org:30000/MailPage.php');
$content = $ua->getContentAsText();
preg_match('#How much is (\d+) \+ (\d+) \?#', $content, $matches);
$ua->setField('humanSum', $matches[0][1] + $matches[0][2]);
$ua->setField('email', 'p*************@spamgourmet.com');
$ua->setField('url', 'here we go...');
$ua->clickSubmit('Send email');

?>

--
Kind regards,
Tim Van Wassenhove <http://timvw.madoka.be>
Sep 8 '05 #12
Hello Tim,

Kind regards from Antwerp :)

Thanks for sharing that code. That class seems very powerful (more info at
SourceForge: http://sourceforge.net/projects/simpletest/).

I had to change
preg_match('#How much is (\d+) \+ (\d+) \?#', $content, $matches);
$ua->setField('humanSum', $matches[0][1] + $matches[0][2]);
to

preg_match_all('/How much is (\d+) \+ (\d+)/', $content, $matches);
$ua->setField('humanSum', $matches[1][0] + $matches[2][0] );

Could you tell me why your code is a bit different? Is it because I develop
on a Windows system?

I also would like to subscribe to your blog but it errors currently.

Regards,
Tom Pester
Sep 8 '05 #13
