[dokuwiki] Re: Plugin captcha -
- From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
- To: DokuWiki Mailinglist <dokuwiki@xxxxxxxxxxxxx>
- Date: Thu, 2 Feb 2017 19:52:24 +0100
I don't understand the new code, but I did assume that the function
retrieveCaptchaCookie() is doing it. My thoughts are that img.php
should be a function inside helper.php and the retrieveCaptchaCookie()
should be called from the new function. Anyway.
The thing this works is like this:
1. The function getHTML() creates the form to input the captcha. In
there a new random code is created. this random code is saved in the
cookie (specific to the user and this random code).
2. An encrypted version of the random code (secret) is sent to the browser.
3. The browser uses the secret to request an image (img.php)
4. img.php decrypts the secret and sends the img showing the code.
5. the user reads the image and sends back the secret and the code he read.
6. the check() method takes both and decrypts the secret to get the
original random code. it then compares the code with the one the user
entered. it also checks a cookie for that code and the user exists.
only if both conditions are succeed the captcha is accepted. the
cookie is deleted then
So yes a user can reuse a secret and send it again and again to the
img.php and always sees the same code. But the img.php is not involved
in any checking. it just displays an image.
A user can also read a code once and then send the correct code and
the secret again and again in step 5. However step 6 should fail then
because once the secret+code was used it should no longer be usable as
the cookie is gone.
Anyway all this is how it should work, but for some reason you still
get spam through. So we have to figure out what goes wrong.
Here is what we should look into:
1. Your spammer always requests the image. Does he always request it
with the same secret? Or is it a new one each time?
2. You say you can supress the spam by adding a die() in img.php - is
this really all you do? Because as I said, the image wouldn't be
needed for an attack of the system itself. It would only be needed if
the spammer is actually solving the captcha - either manually or by
OCR.
3. OCR seems unlikely as there should be at least some failures
visible in the log.
4. you said the spam does not correspondent to the log entries. how
much spam did you get? could it be that you only got one spam message
(per IP)? It could be that the spammer is using some browser
automation tool. He gets a new IP, enters one spam manually and
records it, then runs a replay attack which now fails. That way the
first manual spam would go through and all others would fail.
It's of course entirely possible that I'm missing some flaw in my
implementation.
Andi
--
splitbrain.org
--
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
Other related posts:
