[dokuwiki] Re: Plugin captcha -

• From: "K. Peter" <kp@xxxxxxxx>
• To: dokuwiki@xxxxxxxxxxxxx
• Date: Thu, 02 Feb 2017 16:11:11 +0100

New release is out. No way around storing some info on the server...
but this should have the lowest impact on usability (for developers
and endusers) but make all replay attacks impossible. See
https://github.com/splitbrain/dokuwiki-plugin-captcha/commit/a285df67bba92c0e515b79f89013d7edbd478251
for details.

Andi

Many thanks. I'll check it out.

Unfortunately it doesn't solve the problem. Here one entry from the log:

46.246.41.184 - - [02/Feb/2017:14:37:20 +0100] "GET /doku.php/blog/2015/07/17_courier_imap_with_tls HTTP/1.0" 200 29964 "https://blog.dyndn.es/doku.php/blog/2015/07/17_courier_imap_with_tls"; "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
46.246.41.184 - - [02/Feb/2017:14:37:20 +0100] "GET /lib/plugins/captcha/img.php?secret=3QgLLTtHvDAN7RnBAq24zrgnsa7Y%2FWw5GON1BoMVydc%3D&id=blog:2015:07:17_courier_imap_with_tls HTTP/1.0" 200 8743 "https://blog.dyndn.es/doku.php/blog/2015/07/17_courier_imap_with_tls"; "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
46.246.41.184 - - [02/Feb/2017:14:37:21 +0100] "POST /doku.php/blog/2015/07/17_courier_imap_with_tls HTTP/1.0" 302 - "https://blog.dyndn.es/doku.php/blog/2015/07/17_courier_imap_with_tls"; "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
46.246.41.184 - - [02/Feb/2017:14:37:21 +0100] "GET /doku.php/blog/2015/07/17_courier_imap_with_tls HTTP/1.0" 200 38261 "https://blog.dyndn.es/doku.php/blog/2015/07/17_courier_imap_with_tls"; "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"

The difference what I see is that the POST returns now with code 302 (and empty size). But with the following (last) GET the content will be loaded (IMHO). I think the root cause is with the "GET /lib/plugins/captcha/img.php?secret=...". This creates a valid captca(code) which can be used. Still, if you put this in the address bar of a browser:

https://blog.dyndn.es/lib/plugins/captcha/img.php?secret=pDlmFLiP%2FavgP8203Y%2BmLMWgMjumpKjRsb5xf%2F%2FWtJo%3D&id=blog:2015:07:17_courier_imap_with_tls

you get always the same captcha code: JNYDYQ. There is no check for the cookie - and can't be as the helper.php is not called. In case the page will be reloaded in a browser a cookie will be created. But not with the used technique by the spammer. And yes, the version is the one from the commit above and the code of your commit is in my helper.php.

Kai

--
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist

• Follow-Ups:
  • [dokuwiki] Re: Plugin captcha -
    • From: Andreas Gohr

• References:
  • [dokuwiki] Plugin captcha -
    • From: K. Peter
  • [dokuwiki] Re: Plugin captcha -
    • From: Andreas Gohr
  • [dokuwiki] Re: Plugin captcha -
    • From: K. Peter
  • [dokuwiki] Re: Plugin captcha -
    • From: Andreas Gohr
  • [dokuwiki] Re: Plugin captcha -
    • From: Andreas Gohr
  • [dokuwiki] Re: Plugin captcha -
    • From: K. Peter

Other related posts:

• » [dokuwiki] Plugin captcha -- K. Peter
• » [dokuwiki] Re: Plugin captcha -- Andreas Gohr
• » [dokuwiki] Re: Plugin captcha -- K. Peter
• » [dokuwiki] Re: Plugin captcha -- Andreas Gohr
• » [dokuwiki] Re: Plugin captcha -- Andreas Gohr
• » [dokuwiki] Re: Plugin captcha -- K. Peter
• » [dokuwiki] Re: Plugin captcha - - K. Peter
• » [dokuwiki] Re: Plugin captcha -- Andreas Gohr
• » [dokuwiki] Re: Plugin captcha -- K. Peter
• » [dokuwiki] Re: Plugin captcha -- K. Peter
• » [dokuwiki] Re: Plugin captcha -- Andreas Gohr
• » [dokuwiki] Re: Plugin captcha -- K. Peter
• » [dokuwiki] Re: Plugin captcha -- Andreas Gohr
• » [dokuwiki] Re: Plugin captcha -- K. Peter

1. Home
2. dokuwiki
3. Archive
4. 02-2017

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---