Forum spam. We all know it's a problem. The introduction of Visual Confirmation ('CAPTCHA') mods seemed to fix this problem, at least to those of us naive enough to believe we'd be safe forever.
I've been noticing for some months now that on the Newark Hall JCR forum, spammers seem to get by the Captcha verification with relative ease. I didn't give it much thought, somewhat putting the whole issue off until a planned revamp of the entire site's integrated superstructure.
Then my employer came to me asking for a way to stop his Telecom forum being overridden by spammers.
So I got to work.
After a little research (read: Googling) I discovered that the phpBB default Captcha mod had, indeed, been compromised. Further, there was a whole list of inadequate Captchas that have been observed on various websites, and cracked by a tool designed to test just how secure these mechanisms are these days.
The only Captcha currently (and obviously) available for phpBB is right up there in the 'defeated captchas' list, with a 97% failure rate.
Weaknesses: constant font, no rotation, no deformation, constant colours, weak perturbation.
Oh dear. Logically, then, we need a new capture.
Alas, as I said before there don't appear to be any different mods for phpBB, so it became clear I would have to write my own. That said, there are still some decent PHP-based captcha scripts out there, so it was more a matter of finding a good one and integrating it into my forum, where the default mod once was.
Roll on freecap – not to be confused with the more well-known "program for transparency redirect connections from programs through SOCKS server" of the same name.
freeCap boasts a host of features, not only does it offer strong character obfuscation, using random distortion of text and multiple backgrounds, but it also focuses on the security of the implementation. A lot of CAPTCHAs are secure against OCR attacks, but fail to account for other attacks, such as session re-use and cross-vhost file inclusion on shared servers.
freeCap can output in three different image types, uses a custom GD font for each character, has brute force protection, it's open source GPL and is totally self-contained – no need for SQL databases, PEAR, or anything beyond PHP and GD!
Well ok then!
Immediately I could see that this could go places. Although I could find no source demonstrating that freecap-generated captchas are any stronger than phpBB's, I also couldn't find it on any Weaknesses lists and it sounds/looks pretty strong, so I'm happy for now.
Then I uploaded freecap.php which generates the image and handles pretty much all of the gruntwork, and images/gdfonts along with it. Finally, I went back and plugged in the bit of confirmation code where the original mod code used to hang out. Pretty simple code, it just grabs a couple of session variables and compares a stored hash to the hash of the code entry attempt.
I sort of expected it to work then, but it didn't.
It didn't take long to realise that phpBB doesn't use PHP's session handling functions. No, it uses its own. Basically, it just stores session data in a database table and throws its own session ID around. Since freecap works on sessions, I had to alter freecap's internals to use the same system.
This meant putting a few phpBB include lines at the top of freecap.php, playing with paths, creating my own column 'session_freecap' in the database table sessions, then having the script store its originally seperate variables as a single pipe-delimited string which could be updated by itself, and parsed by usercp_register.php.
Some MySQL statements and a bit of debugging later, and it was done. That said, I've yet to see just how effective it will be. First things first, though: I need to go and clean out my database of all those unwanted registrations from the past half year.