{"id":7,"date":"2006-08-02T16:17:01","date_gmt":"2006-08-02T16:17:01","guid":{"rendered":"http:\/\/kera.name\/articles\/?p=7"},"modified":"2006-09-18T18:23:27","modified_gmt":"2006-09-18T18:23:27","slug":"captcha-if-you-can","status":"publish","type":"post","link":"https:\/\/kera.name\/articles\/2006\/08\/captcha-if-you-can\/","title":{"rendered":"Fighting phpBB spam"},"content":{"rendered":"<p>Forum spam. We all know it&#039;s a problem. The introduction of Visual Confirmation (&#039;CAPTCHA&#039;) mods seemed to fix this problem, at least to those of us naive enough to believe we&#039;d be safe forever.<\/p>\n<p>I&#039;ve been noticing for some months now that on the <a title=\"Newark Hall JCR\" target=\"_blank\" href=\"http:\/\/www.newark-hall.co.uk\">Newark Hall JCR<\/a> forum, spammers seem to get past the Captcha verification with relative ease. I didn&#039;t give it much thought, somewhat putting the whole issue off until a planned revamp of the entire site&#039;s integrated superstructure.<\/p>\n<p>Then my employer came to me asking for a way to stop his Telecom forum being overrun by spammers.<\/p>\n<p>So I got to work.<\/p>\n<p>After a little research (read: Googling) I discovered that the phpBB default Captcha mod had, indeed, been compromised. Further, there was a <a title=\"PWNtcha\" target=\"_blank\" href=\"http:\/\/sam.zoy.org\/pwntcha\/\">whole list of inadequate Captchas<\/a> that have been observed on various websites, and cracked by a tool designed to test just how secure these mechanisms are these days.<\/p>\n<p>The only Captcha currently (and obviously) available for phpBB is right up there in the &#039;defeated captchas&#039; list, with a 97% failure rate.<\/p>\n<blockquote><p>Weaknesses: constant font, no rotation, no deformation, constant colours, weak perturbation.<\/p><\/blockquote>\n<p>Oh dear. 
Logically, then, we need a new captcha.<\/p>\n<p>Alas, as I said before there don&#039;t appear to be any <em>different<\/em> mods for phpBB, so it became clear I would have to write my own. That said, there are still some decent PHP-based captcha scripts out there, so it was more a matter of finding a good one and integrating it into my forum, where the default mod once was.<\/p>\n<p>Roll on <a title=\"Freecap\" target=\"_blank\" href=\"http:\/\/www.puremango.co.uk\/cm_php_captcha_script_113.php\">freecap<\/a> &#8211; not to be confused with the better-known &#034;<em>program for transparency redirect connections from programs through SOCKS server<\/em>&#034; of the same name.<\/p>\n<blockquote><p>freeCap boasts a host of features, not only does it offer strong character obfuscation, using random distortion of text and multiple backgrounds, but it also focuses on the security of the implementation. A lot of CAPTCHAs are secure against OCR attacks, but fail to account for other attacks, such as session re-use and cross-vhost file inclusion on shared servers.<\/p>\n<p>freeCap can output in three different image types, uses a custom GD font for each character, has brute force protection, it&#039;s open source GPL and is totally self-contained &#8211; no need for SQL databases, PEAR, or anything beyond PHP and GD!<\/p><\/blockquote>\n<p>Well ok then!<\/p>\n<p>Immediately I could see that this could go places. Although I could find no source demonstrating that freecap-generated captchas are any stronger than phpBB&#039;s, I also couldn&#039;t find it on any Weaknesses lists and it sounds\/looks pretty strong, so I&#039;m happy for now.<\/p>\n<p>Integrating into phpBB wasn&#039;t &#039;difficult&#039; per se, but of course it was a pain in the ass. 
First I located all the bits of Visual Confirmation code in <span style=\"font-weight: bold\">usercp_register.php<\/span>, commenting them out and marking the area for later use, and stuck a bit of Javascript at the top of <span style=\"font-weight: bold\">profile_add_body.tpl<\/span> that handles auto-refresh of a hard-to-read image.<\/p>\n<p>Then I uploaded <span style=\"font-weight: bold\">freecap.php<\/span>, which generates the image and handles pretty much all of the gruntwork, and images\/gdfonts along with it. Finally, I went back and plugged in the bit of confirmation code where the original mod code used to hang out. The code is pretty simple: it just grabs a couple of session variables and compares a stored hash to the hash of the code entry attempt.<\/p>\n<p>I sort of expected it to work then, but it didn&#039;t.<\/p>\n<p>It didn&#039;t take long to realise that phpBB doesn&#039;t use PHP&#039;s session handling functions. No, it uses its own. Basically, it just stores session data in a database table and throws its own session ID around. Since freecap works on sessions, I had to alter freecap&#039;s internals to use the same system.<\/p>\n<p>This meant putting a few phpBB include lines at the top of <span style=\"font-weight: bold\">freecap.php<\/span>, playing with paths, creating my own column &#039;<span style=\"font-style: italic\">session_freecap<\/span>&#039; in the database table <span style=\"font-style: italic\">sessions<\/span>, then having the script store its originally separate variables as a single pipe-delimited string which could be updated by itself, and parsed by <span style=\"font-weight: bold\">usercp_register.php<\/span>.<\/p>\n<p>Some MySQL statements and a bit of debugging later, and it was done. That said, I&#039;ve yet to see just how effective it will be. 
First things first, though: I need to go and clean out my database of all those unwanted registrations from the past half year.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Forum spam. We all know it&#039;s a problem. The introduction of Visual Confirmation (&#039;CAPTCHA&#039;) mods seemed to fix this problem, at least to those of us naive enough to believe we&#039;d be safe forever. I&#039;ve been noticing for some months now that on the Newark Hall JCR forum, spammers seem to get by the Captcha [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[],"tags":[9,5],"_links":{"self":[{"href":"https:\/\/kera.name\/articles\/wp-json\/wp\/v2\/posts\/7"}],"collection":[{"href":"https:\/\/kera.name\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kera.name\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kera.name\/articles\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kera.name\/articles\/wp-json\/wp\/v2\/comments?post=7"}],"version-history":[{"count":0,"href":"https:\/\/kera.name\/articles\/wp-json\/wp\/v2\/posts\/7\/revisions"}],"wp:attachment":[{"href":"https:\/\/kera.name\/articles\/wp-json\/wp\/v2\/media?parent=7"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kera.name\/articles\/wp-json\/wp\/v2\/categories?post=7"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kera.name\/articles\/wp-json\/wp\/v2\/tags?post=7"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
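To make the verification step concrete, here is an added example of the check that usercp_register.php has to run against a pipe-delimited value kept in the new session_freecap column of the phpBB sessions table. It is not code from the post, from freeCap or from phpBB; the column layout (hash|attempts|issued), the constants and the function names are my assumptions, and the sessions row is an in-memory stand-in rather than a MySQL query. It adds two things the post's description of "compare a stored hash to the hash of the entry attempt" leaves implicit: the stored hash is cleared as soon as an answer is accepted, so one solved image cannot be replayed for further registrations in the same session (the session re-use weakness freeCap's own blurb warns about), and a per-session attempt counter with an expiry caps brute forcing of the image.

```php
<?php
// Added example, not the post's, freeCap's or phpBB's code. Assumed layout of
// the `session_freecap` column: "hash|attempts|issued_at". Constants and
// function names are hypothetical.

const FREECAP_MAX_ATTEMPTS = 5;    // assumed brute-force cap per issued image
const FREECAP_TTL_SECONDS  = 600;  // assumed lifetime of an issued image

/** Value the image generator would store when it issues a new word. */
function freecap_issue(string $word, int $now): string
{
    // Store only a hash, so a dumped sessions table does not reveal the word.
    return implode('|', [sha1(strtolower($word)), 0, $now]);
}

/**
 * Check a submitted word against the stored column value.
 * Returns [bool $ok, string $newColumnValue]; the caller writes the new value
 * back to the sessions row whether or not the answer was accepted.
 */
function freecap_verify(string $stored, string $attempt, int $now): array
{
    $parts = explode('|', $stored, 3);
    if (count($parts) !== 3) {
        return [false, '']; // nothing issued for this session: force a new image
    }
    [$hash, $attempts, $issued] = $parts;
    $attempts = (int) $attempts;
    $issued   = (int) $issued;

    // Expired or hammered: reject regardless of the answer and force a refresh.
    if ($now - $issued > FREECAP_TTL_SECONDS || $attempts >= FREECAP_MAX_ATTEMPTS) {
        return [false, ''];
    }

    // Constant-time comparison; case-folded to match freecap_issue().
    if (hash_equals($hash, sha1(strtolower($attempt)))) {
        // One-time use: clearing the column stops the same solved image from
        // being replayed for a second registration in the same session.
        return [true, ''];
    }
    // Wrong answer: keep the image but count the attempt.
    return [false, implode('|', [$hash, $attempts + 1, $issued])];
}

// Constructed walkthrough with an in-memory stand-in for the sessions row.
$row = ['session_id' => 'abc123', 'session_freecap' => freecap_issue('k7pq2x', 1000)];

// Wrong answer: rejected, attempt counter goes up, image stays valid.
[$ok, $row['session_freecap']] = freecap_verify($row['session_freecap'], 'wrong', 1010);
var_dump($ok, $row['session_freecap']);

// Right answer (case-insensitive): accepted and the column is cleared.
[$ok, $row['session_freecap']] = freecap_verify($row['session_freecap'], 'K7PQ2X', 1020);
var_dump($ok, $row['session_freecap']);

// Replaying the same answer in the same session is rejected.
[$ok, $row['session_freecap']] = freecap_verify($row['session_freecap'], 'K7PQ2X', 1021);
var_dump($ok, $row['session_freecap']);
```

In the real integration the two `return` paths map onto an `UPDATE sessions SET session_freecap = ... WHERE session_id = ...`; what matters is that the update happens on every outcome, since a check that only compares hashes and never clears or counts leaves both the replay and the brute-force paths open no matter how distorted the image is.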