Most Simple Comment Spam protection for 1.4.x - Page 2

Most Simple Comment Spam protection for 1.4.x

Started by pinpoint222, September 14, 2006, 06:24:21 PM

ceesjoore

Quote from: ceesjoore on November 05, 2006, 06:33:50 PM
@pinpoint222 

OK, now it looks good, all text in one line now :D

Thanks for helping me out.
Now I have a different problem: when I put a comment by a photo like this http://www.ceesjoore.nl/coppermine/displayimage.php?album=32&pos=12

the comment is added by this photo http://www.ceesjoore.nl/coppermine/displayimage.php?pos=-194
I am very confused ???

pinpoint222

Hi

Solution is here

Yes. I tried it on your site, but I found the problem seems to be the way Coppermine memorizes data or saves it in the cookies (correct me if I am wrong please), so the previous data is also posted along with the new data.

What I did: I flushed the memory before sending new data. Now it won't double post or cross post.

1- Open theme.php and find this

Quote
// HTML template for the form to add comments
$template_add_your_comment = <<<EOT

       <form method="post" name="post" action="db_input2.php">
                <table align="center" width="{WIDTH}" cellspacing="1" cellpadding="0" class="maintable" bgcolor="#FFFFFF">
                        <tr>
                                        <td width="100%" class="tableh2_compact"><b>{ADD_YOUR_COMMENT}</b></td>



2-- Replace it with this

Quote
// Start flushing the previous data memory.
// These resets must be PHP statements placed before the heredoc: a <?php ... ?>
// block written inside the <<<EOT string is plain text and is never executed.
$msg_author = "";
$msg_body = "";
$toxic = "";
// end flushing the previous data memory

// HTML template for the form to add comments
$template_add_your_comment = <<<EOT

        <form method="post" name="post" action="db_input2.php">
                <table align="center" width="{WIDTH}" cellspacing="1" cellpadding="0" class="maintable" bgcolor="#FFFFFF">
                        <tr>
                                        <td width="100%" class="tableh2_compact"><b>{ADD_YOUR_COMMENT}</b></td>


That's it. So now all the previous names and comments in the memory (cookies??) will be flushed empty, and when the visitor clicks OK it will carry only new data. Also the visitor will not be able to comment on the same image more than once...

It will work.. just edit theme.php..

ceesjoore

Quote from: pinpoint222 on November 05, 2006, 08:04:15 PM
It will work.. just edit theme.php..

The problem stays: all the comments are added by this picture http://www.ceesjoore.nl/coppermine/displayimage.php?pos=-194

pinpoint222

Brother.. it seems that it is your Coppermine gallery database problem; that is why you are having this problem. It is not caused by my hack at all. My hack doesn't target any specific image or URL: either it affects all or it affects none.

Ask about that comment posting problem with the CPG developer team in the Miscellaneous section.

I have checked it on my testing domain gallery too. This hack doesn't cross post comments.

You can check it at my testing domain.. the domain URL is in the image attached..

ceesjoore


pinpoint222

Ah!.. improper theme.php changes led to your issue. I shall sum up the whole mod into a zip file and attach it here soon so confusion and errors do not occur for readers reading this mod.


pinpoint222

Here is the MOD, complete and final, with instructions.

Simply download and unzip the attachment.

It contains

1-- Most Simple Comment Spam protection for 1.doc   (MS WORD version Manual)
2-- Most Simple Comment Spam protection.pdf (pdf version Manual)
3-- done.php file
4-- capimage.jpg  File
5-- db_input2.php File

Read the instructions in the DOC or PDF and apply the Mod. :)




JohnM-UK


JohnM-UK

Well, almost working. Still getting some spam. I guess someone is posting manually..?!

pinpoint222

To all the readers of this mod: here is something I have discovered.

Spam bots read the URLs and store the absolute URL information for spamming.
Now everyone knows that the URL of db_input.php will always be something like
pathtocpgfolder/db_input.php

So the spam bots simply call db_input.php, and the spam is posted easily, as the location of db_input.php is always the root of the cpg folder and its file name does not change.

So the solution:

1-- Apply this Mod from zipped folder carefully
2-- Open the db_input.php

Find this

Quote
require('include/init.inc.php');
require('include/picmgmt.inc.php');
require('include/mailer.inc.php');
require('include/smilies.inc.php');


and change it to this

Quote

require('include/init.inc.php');
require('include/picmgmt.inc.php');
require('include/mailer.inc.php');
require('include/smilies.inc.php');

// Any POST that carries a comment body was not sent through this mod's
// db_input2.php form, so it is not stored; the sender is redirected instead.
// isset() avoids an undefined-index notice when the field is absent.
if (isset($_POST['msg_body']) && $_POST['msg_body'] != '') {
    header('Location: done.php');
    die();
}


And that is it.

What does it do, for information:

1-- msg_body means the comment message posted (by a spam bot, most likely).
2-- This small script checks whether msg_body has any data or not. If it has any data (comment), then that comment is not posted and the spam bot is taken to the done.php page. If there is no data (comment), then the regular function of db_input.php continues.

3-- And that is all. We deny comment posting through db_input.php. Comments can only be posted using the db_input2.php file which came with this mod.


Apply it, and I hope that stops the comments being posted by spam bots using the db_input.php file.

pinpoint222

BRAVO! I was right.

Just tested my concept using JohnM-UK's site and my site, and I was absolutely right.

The spam bots don't even have to come to the Coppermine gallery to post the spam comments. They simply POST the name value, comment value and PID value (picture id) to the full URL of db_input.php, and the comments are added.

For readers and users of this Mod: apply the MOD from the zipped folder and then add the new extra 3 lines to db_input.php too. That will prevent remote spam posting through db_input.php.

Joachim Müller

Quote from: pinpoint222 on November 11, 2006, 10:24:25 AM
The spam bots don't even have to come to the Coppermine gallery to post the spam comments. They simply POST the name value, comment value and PID value (picture id) to the full URL of db_input.php, and the comments are added.
Congrats - you just discovered how bots work ;).

If a significant number of users apply your mod, the bot scripts will be rewritten to reflect your change and you're back where you started.

A real protection would make it mandatory to visit the page that contains the form by coming up with a unique pattern (session hash comes to mind) there and an additional check on the page that receives the data (db_input.php) that checks for the unique id.

Everything else will just be a workaround (like the suggested change of the filename).
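As an added illustration of the session-hash check described in this reply (example code, not Coppermine's own code and not part of pinpoint222's mod), assuming session_start() has already run before it is used and PHP 7 or later is available; the helper names cpg_comment_token(), cpg_comment_form_fields() and cpg_check_comment_token() are hypothetical:

```php
<?php
// Added example: a per-session form token that must be fetched from the page
// holding the comment form and presented again on the page that stores the
// comment. Not Coppermine code; assumes session_start() already ran and PHP >= 7.

// Issue (or reuse) a token for this session when the comment form is built.
function cpg_comment_token()
{
    if (empty($_SESSION['comment_token'])) {
        // 16 random bytes from the CSPRNG, stored hex-encoded in the session
        $_SESSION['comment_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['comment_token'];
}

// Hidden field to place inside the $template_add_your_comment form in theme.php.
function cpg_comment_form_fields()
{
    return '<input type="hidden" name="comment_token" value="'
         . htmlspecialchars(cpg_comment_token(), ENT_QUOTES) . '">';
}

// Called at the top of db_input.php, before the comment is written to the database.
// Returns true only when the POST carries the token this session was given.
function cpg_check_comment_token(array $post)
{
    if (empty($_SESSION['comment_token']) || empty($post['comment_token'])) {
        return false;   // the form page was never visited in this session
    }
    // constant-time comparison; cast in case the field arrived as an array
    $ok = hash_equals($_SESSION['comment_token'], (string) $post['comment_token']);
    // Single-use: a fresh token is issued on the next form view, so a replayed
    // POST (or an accidental double submit) is rejected.
    unset($_SESSION['comment_token']);
    return $ok;
}

// In db_input.php, directly after the require() lines:
// if (!cpg_check_comment_token($_POST)) {
//     header('Location: done.php');
//     die();
// }
```

Because the token lives in the server-side session, a client that posts straight to db_input.php without first loading the form page has nothing valid to send, whatever the script is named.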

pinpoint222

Thank you for the appreciation, GauGau.

As long as it works, no harm in using this simple Mod.

The next version of CPG (1.5x) will have a built-in one (I hope so), so when it comes people can switch to it very easily. Until that "real protection" comes there is nothing wrong in using this MOD.

JohnM-UK

Well I have now applied your latest code (in db_input) on my site. Let's hope it works..

pinpoint222

Yes, you have applied the code properly. I tried to post a comment to your gallery remotely but now I cannot, so it is working so far.

I hope this zipped MOD + 3 new lines in db_input.php will prevent the total spam.

Give feedback here after 2-3 days.
Peace :)

pinpoint222

Version 1.0 of this MOD/Hack has been added to the starting post of this thread on page 1 (dated Nov. 11, 2006).

1-- All instructions and files required are in that zipped folder.
2-- All future versions shall be added to the first/starting post now to prevent duplicates and confusion.



h4nh4n

Thanks for this mod, I have successfully installed it on my cpg :)

I have no idea where the spambot came from :confused: as I got 1000 spam in just 5 hours, but with this mod hopefully there's no spam anymore!
Artis Indonesia - Albums of Indonesian Actresses
Johan Ng - Personal Website

pinpoint222

Mod version 1.0 is attached to the first post of this thread.

By default db_input.php is open to spam in CPG; known issue. So protection is provided to db_input.php and db_input2.php in this mod.

Instead of the 6B38 code you can also use your own image with the code written on it. That is optional.

manne

Hello pinpoint222,

Good work. Is there a way to get random images with the confirm code,
so it doesn't use the same code every time?

Regards,
manne
/manne