remote form submission with CPG?

Started by pinpoint222, November 10, 2006, 08:49:31 PM

pinpoint222

It is related to bot spam, and I have seen that happening a few times earlier with unprotected static PHP pages of my old site. I wonder if that can happen with CPG too.

The bots visit the page with a FORM placed in it and save the source code with the absolute URL of the FORM's "POST" action, then remotely fill in the form values and call that POST URL. So the form is filled remotely, but the POST is executed using the proper absolute URL.

1-- Is that something which is possible?
2-- If the form fields are filled remotely and then the db_input.php file is called using its absolute URL, will that form be processed in CPG?
3-- Which method is better to have against spam submission in FORMs: is POST better or GET better?


Nibbler

1) Yes, but that's not how the bots work.
2) Yes, Coppermine does not know the difference.
3) POST is better, but only slightly.

pinpoint222

So in what way can remote calling of db_input.php be blocked without making the visitor log in first?

Do you think this can work?

* -- Encrypting the URL of db_input.php (using JavaScript) so bots cannot find out the URL and store it for remote calling?

Nibbler

The bots already know it is called db_input.php, and they don't execute javascript in the first place.

pinpoint222

Hmm..

Considering this single image verification mod/hack (http://forum.coppermine-gallery.net/index.php?topic=36235.msg180856#msg180856),

which uses db_input2.php (a modified replica of db_input.php),

If I set it up such that

1-- While applying the mod/hack, the location of db_input2.php is calculated using JavaScript, so bots can't find its location.

2-- If the POST data contains comment parameters like name/comment/image code, THEN DO NOT execute db_input.php BUT only execute db_input2.php.

This way, even if db_input.php is called using its known absolute URL with POST data containing comment parameters like name/comment/image code, db_input.php will not be executed.

Do you think using this setup will prevent remote execution of db_input.php and keep the location of db_input2.php hidden using JavaScript (as bots can't read/execute JavaScript)?
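As an added example that is not part of this thread and is not Coppermine's code: a small Python model of the two points Nibbler makes above (a hand-built POST is byte-for-byte what a browser would send, so the server "does not know the difference", and a path hidden behind JavaScript is just another string the client sends) and of the kind of server-side check that does tell a form the server handed out from a saved copy: a one-time token minted when the form page is served, tied to the visitor's session, and spent on first use. The host name, the field names (pid, name, comment, form_token), the session cookie and all function names are hypothetical; nothing here touches the network, every request is constructed in-process.

```python
"""Toy model of a comment-form handler (added example, not Coppermine code).
Shows that a bot's direct POST is indistinguishable from a browser's, that
a 'hidden' action path or a POST-only rule changes nothing, and what a
server-issued one-time form token adds. Paths, fields and names are made up."""
import secrets
from urllib.parse import parse_qs, urlencode

HOST = "gallery.example"     # hypothetical host
ACTION = "/db_input.php"     # the path discussed in the thread
COMMENT_FIELDS = {"pid", "name", "comment"}   # hypothetical field names


def build_request(method, path, fields, cookie=None):
    """Serialise a request as a browser (or a bot) would put it on the wire.
    The server only ever sees these bytes; nothing in them says 'browser'."""
    query = urlencode(fields)
    body = b""
    if method == "GET":
        path = f"{path}?{query}"
    else:
        body = query.encode()
    headers = [f"Host: {HOST}"]
    if cookie:
        headers.append(f"Cookie: sid={cookie}")
    if body:
        headers += ["Content-Type: application/x-www-form-urlencoded",
                    f"Content-Length: {len(body)}"]
    head = f"{method} {path} HTTP/1.1\r\n" + "\r\n".join(headers) + "\r\n\r\n"
    return head.encode() + body


def parse_request(raw):
    """Minimal parser for the requests build_request produces."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    method, target, _ = lines[0].split(" ")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    path, _, query = target.partition("?")
    src = body.decode() if method == "POST" else query
    fields = {k: v[0] for k, v in parse_qs(src).items()}
    return method, path, headers, fields


def naive_handler(raw):
    """Models what the thread says db_input.php does: any POST carrying the
    comment fields is processed, whoever built it. Renaming ACTION to a
    path 'hidden' by JavaScript changes nothing: the decision still rests
    only on bytes the client chose to send."""
    method, path, headers, fields = parse_request(raw)
    if method != "POST" or path != ACTION or not COMMENT_FIELDS <= fields.keys():
        return "ignored"
    return "stored"


# Server-side state for the token check: session id -> unspent form tokens.
_sessions = {}


def serve_form(sid):
    """Serving the page with the form: mint a one-time token, remember it
    against the session, and embed it as a hidden field (returned here)."""
    token = secrets.token_hex(16)
    _sessions.setdefault(sid, set()).add(token)
    return token


def token_handler(raw):
    """db_input.php with a form-token check added."""
    method, path, headers, fields = parse_request(raw)
    if method != "POST" or path != ACTION:
        return "ignored"
    sid = headers.get("Cookie", "").removeprefix("sid=")
    token = fields.get("form_token")
    if not token or token not in _sessions.get(sid, set()):
        return "rejected: no live form token for this session"
    _sessions[sid].discard(token)   # single use: a saved copy cannot be replayed
    if not COMMENT_FIELDS <= fields.keys():
        return "ignored"
    return "stored"


def demo():
    """Constructed sample traffic; returns each handler's verdict."""
    spam = {"pid": "42", "name": "bot", "comment": "buy pills"}
    browser = build_request("POST", ACTION, spam)
    bot = build_request("POST", ACTION, spam)
    assert browser == bot              # identical on the wire
    results = {
        "naive_post": naive_handler(bot),
        "naive_get": naive_handler(build_request("GET", ACTION, spam)),
        "bot_direct": token_handler(bot),       # posts to the known URL, no token
    }
    sid = secrets.token_hex(8)
    fresh = dict(spam, form_token=serve_form(sid))
    good = build_request("POST", ACTION, fresh, cookie=sid)
    results["browser_fresh"] = token_handler(good)
    results["browser_replay"] = token_handler(good)   # same bytes sent again
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} -> {v}")
```

The caveat a practitioner would attach: a token like this stops a bot that saved a copy of the form and posts straight to the known db_input.php (or to a "hidden" db_input2.php once it has learned that path), and it stops replays of a captured submission. It does nothing against a bot that fetches the form page fresh before every post, and a crawler that runs JavaScript recovers an obfuscated URL exactly as a browser does, so the token complements, rather than replaces, the image verification discussed in the thread and basic rate limiting.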