Re: Reading remote Session ID




Look Brian, as has been said, don't be afraid to provide the link, so
we can actually tell you what you have done wrong; after all, your link is
public already. You will have peace of mind after you fix it - if
indeed anything is wrong!

You should know, though, that sessions don't provide protection; the ID is
sent to the user-agent to be sent straight back, that's it!

If you think you are being targeted by a human, there's little you can
do, as they can solve Captchas. If you think it is automatic then you
have either done something wrong - named the image by the random text
it contains, or have the image src="image.php?random=Rt8d", both of
which I have seen in the wild - or perhaps you have attracted a
professional: someone whose script finds the captcha URL and grabs
the image, sending it off to one of his/her sites which is heavily
used; the captcha is then presented to a real life person on /that/
site and the answer sent back through to your site - harder.

Perhaps you can just make it harder for the script by
(there are accessibility problems with the following):
* randomising the names of the input fields, and the image URL
* time the solving time.
* have the posts build up (if you are getting loads of them); dump
collections of them based on IP and other data collected (see below), or
have them emailed to you first, with a validation link at the top,
then have the emails go through a Bayesian antispam filter like
SpamAssassin or SpamPal, which learns adaptively, so you only get to
see stuff considered OK.
* have the image dynamically inserted into the DOM using a separate
XHR call
* require that the IP that makes the request for the page be the same
that makes the request for the image
* require that the page must be part of a "flow", that is, don't allow
posts from someone who requests the HTML and no CSS/script/images;
track their requests to ensure the browser they claim to be using
matches the requests made. This is like using Referer but is not so
easily spoofed, as each page takes a "breadcrumb" and stores it to
track the user; award points to users who continue on round your site,
or come from somewhere within. Using a session is nice here.
* in a similar way, require JavaScript to ask questions of the
capability of the user; if it's a script the JS will fail, so require
JS if you need to. If they are automating Firefox, download some automation
tools like Chickenfoot/Solvent etc. and see what it takes to fuzz
their script. Have a fake input hidden above the real one etc...?
* require validation of an email address, preventing mytrashmail
etc.
* prevent the script from accepting posts at certain times.
* google for the latest techniques in revealing the true IP; often script
kiddies use Tor/Privoxy, which by itself isn't enough. Ask the user-agent
what time it has, screen resolution; use Google Analytics for this,
etc.
* try to tag your user with persistent data objects (e.g. Flash),
cookies.
* download a list of known proxies at start of play, and check the
poster's IP (including those associated with Tor).

There are loads more of course, but I think you are now thinking - man,
it's not worth it, I'll just delete them. So write a routine that
gathers info on the poster, and store it in the DB table or wherever
and use that in a WHERE clause; you will find they come from a
selection of IPs which repeat, so store them.

Finally, have some fun: if you suspect it's an autobrowser, send a
bunch of CPU-chewing code to gobble up their memory using JavaScript,
or maybe if you get a request from a known proxy send it

I get this kind of spam from one of my sites; they have similarities,
so get killed. I find it amusing how persistent, relentless and futile
it all is. I haven't taken any of the above steps to prevent it, just
to see if it will ever stop of its own accord!
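The points made above about the session only round-tripping an ID, about image URLs that carry the answer, about timing the solve and about matching the image-request IP to the poster, as an added example that is not part of either post: a challenge whose answer stays on the server, is bound to the requesting address, expires, and can be checked exactly once. It is written against a plain array in place of $_SESSION, with made-up IPs and timestamps, so it runs from the command line; in a page you would pass $_SESSION, $_SERVER['REMOTE_ADDR'] and time().

```php
<?php
// Added example (not code from either poster): a CAPTCHA challenge whose answer
// never leaves the server, is bound to the requesting IP, expires, and is valid
// for exactly one verification attempt. $session stands in for $_SESSION and the
// IPs/timestamps used at the bottom are invented for the demonstration.

const CAPTCHA_ALPHABET    = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I lookalikes
const CAPTCHA_MIN_SECONDS = 2;    // quicker than a person can read and type
const CAPTCHA_MAX_SECONDS = 300;  // stale challenges are refused

/**
 * Issue a challenge. Only a hash of the answer plus issue metadata is kept in
 * the session; the caller draws $answer into an image and discards it. The
 * image URL carries nothing (contrast src="image.php?random=Rt8d", which hands
 * the answer to any script that reads the HTML).
 */
function captcha_issue(array &$session, string $ip, int $now, int $length = 6): string
{
    $alphabet = CAPTCHA_ALPHABET;
    $answer = '';
    for ($i = 0; $i < $length; $i++) {
        $answer .= $alphabet[random_int(0, strlen($alphabet) - 1)]; // CSPRNG, not rand()
    }
    $session['captcha'] = [
        'hash'   => hash('sha256', $answer),
        'ip'     => $ip,
        'issued' => $now,
    ];
    return $answer;
}

/**
 * Check a submitted answer. The challenge is removed before anything else, so
 * a solved CAPTCHA cannot be replayed and a wrong guess cannot be retried
 * against the same image. Returns 'ok' or a short rejection reason.
 */
function captcha_verify(array &$session, string $submitted, string $ip, int $now): string
{
    $c = $session['captcha'] ?? null;
    unset($session['captcha']);                   // single use, even on failure
    if ($c === null) {
        return 'no-challenge';                    // posted without ever fetching the image
    }
    if ($c['ip'] !== $ip) {
        return 'ip-mismatch';                     // image fetched from one address, form posted from another
    }
    $age = $now - $c['issued'];
    if ($age < CAPTCHA_MIN_SECONDS) {
        return 'too-fast';
    }
    if ($age > CAPTCHA_MAX_SECONDS) {
        return 'expired';
    }
    $given = hash('sha256', strtoupper(trim($submitted)));
    return hash_equals($c['hash'], $given) ? 'ok' : 'wrong';  // constant-time compare
}

// Demonstration with a simulated session, clock and addresses.
$session = [];
$answer = captcha_issue($session, '203.0.113.5', 1000);
echo captcha_verify($session, $answer, '203.0.113.5', 1000), "\n";              // too-fast
$answer = captcha_issue($session, '203.0.113.5', 1000);
echo captcha_verify($session, $answer, '198.51.100.9', 1010), "\n";             // ip-mismatch
$answer = captcha_issue($session, '203.0.113.5', 1000);
echo captcha_verify($session, strtolower($answer), '203.0.113.5', 1010), "\n"; // ok (case-insensitive)
echo captcha_verify($session, $answer, '203.0.113.5', 1011), "\n";              // no-challenge: already consumed
```

Consuming the challenge before any comparison is the part that matters most: a script that fetches the image once and then posts repeatedly, or that pastes a solution obtained through a third-party site, gets one attempt per image fetch, and each fetch resets the clock that the minimum solve time is measured against.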


Hi Shimmy

Thanks for all your help, you were the only one that didn't seem to go
off on one. I didn't want to post up loads of code as I have been told
off for doing that before, but as it's been asked for please see below.

The random image thing, I don't know if there is an official name for it,
but I'm talking about sites that, when you go to fill in a form, ask you
to type in the number in the image; this image is a randomly generated
number.

Below I have put both blocks of code: one generates the random
image and sets the session ID, the other processes the form. What I
would like to know is how secure are they: can somebody hack it and
send out spam via my site?
Lastly, can they auto-submit to the process script via their own script, or
are the problems I am having being done by a human testing the script's
security?
I was under the impression that, because of the way the random image works, they
would have to be viewing the site in a browser to see the image to know what
to paste over?

Thanks

Brian


PS Steve, thanks for the English lesson, always very helpful to have
somebody take the piss out of my Dyslexia and underline the fact that I do have a
problem, it makes me feel great, thank you so much

MAKE IMAGE

<?php

session_start(); // must run before any output, including the image bytes

include_once("mailer_conf.php"); # Import all configuration files ($listAlpha, $numAlpha, $Numbgimages, image size/colours, $font)
$randAlpha = str_shuffle(substr(str_shuffle($listAlpha), 0, $numAlpha)); // characters to draw (rand()/str_shuffle() are not a CSPRNG)
$bgNum = rand(1, $Numbgimages);
$image = imagecreatetruecolor($image_width, $image_height);
$fullimage = null;
if ($UseBG == true) {
    $fullimage = imagecreatefromjpeg($BGPath . "/background$bgNum.jpg");
    imagecopyresized($image, $fullimage, 0, 0, 0, 0, $image_width,
        $image_height, $image_width, $image_height);
} else {
    $image_BGColour = imagecolorallocate($image, $BGColourR, $BGColourG, $BGColourB);
    imagefill($image, 0, 0, $image_BGColour);
}

$textColour = array();
$colours = array();
$charPos = 3;
$charSpacing = round($image_width / ($numAlpha + 1));
$colours[0] = imagecolorallocate($image, 255, 0, 0);   // Red
$colours[1] = imagecolorallocate($image, 0, 255, 0);   // Green (was 355, outside the 0-255 range)
$colours[2] = imagecolorallocate($image, 0, 0, 245);   // Blue
$colours[3] = imagecolorallocate($image, 255, 0, 255); // Magenta
$colours[4] = imagecolorallocate($image, 0, 0, 0);     // Black

for ($i = 0; $i < $numAlpha; $i++) {
    $cnum = rand(0, 4);
    $textColour[$i] = $colours[$cnum];
    // $randAlpha[$i]: the $str{$i} string-offset syntax was removed in PHP 8
    imagestring($image, $font, $charPos, rand(2, 11), $randAlpha[$i], $textColour[$i]);
    $charPos = $charPos + $charSpacing;
}

// Store only a hash of the answer; the process script compares against it
$_SESSION['image_random_value'] = md5($randAlpha);

header("Expires: Sat, 01 Jan 2000 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
header('Content-type: image/jpeg');

imagejpeg($image);
if ($fullimage !== null) {
    imagedestroy($fullimage); // only exists when a background image was loaded
}
imagedestroy($image);

unset($randAlpha, $bgNum, $image, $fullimage, $cnum, $colours);

?>



PROCESS SCRIPT

<?php

// Validate an email address: one @, length limits, then a syntax check.
// ereg() was removed in PHP 7; filter_var() replaces the hand-written regexes.
function checkaddaddress($email) {
    if (!preg_match('/^[^@]{1,64}@[^@]{1,255}$/', $email)) {
        return false; // wrong number of @ symbols, or a section too long
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

session_start();

include("mailer_conf.php"); # Import configuration files

$error_msg = '';
$missing_field = '';
$_POST['image_code'] = trim($_POST['image_code'] ?? '');

// check for header injection from _POST
$header_injections = array("Content-Type:", "MIME-Version:",
    "Content-Transfer-Encoding:", "bcc:", "cc:");
foreach ($_POST as $k => $v) {
    if (!is_string($v)) {
        continue; // array fields cannot be searched as strings
    }
    $v = strtolower($v);
    foreach ($header_injections as $v2) {
        // was strpos($_POST[$v], ...): $v is the value, not a key into $_POST
        if (strpos($v, strtolower($v2)) !== false) {
            $error_msg .= $header_injection_msg."<br>";
        }
    }
}
// Check posted code against the hash stored by the image script
if ($_POST['image_code'] == ""
    || !isset($_SESSION['image_random_value'])
    || !hash_equals($_SESSION['image_random_value'], md5($_POST['image_code']))) {
    $error_msg .= $incorrect_code_msg."<br>";
}
// Check email address (read from $_POST: $Email only exists after the extract below)
if (!checkaddaddress($_POST['Email'] ?? '')) {
    $error_msg .= $invalid_email_msg."<br>";
}
// check required fields
foreach ($required_fields as $r) {
    if (($_POST[$r] ?? '') == '') {
        $missing_field .= '<li>'.$r.'</li>';
    }
}
// make missing field error message
if ($missing_field <> '') {
    $error_msg .= $blank_field_msg."<br>The following fields are missing<br><ul>".$missing_field."</ul>";
}
// create set of VARs from $_POST: newlines converted for the HTML body and
// header names neutralised in one pass (the original second loop started
// again from the raw $v each time, so only the last replacement survived)
$clean = array();
foreach ($_POST as $k => $v) {
    if (!is_string($v)) {
        continue;
    }
    $v = str_replace("\n", "<br>", $v);
    $clean[$k] = str_ireplace($header_injections, "HEADER INJECTION", $v);
}
// EXTR_SKIP: a posted field may not overwrite a variable that already exists
// ($error_msg, $to_email, ...), which the earlier $$k = ... assignment allowed
extract($clean, EXTR_SKIP);
// make note of user's details
$timedate = date("G:i:s, D F j, Y");
$sender_info = "$timedate Sent from: " . $_SERVER['HTTP_HOST'] .
    " Remote IP: " . $_SERVER['REMOTE_ADDR'] . " Remote Host: " .
    ($_SERVER['REMOTE_HOST'] ?? '') . " PHP Auth User: " . ($_SERVER['PHP_AUTH_USER'] ?? '');

include("mailer_conf.php"); # Call again so the Email body picks up the posted values

if ($error_msg == '') {
    $to = strtolower("$to_name <$to_email>"); // no trailing newline in the To address
    $from = strtolower("From: $from_name <$from_email>");
    $headers = "MIME-Version: 1.0\n";
    $headers .= "Content-type: text/html; charset=iso-8859-1\n";
    $headers .= $from."\n";
    if ($cc_email <> '') {
        $headers .= strtolower("cc: $cc_name <$cc_email>\n");
    }

    mail($to, $form_subject, $email_body, $headers);
    echo $message_sent_msg;
} else {
    echo $error_msg;
}
// Drop the session so the same image code cannot be submitted twice
session_unset();
session_destroy();
?>
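An added example, not Brian's code, picking up the header-injection check in the process script above. The posted check looks for particular header names (bcc:, cc:, Content-Type: ...); what actually lets a poster add headers or a message body is a line break in a value that is concatenated into $headers, so the check below rejects CR/LF in any header-bound field and shows, on constructed payloads, what the name-based list misses. The function names and the sample addresses are invented for the example.

```php
<?php
// Added example (not Brian's code): mail-header injection stopped by rejecting line
// breaks in any value that goes into a header, instead of searching for a handful of
// header names. The payloads and addresses below are constructed for the demonstration.

/** True if $value could start a new header line or end the header block. */
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/** The name-based denylist in the style of the posted process script, for comparison. */
function denylist_hit(string $value): bool
{
    $names = array('content-type:', 'mime-version:', 'content-transfer-encoding:', 'bcc:', 'cc:');
    foreach ($names as $h) {
        if (strpos(strtolower($value), $h) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Build a From: header from form input. Returns null unless the name is a single
 * line and the address is a single, syntactically valid mailbox; the display
 * name is quoted and stripped of characters that could unbalance the quoting.
 */
function safe_from_header(string $name, string $email): ?string
{
    if (has_line_break($name) || has_line_break($email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $name = str_replace(array('"', '\\'), '', $name);
    return sprintf("From: \"%s\" <%s>\r\n", $name, $email);
}

// Each payload slips past the denylist yet would add headers, or end the
// header block and inject a body, if concatenated into $headers.
$payloads = array(
    "bob@example.com\r\nReply-To: attacker@example.net",  // header name not on the list
    "bob@example.com\nTo: victim@example.org",
    "bob@example.com\r\n\r\nBuy now!",                    // blank line: everything after is body
);
foreach ($payloads as $p) {
    printf("denylist=%s  linebreak=%s  from=%s\n",
        denylist_hit($p) ? 'hit' : 'miss',
        has_line_break($p) ? 'hit' : 'miss',
        safe_from_header('Bob', $p) === null ? 'rejected' : 'accepted');
}
// Ordinary input still gets through:
echo safe_from_header('Bob "The" Builder', 'bob@example.com');
```

Free-text fields (the message itself) never need this treatment because they belong in the body, not in $headers; the rule is simply that nothing from the form reaches a header unless it has been checked to be a single line.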




