Feedback wanted on site with PHP exercises

  • tom pester

    Feedback wanted on site with PHP exercises

    Hi guys,

    I made a site that you all can criticize (you have carte blanche :))

    http://thereference.webhop.org

    I do appreciate positive feedback though.

    Cheers,
    Tom Pester


  • tom pester

    #2
    Re: Feedback wanted on site with PHP exercises


    Thx for the tip on securing the mail page sample. I don't have your email
    so I'll do it here :)

    Cheers,
    Tom Pester

    > Hi guys,
    >
    > I made a site that you all can criticize (you have carte blanche :))
    >
    > http://thereference.webhop.org
    >
    > I do appreciate positive feedback though.
    >
    > Cheers,
    > Tom Pester



    • Philip Ronan

      #3
      Re: Feedback wanted on site with PHP exercises

      "tom pester" wrote:

      > Thx for the tip on securing the mail page sample. I don't have your email
      > so I'll do it here :)

      It's still insecure, Tom.

      There's nothing stopping me writing my own form with the "humanSum" and
      "sum" fields set to the same value.

      In fact I don't even need a form. All I have to do is send a request to this
      URL:
      <http://[your domain]/mailPage.php?email=spam.me@example.com&url=http:%2F%2Fviagraspam.com&humanSum=0&sendmail=Send+email&sum=0>.
      I can do that hundreds of times a second with different email addresses.

      I really think you should take this page down until you know what you're
      doing.

      --
      phil [dot] ronan @ virgin [dot] net
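The flaw Philip describes is that the expected answer travels with the request: the page hands the client a "sum" field and then compares "humanSum" against it, so the client controls both sides of the comparison and a bare GET is enough. The PHP below is an added example, not the thread's MailPage.php or any of Tom's code: it shows that vulnerable comparison next to a hardened version in which the server picks the operands, keeps the answer and a one-time token only in the session, accepts the answer once and only on POST, expires stale challenges and counts misses per session. The field names humanSum, sum, humanGuid, email, url and sendmail are the ones that appear in the thread; the session keys, the limits and the send_mail() helper are assumptions. One caveat a practitioner should keep in mind, and the one Philip raises further down the thread: the operands are still plain text in the HTML, so a script that fetches the page with a cookie jar, adds the numbers and posts the answer on the same session gets through. What this version does stop is the zero-cost GET and the client supplying its own expected answer.

```php
<?php
// Added example, not the thread's MailPage.php. The field names humanSum, sum,
// humanGuid, email, url and sendmail come from the thread; the session keys,
// the limits and the send_mail() helper are assumptions made here.
session_start();

// Vulnerable pattern as the thread describes it: the expected answer ("sum")
// is handed to the client and compared with what comes back, so
// humanSum=0&sum=0 passes, and a bare GET is enough to trigger the mail.
function vulnerable_check(array $req): bool
{
    return isset($req['humanSum'], $req['sum'])
        && (int) $req['humanSum'] === (int) $req['sum'];
}

const CAPTCHA_TTL      = 300; // seconds a challenge stays valid (assumed value)
const CAPTCHA_MAX_FAIL = 5;   // wrong answers tolerated per session (assumed value)

// Hardened pattern: operands chosen server-side, the answer and a one-time
// token kept only in the session, one attempt per challenge, POST only.
function issue_challenge(): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $_SESSION['captcha'] = [
        'answer' => $a + $b,
        'token'  => bin2hex(random_bytes(16)),
        'issued' => time(),
    ];
    $_SESSION['captcha_failures'] ??= 0;
    // Only the operands and the token go to the client, never the answer.
    return sprintf(
        '<form method="post">How much is %d + %d ? <input name="humanSum">'
        . '<input type="hidden" name="humanGuid" value="%s">'
        . ' email: <input name="email"> url: <input name="url">'
        . ' <input type="submit" name="sendmail" value="Send email"></form>',
        $a, $b, $_SESSION['captcha']['token']
    );
}

function hardened_check(array $post, string $method): bool
{
    if ($method !== 'POST' || !isset($_SESSION['captcha'])) {
        return false;
    }
    $c = $_SESSION['captcha'];
    unset($_SESSION['captcha']);   // one attempt per challenge, so a captured
                                   // humanGuid/humanSum pair cannot be replayed

    if (($_SESSION['captcha_failures'] ?? 0) >= CAPTCHA_MAX_FAIL
        || time() - $c['issued'] > CAPTCHA_TTL) {
        return false;
    }
    $ok = isset($post['humanSum'], $post['humanGuid'])
        && hash_equals($c['token'], (string) $post['humanGuid'])
        && ctype_digit((string) $post['humanSum'])
        && (int) $post['humanSum'] === $c['answer'];
    if (!$ok) {
        $_SESSION['captcha_failures'] = ($_SESSION['captcha_failures'] ?? 0) + 1;
    }
    return $ok;
}

// Assumed stand-in for the page's mail step: refuse anything that is not a
// single well-formed address before it gets anywhere near mail().
function send_mail(string $to, string $url): bool
{
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return mail($to, 'Someone sent you a page', "Have a look at: $url");
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if ($method === 'POST'
    && hardened_check($_POST, $method)
    && send_mail((string) ($_POST['email'] ?? ''), (string) ($_POST['url'] ?? ''))) {
    echo 'Sent.';
} else {
    if ($method === 'POST') {
        echo 'Wrong answer, stale form or bad address. Try again.';
    }
    echo issue_challenge();
}
```

The comparison uses hash_equals() for the token and a strict integer check for the answer, and the challenge is removed from the session before it is checked, so a wrong guess costs the attacker a fresh GET rather than letting them retry the same token. Drop this file in place of a form handler and the GET-based request from the post above returns the challenge instead of sending mail.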




      • tom pester

        #4
        Re: Feedback wanted on site with PHP exercises

        Hi phil,

        How would you secure this page?

        Cheers,
        Tom Pester

        > "tom pester" wrote:
        >
        >> Thx for the tip on securing the mail page sample. I don't have your
        >> email so I'll do it here :)
        >>
        > It's still insecure, Tom.
        >
        > There's nothing stopping me writing my own form with the "humanSum"
        > and "sum" fields set to the same value.
        >
        > In fact I don't even need a form. All I have to do is send a request
        > to this URL:
        > <http://[your domain]/mailPage.php?email=spam.me@example.com&url=http:%2F%2Fviagraspam.com&humanSum=0&sendmail=Send+email&sum=0>.
        > I can do that hundreds of times a second with different email addresses.
        >
        > I really think you should take this page down until you know what
        > you're doing.
        >



        • Philip Ronan

          #5
          Re: Feedback wanted on site with PHP exercises

          "tom pester" wrote:

          > Hi phil,
          >
          > How would you secure this page?
          >
          > Cheers,
          > Tom Pester

          By taking it offline!

          Turing numbers would help, but if you publish your source code you'll still
          make things relatively easy for the spammers:

          <http://www.google.com/search?q=%22turing+numbers%22>

          --
          phil [dot] ronan @ virgin [dot] net




          • tom pester

            #6
            Re: Feedback wanted on site with PHP exercises

            > Turing numbers would help

            I know about these but I kept it simple and performed another (inadequate)
            Turing test.
            Computers can add as well as the best of us, and it won't be long till they
            can read those images too (if they can't already).

            > but if you publish your source code you'll
            > still make things relatively easy for the spammers:

            I made the decision to publish the source code so I would write more secure
            code.
            I think secure code that solely relies on obfuscation is not good enough.
            Code is really secure if a hacker can't break it even if he knows how it's
            implemented.

            I rewrote the addition test with a session and a measure to avoid replay
            attacks.
            Can you think of another way to circumvent the test other than to parse the
            file and let a computer do the addition?



            • Philip Ronan

              #7
              Re: Feedback wanted on site with PHP exercises

              "tom pester" wrote:

              >> Turing numbers would help
              >
              > I know about these but I kept it simple and performed another (inadequate)
              > Turing test.
              > Computers can add as well as the best of us, and it won't be long till they
              > can read those images too (if they can't already).

              Not true. Optical character recognition works fine in cases where the
              position, size and colour of the characters is approximately known. But
              unusual character styles (e.g. <http://www.adsmalta.com/?reason=recover>)
              and/or random noise and deformation applied to the image (e.g.
              <http://blast4dollars.com/list.php>) make things far more difficult.

              On the other hand, extracting two numbers from the HTML source of a web page
              and adding them together is ridiculously easy. A combination of
              file_get_contents() and simple string matching is all you need.

              >> but if you publish your source code you'll
              >> still make things relatively easy for the spammers:
              >
              > I made the decision to publish the source code so I would write more secure
              > code.
              > I think secure code that solely relies on obfuscation is not good enough.
              > Code is really secure if a hacker can't break it even if he knows how it's
              > implemented.

              Well I suggest you start by learning how to write secure code before you
              publish all this stuff. You're really asking for trouble.

              > I rewrote the addition test with a session and a measure to avoid replay
              > attacks.

              A futile effort, unfortunately.

              > Can you think of another way to circumvent the test other than to parse the
              > file and let a computer do the addition?

              Do I need to think of another way? It would take me 5 minutes to write a
              script to crack your "security". In another 5 minutes I could have sent
              hundreds of emails from your site.

              Take the page down before it's too late.

              --
              phil [dot] ronan @ virgin [dot] net




              • tom pester

                #8
                Re: Feedback wanted on site with PHP exercises

                Hi Phil,

                > On the other hand, extracting two numbers from the HTML source of a
                > web page and adding them together is ridiculously easy. A combination
                > of file_get_contents() and simple string matching is all you need.

                My point is that there is no real difference between the Turing numbers and
                the addition other than Turing numbers are more difficult to read (for now).

                > Well I suggest you start by learning how to write secure code before
                > you publish all this stuff. You're really asking for trouble.

                I don't think the script will get abused easily.
                I'll monitor the script and see if it gets abused though.

                >> Can you think of another way to circumvent the test other than to
                >> parse the file and let a computer do the addition?
                > Do I need to think of another way? It would take me 5 minutes to write
                > a script to crack your "security". In another 5 minutes I could have
                > sent hundreds of emails from your site.

                Can you take these 5 minutes to come up with a script that cracks the security
                without parsing the numbers and doing the addition?
                Thx for your time!
                Thx for your time!

                Cheers,
                Tom Pester



                • tom pester

                  #9
                  Re: Feedback wanted on site with PHP exercises

                  Hi Phil,

                  I am displaying the source and even php.ini to make my coding style better.
                  It's hosted on one of my home PCs with no sensitive data, so if you can
                  crack it go ahead.

                  Do you know of any possible attacks that a hacker could launch after seeing
                  the output of phpinfo()?

                  Cheers,
                  Tom Pester

                  > "tom pester" wrote:
                  >
                  >>> Turing numbers would help
                  >>>
                  >> I know about these but I kept it simple and performed another
                  >> (inadequate) Turing test.
                  >> Computers can add as well as the best of us, and it won't be long till
                  >> they can read those images too (if they can't already).
                  > Not true. Optical character recognition works fine in cases where the
                  > position, size and colour of the characters is approximately known.
                  > But unusual character styles (e.g.
                  > <http://www.adsmalta.com/?reason=recover>) and/or random noise and
                  > deformation applied to the image (e.g.
                  > <http://blast4dollars.com/list.php>) make things far more difficult.
                  >
                  > On the other hand, extracting two numbers from the HTML source of a
                  > web page and adding them together is ridiculously easy. A combination
                  > of file_get_contents() and simple string matching is all you need.
                  >
                  >>> but if you publish your source code you'll
                  >>> still make things relatively easy for the spammers:
                  >> I made the decision to publish the source code so I would write more
                  >> secure code.
                  >> I think secure code that solely relies on obfuscation is not good
                  >> enough.
                  >> Code is really secure if a hacker can't break it even if he knows how
                  >> it's implemented.
                  > Well I suggest you start by learning how to write secure code before
                  > you publish all this stuff. You're really asking for trouble.
                  >
                  >> I rewrote the addition test with a session and a measure to avoid
                  >> replay attacks.
                  >>
                  > A futile effort, unfortunately.
                  >
                  >> Can you think of another way to circumvent the test other than to
                  >> parse the file and let a computer do the addition?
                  >>
                  > Do I need to think of another way? It would take me 5 minutes to write
                  > a script to crack your "security". In another 5 minutes I could have
                  > sent hundreds of emails from your site.
                  >
                  > Take the page down before it's too late.
                  >



                  • Philip Ronan

                    #10
                    Re: Feedback wanted on site with PHP exercises

                    "tom pester" wrote:

                    > Hi Phil,
                    >
                    >> On the other hand, extracting two numbers from the HTML source of a
                    >> web page and adding them together is ridiculously easy. A combination
                    >> of file_get_contents() and simple string matching is all you need.
                    >
                    > My point is that there is no real difference between the Turing numbers and
                    > the addition other than Turing numbers are more difficult to read (for now).

                    This took 2 minutes to write:

                    ==========================================================
                    <?php
                    // Fetch the page, then pull out the two operands of the addition test
                    // and the hidden humanGuid session field in one regex pass.
                    $s = file_get_contents("http://thereference.dyndns.org:30000/MailPage.php");
                    // Single-quoted so the embedded double quotes survive; /s lets .*? cross
                    // the line breaks between the question and the hidden field.
                    $re = '/much is ([0-9]+) \+ ([0-9]+).*?humanGuid"\s+value="([^"]+)"/s';
                    if (preg_match($re, $s, $m)) {
                        echo 'Access code = ' . (1*$m[1] + 1*$m[2]) . "\r\n";
                        echo 'Session ID = ' . $m[3];
                    } else {
                        echo "Couldn't find numbers";
                    }
                    ==========================================================

                    Now I have the answer to your addition sum, and the session ID from your
                    "hidden" field. That wasn't difficult, was it?

                    Turing numbers are nowhere near as vulnerable. Implemented properly, they
                    are impossible for computers to read successfully without a lot of hard work
                    targeted at each specific implementation.

                    --
                    phil [dot] ronan @ virgin [dot] net




                    • tom pester

                      #11
                      Re: Feedback wanted on site with PHP exercises

                      Hi Phil,

                      > Now I have the answer to your addition sum, and the session ID from
                      > your "hidden" field. That wasn't difficult, was it?

                      > Turing numbers are nowhere near as vulnerable. Implemented properly,
                      > they are impossible for computers to read successfully without a lot
                      > of hard work targeted at each specific implementation.

                      I asked for another way but thx for the script anyway...
                      I know it's easy to parse the numbers but can you think of another way to
                      abuse that page?

                      Again, my point is that Turing numbers are a good solution _now_ and I will
                      use them in a commercial site.
                      But it's only a matter of time before computers can read Turing numbers as
                      easily as they do addition now.

                      And this page isn't easily exploitable by a bot either. The spammer's bots
                      won't find this page automatically and if he stumbles upon it he has to do
                      some custom coding. I think he will go and look for an easier alternative
                      (of which there are plenty).

                      There are other alternatives that are cost based in which the difficulty
                      of parsing a test outweighs the profit a spammer makes.
                      I remember reading a good article in Scientific American about it.

                      Anyway, this is an exercise of mine in making it as secure as possible with
                      the known limitation that simple parsing circumvents it if the spammer
                      takes the trouble (which he won't ;)
                      Can you look at my question this way and see if there is a flaw in it?
                      Can you look at my question this way and see if there is a flaw in it?


                      • Tim Van Wassenhove

                        #12
                        Re: Feedback wanted on site with PHP exercises

                        On 2005-09-07, Philip Ronan <invalid@invalid.invalid> wrote:
                        > "tom pester" wrote:
                        >
                        >> Hi Phil,
                        >>
                        >>> On the other hand, extracting two numbers from the HTML source of a
                        >>> web page and adding them together is ridiculously easy. A combination
                        >>> of file_get_contents() and simple string matching is all you need.
                        >>
                        >> My point is that there is no real difference between the Turing numbers and
                        >> the addition other than Turing numbers are more difficult to read (for now).
                        >
                        > This took 2 minutes to write:
                        >
                        > ==========================================================
                        > $s = file_get_contents("http://thereference.dyndns.org:30000/MailPage.php");
                        > $re = '/much is ([0-9]+) \+ ([0-9]+).*?humanGuid"\s+value="([^"]+)"/s';
                        > if (preg_match($re, $s, $m)) {
                        >     echo 'Access code = ' . (1*$m[1] + 1*$m[2]) . "\r\n";
                        >     echo 'Session ID = ' . $m[3];
                        > } else echo "Couldn't find numbers";
                        > ==========================================================
                        >
                        > Now I have the answer to your addition sum, and the session ID from your
                        > "hidden" field. That wasn't difficult, was it?

                        With the SimpleTest browser you only need to change those fields that
                        you are interested in ;) (No need to keep track of hidden stuff..)

                        <?php

                        // Show every error while experimenting.
                        ini_set('error_reporting', E_ALL);
                        ini_set('display_errors', TRUE);
                        require_once('simpletest/browser.php');

                        // SimpleBrowser keeps cookies and the form's hidden fields between
                        // requests, so the session and the humanGuid token are carried along.
                        $ua = new SimpleBrowser();
                        $ua->get('http://thereference.dyndns.org:30000/MailPage.php');
                        $content = $ua->getContentAsText();
                        preg_match('#How much is (\d+) \+ (\d+) \?#', $content, $matches);
                        $ua->setField('humanSum', $matches[0][1] + $matches[0][2]);
                        $ua->setField('email', 'pester.1.timvw@spamgourmet.com');
                        $ua->setField('url', 'here we go...');
                        $ua->clickSubmit('Send email');

                        ?>



                        --
                        Kind regards,
                        Tim Van Wassenhove <http://timvw.madoka.be>


                        • tom pester

                          #13
                          Re: Feedback wanted on site with PHP exercises

                          Hello Tim,

                          Kind regards from Antwerp :)

                          Thanks for sharing that code. That class seems very powerful (more info at
                          SourceForge: http://sourceforge.net/projects/simpletest/).

                          I had to change

                          > preg_match('#How much is (\d+) \+ (\d+) \?#', $content, $matches);
                          > $ua->setField('humanSum', $matches[0][1] + $matches[0][2]);

                          to

                          preg_match_all('/How much is (\d+) \+ (\d+)/', $content, $matches);
                          $ua->setField('humanSum', $matches[1][0] + $matches[2][0]);

                          Could you tell me why your code is a bit different? Is it because I develop
                          on a Windows system?

                          I also would like to subscribe to your blog but it errors currently.

                          Greetings,
                          Tom Pester


                          > On 2005-09-07, Philip Ronan <invalid@invalid.invalid> wrote:
                          >
                          >> "tom pester" wrote:
                          >>
                          >>> Hi Phil,
                          >>>
                          >>>> On the other hand, extracting two numbers from the HTML source of a
                          >>>> web page and adding them together is ridiculously easy. A
                          >>>> combination of file_get_contents() and simple string matching is
                          >>>> all you need.
                          >>>>
                          >>> My point is that there is no real difference between the Turing
                          >>> numbers and the addition other than Turing numbers are more difficult
                          >>> to read (for now).
                          >>>
                          >> This took 2 minutes to write:
                          >>
                          >> ==========================================================
                          >> $s = file_get_contents("http://thereference.dyndns.org:30000/MailPage.php");
                          >> $re = '/much is ([0-9]+) \+ ([0-9]+).*?humanGuid"\s+value="([^"]+)"/s';
                          >> if (preg_match($re, $s, $m)) {
                          >>     echo 'Access code = ' . (1*$m[1] + 1*$m[2]) . "\r\n";
                          >>     echo 'Session ID = ' . $m[3];
                          >> } else echo "Couldn't find numbers";
                          >> ==========================================================
                          >> Now I have the answer to your addition sum, and the session ID from
                          >> your "hidden" field. That wasn't difficult, was it?
                          >>
                          > With the SimpleTest browser you only need to change those fields that
                          > you are interested in ;) (No need to keep track of hidden stuff..)
                          >
                          > <?php
                          >
                          > ini_set('error_reporting', E_ALL);
                          > ini_set('display_errors', TRUE);
                          > require_once('simpletest/browser.php');
                          > $ua = new SimpleBrowser();
                          > $ua->get('http://thereference.dyndns.org:30000/MailPage.php');
                          > $content = $ua->getContentAsText();
                          > preg_match('#How much is (\d+) \+ (\d+) \?#', $content, $matches);
                          > $ua->setField('humanSum', $matches[0][1] + $matches[0][2]);
                          > $ua->setField('email', 'pester.1.timvw@spamgourmet.com');
                          > $ua->setField('url', 'here we go...');
                          > $ua->clickSubmit('Send email');
                          > ?>
                          >


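The difference Tom asks about has nothing to do with Windows. preg_match() fills $matches as a flat array: $matches[0] is the whole matched string and $matches[1], $matches[2] are the capture groups, so $matches[0][1] is the second character of the match, not an operand. preg_match_all() nests the result as $matches[group][n] by default (PREG_PATTERN_ORDER), which is why $matches[1][0] + $matches[2][0] works; passing PREG_SET_ORDER flips it to $matches[n][group], the shape the original indexing assumed. The block below is an added example, not code from the thread; $page is a constructed stand-in for the text of MailPage.php, using the question wording and the humanGuid field the thread's scripts look for.

```php
<?php
// Added example, not from the thread. $page is a constructed stand-in for the
// text of MailPage.php; the question wording and the humanGuid field match
// what the scripts in the thread look for.
$page = "Please prove you are human.\n"
      . "How much is 7 + 5 ?\n"
      . "<input type=\"hidden\" name=\"humanGuid\" value=\"deadbeef\">\n";

// preg_match(): flat array. $m[0] is the whole match, $m[1] and $m[2] the groups.
function sum_with_preg_match(string $text): ?int
{
    if (preg_match('/How much is (\d+) \+ (\d+) \?/', $text, $m) !== 1) {
        return null;
    }
    return (int) $m[1] + (int) $m[2];
}

// preg_match_all() with the default PREG_PATTERN_ORDER: $m[group][n], so the
// first match's operands are $m[1][0] and $m[2][0].
function sum_with_pattern_order(string $text): ?int
{
    if (!preg_match_all('/How much is (\d+) \+ (\d+)/', $text, $m)) {
        return null;
    }
    return (int) $m[1][0] + (int) $m[2][0];
}

// preg_match_all() with PREG_SET_ORDER: $m[n][group], the shape that
// $matches[0][1] + $matches[0][2] assumes.
function sum_with_set_order(string $text): ?int
{
    if (!preg_match_all('/How much is (\d+) \+ (\d+)/', $text, $m, PREG_SET_ORDER)) {
        return null;
    }
    return (int) $m[0][1] + (int) $m[0][2];
}

// What $matches[0][1] really is after preg_match(): one character of the
// matched string, which is why that indexing cannot work on any OS.
function what_preg_match_index_gives(string $text): string
{
    preg_match('/How much is (\d+) \+ (\d+) \?/', $text, $m);
    return $m[0][1];
}

var_dump(sum_with_preg_match($page));
var_dump(sum_with_pattern_order($page));
var_dump(sum_with_set_order($page));
var_dump(what_preg_match_index_gives($page));
```

All three sum functions return the same value for the constructed page; the last function returns the letter "o" from "How", which is what the original $matches[0][1] was adding. Whichever form you pick, check the return value of preg_match()/preg_match_all() before indexing, since a page that has changed its wording otherwise turns into undefined-index warnings rather than a clear failure.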