www.webdeveloper.com

Thread: Form Security?

  1. #1
    Join Date
    Jan 2004
    Location
    Sarasota, FL
    Posts
    150

    Form Security?

    Is there such a thing?

    I just finished installing a form script TFmail from nms and got 6 spam forms this morning. I also just installed a new message board (Vanilla) for the very same reason. The old board was simply spammed to death. And suddenly the old form would not work for anybody ... but it DID work for me. ??? Both the old board and form were on my site for 4 years without any troubles.

    I am assuming this is not a planned personal attack. Or is it? Is there some way to find out WHO and WHY but most importantly ... how can I stop it?

  2. #2
    Join Date
    Aug 2004
    Posts
    140
    Did you "undo" the old form script? If the script is still on your server someone can possibly use it via URL such as:
    http://www.yourdomain.com/cgi-bin/fo...Spam+Spam+Spam

    Does TFmail have any way to block people from submitting the form without actually visiting your web page?

    You may also want to investigate installing some kind of CAPTCHA script, etc.

  3. #3
    Join Date
    Jan 2004
    Location
    Sarasota, FL
    Posts
    150
    Yes, I have deleted the old form script. The emails are definitely replies to the new script; they have the new heading I added. Yes, I thought about using a CAPTCHA on my old board but decided to go with a completely new one which requires approval/sign-in/password. I'll look into CAPTCHA for the form. You are assuming this is the work of robots?


    "Does TFmail have any way to block people from submitting the form without actually visiting your web page?"
    ??????????? Please clarify. Without who visiting the web page?

  4. #4
    Join Date
    Aug 2004
    Posts
    140
    Yep. More than likely you're getting spammed by someone's automated script. There are scripts that a hacker can run which will show what programs/scripts you are running or have installed and then plug & play the spam. You can try changing the name of your scripts when you originally install them and that may throw them off a bit. I use bnbform.cgi on some of my stuff, but I always change the name to form.cgi or bob.cgi to make it a little more obscure. Your cgi-bin directory should be set up so that people can't browse it or get a directory listing that shows everything located in it, but not all web servers are set up the same and there are some talented hackers out there.

    Some scripts are set up so that a visitor can only submit your form from the actual web page that the form is located on instead of using a program or script to send the data via URL as in my example above. The TFmail script has a section in it regarding Session IDs - I think you want to investigate that more - it's a way of giving your user a "token" that's only valid while they are on a particular page (or logged in for a particular time) and is no longer valid when they leave the page/session. If the session ID doesn't match what the script is expecting then it won't submit the form.
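    As an added illustration of the "token" idea in the reply above (this is example code written for this thread, not TFmail's or bnbform's own session-ID code), here is a minimal HMAC-signed, time-limited form token in Python. The server mints the token when it renders the page and places it in a hidden field; the submit handler checks it before doing anything else, so a request that never loaded the page has nothing valid to present. The secret, the form name "contact" and the 15-minute lifetime are assumptions for the demo.

```python
# Added example, not TFmail's or bnbform's own code: an HMAC-signed, time-limited
# "form token" as described in post #4. Minted when the page is rendered, carried
# in a hidden field, and verified on POST before any mail is sent.
import hashlib
import hmac
import time

SECRET = b"constructed-server-secret-change-me"  # assumption: kept server-side only
MAX_AGE_SECONDS = 15 * 60  # form must be submitted within 15 minutes of loading


def _sign(message, secret=SECRET):
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


def mint_token(form_name, issued_at=None):
    """Value for <input type="hidden" name="token">: form:timestamp:signature."""
    ts = int(time.time()) if issued_at is None else int(issued_at)
    body = "%s:%d" % (form_name, ts)
    return body + ":" + _sign(body)


def verify_token(token, form_name, now=None, max_age=MAX_AGE_SECONDS):
    """True only for a token this server minted for this form, recently."""
    now = int(time.time()) if now is None else int(now)
    try:
        name, ts_str, sig = token.split(":")
        ts = int(ts_str)
    except ValueError:
        return False  # missing, truncated or otherwise malformed
    if name != form_name:
        return False  # minted for a different form on the site
    if not hmac.compare_digest(sig.encode(), _sign("%s:%d" % (name, ts)).encode()):
        return False  # forged or tampered with
    if ts > now or now - ts > max_age:
        return False  # timestamp in the future, or page loaded too long ago
    return True


def handle_submission(fields, now=None):
    """Gate the mail-sending step on the token; returns a status string."""
    if not verify_token(fields.get("token", ""), "contact", now):
        return "rejected: no valid form token"
    # ... the real script would build and send the e-mail here ...
    return "accepted: mail from " + fields.get("email", "<none>")


if __name__ == "__main__":
    t0 = 1700000000
    tok = mint_token("contact", t0)
    print(handle_submission({"token": tok, "email": "a@example.com"}, t0 + 30))
    print(handle_submission({"email": "bot@example.com"}, t0 + 30))             # no token
    print(handle_submission({"token": tok, "email": "a@example.com"}, t0 + 3600))  # stale
```

    The token is bound to the form name and a timestamp, so a value copied from one form cannot be replayed against another or kept indefinitely; tying it to the visitor's session cookie as well (hash the session id into the signed body) makes it the per-user token the reply describes.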

  5. #5
    Join Date
    Jan 2004
    Location
    Sarasota, FL
    Posts
    150
    OK ... I get it. My old form was a bnb script (BigNoseBird heehee.) Anyway ... I'll investigate the Session ID aspect of TFmail and I'm currently writing a captcha test. It puts the form itself into a php file which resides in a password protected directory. I'll let you know ...

  6. #6
    Join Date
    Aug 2004
    Posts
    140
    I made a "faux" captcha for my bnbform by creating several captcha graphics that have number sequences such as: 45r6%K and Y6v8$4 which are randomly displayed every time the page loads and then in my script I have:
    if ($captcha =~ /45r6%K|Y6v8\$4/) {call email subroutine} else {invalid entry} - this is not a true turing test, but bob-the-robot isn't going to know there are only 10 combinations. If you do your graphics well enough (with enough white noise, etc.) then you'll defeat some of the OCR programs (but not all). There are lots of websites regarding this if you check out google and wiki.
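    Two details of that one-line check are worth showing in code (this is an added example for the thread, not the poster's bnbform script). First, in a Perl regex an unescaped "$4" is read as the fourth capture variable, so /45r6%K|Y6v8$4/ silently becomes /45r6%K|Y6v8/ and, being unanchored, passes anything containing "Y6v8"; Python's re has the same trap, where "$" is an end anchor and that alternative can never match. Escaping each code and matching the whole field fixes both. Second, accepting any of the N known codes no matter which image was shown lets a bot that has learned the set answer without looking at the image, so the expected code is bound to the image actually served through a signed challenge id. The image set, file names and secret below are constructed for the demo.

```python
# Added example, not the poster's bnbform script: fixed-set image captcha check
# with (a) the codes escaped and the whole field matched, and (b) the accepted
# answer bound to the specific image that was served.
import hashlib
import hmac
import random
import re
import secrets

CAPTCHA_IMAGES = {            # constructed: image file -> code drawn in it
    "captcha_0.png": "45r6%K",
    "captcha_1.png": "Y6v8$4",
    "captcha_2.png": "q9T#2m",
}
SECRET = b"constructed-server-secret"  # assumption: server-side only


def naive_pattern(codes):
    """Unescaped alternation as in the post; '$' is not a literal here."""
    return re.compile("|".join(codes))


def escaped_pattern(codes):
    """Each code escaped, so %, $ and # are matched literally."""
    return re.compile("|".join(re.escape(c) for c in codes))


def _tag(nonce, image):
    return hmac.new(SECRET, ("%s|%s" % (nonce, image)).encode(), hashlib.sha256).hexdigest()


def issue_challenge(rng=random):
    """Pick the image to show; return (image, challenge_id). The id is
    nonce:tag, committing to the image without revealing its code."""
    image = rng.choice(sorted(CAPTCHA_IMAGES))
    nonce = secrets.token_hex(8)
    return image, nonce + ":" + _tag(nonce, image)


def verify_answer(challenge_id, answer):
    """Accept only the code belonging to the image this challenge was issued for."""
    try:
        nonce, tag = challenge_id.split(":")
    except ValueError:
        return False  # malformed or missing challenge id
    for image, code in CAPTCHA_IMAGES.items():
        if hmac.compare_digest(tag.encode(), _tag(nonce, image).encode()):
            return hmac.compare_digest(answer.encode(), code.encode())
    return False  # tag matches no image: not issued by us, or tampered with


if __name__ == "__main__":
    codes = list(CAPTCHA_IMAGES.values())
    print(bool(naive_pattern(codes).fullmatch("Y6v8$4")))    # False: "$" acts as an anchor
    print(bool(escaped_pattern(codes).fullmatch("Y6v8$4")))  # True
    image, cid = issue_challenge()
    print(verify_answer(cid, CAPTCHA_IMAGES[image]))          # True: right code for this image
    print(verify_answer(cid, "45r6%K" if image != "captcha_0.png" else "q9T#2m"))  # False
```

    A production version would also record each nonce once it has been used so a solved challenge cannot be replayed, and would keep the image files from revealing their code through a predictable name.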

  7. #7
    Join Date
    Nov 2002
    Location
    Baltimore, Maryland
    Posts
    12,279
    And much written about how captchas cause much harm and little good. They make your site inaccessible to people with certain disabilities.
    “The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect.”
    —Tim Berners-Lee, W3C Director and inventor of the World Wide Web

  8. #8
    Join Date
    Jan 2004
    Location
    Sarasota, FL
    Posts
    150
    I made a "faux" captcha for my bnbform by creating several captcha graphics that have number sequences such as: 45r6%K and Y6v8$4 which are randomly displayed every time the page loads and then in my script I have:
    if ($captcha =~ /45r6%K|Y6v8\$4/) {call email subroutine} else {invalid entry} - this is not a true turing test, but bob-the-robot isn't going to know there are only 10 combinations. If you do your graphics well enough (with enough white noise, etc.) then you'll defeat some of the OCR programs (but not all). There are lots of websites regarding this if you check out google and wiki.


    Yes ... I see. I can do that. I was planning to change the graphic and code by hand. I had to pull my script out of the password protected directory since the applicants don't know the password ... what was I thinking? Anyway .. so far so good. No spam today and I was getting about 6/day. I'll read more about the subject. Thank you.

  9. #9
    Join Date
    Jan 2004
    Location
    Sarasota, FL
    Posts
    150
    No spam since I imposed the captcha. But another question .. actually two since you (Watts) seem familiar with TFmail.

    When the email form results are returned, there appears at the bottom: "submit.x:53" and "submit.y:12" ... the actual numbers are different each time. What is this? Where did it come from? Why needed? Can I eliminate?

    I would like to send a letter of welcome to the user via email as I did on the previous membership form. How to do it? Simply putting in some lines of sendmail code does not work ...TFmail is object oriented??? By the way, I hate perl.

    PS I have asked these same questions on the nms support page but no response.
    Last edited by PittsburghRed; 01-28-2007 at 02:38 PM.

  10. #10
    Join Date
    Aug 2004
    Posts
    140
    I've never used TFmail - I only looked at the source code since you had a question about it (sorry)...

    Try eliminating the submit.x and y part (comment it out with a # sign) and see if it still works. If not - add it back in.

    You should be able to add in a subroutine to send a welcome letter somewhere in the script. I don't see why it wouldn't work. I'll look at the source code later if you want - not sure I can help, but I'll try.

  11. #11
    Join Date
    Jan 2004
    Location
    Sarasota, FL
    Posts
    150
    Thanks Watts. I posted my prior two questions in a new thread ... "TFmail auto response..." because I didn't think anybody would find it here. Go see.

    I did put in some lines that sent a txt file of collected info from another script that I had working that collected input from a survey form. I actually wrote the script myself. Anyway... it didn't work in TFmail. Cannot quote error message precisely; will run it again and show you.

    Perl is not my favorite language. And TFmail is particularly cryptic. I was able to display my own "Thank You" and "Oops You Missed Required Fields"; I just replaced the templates that TFmail calls. But I could not find where or how it actually sends the email results.
