11
Mamba
Re: Security module Profile
  • 2013/10/3 6:27

  • Mamba

  • Moderator

  • Posts: 11366

  • Since: 2004/4/23


Well, I am glad somebody did listen!
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

12
tatane
Re: Security module Profile
  • 2013/10/3 7:29

  • tatane

  • Just can't stay away

  • Posts: 649

  • Since: 2008/5/6 1


look at the picture below, you will see that only the administrator are allowed to view and edit these fields. So excuse me but this is a good a security problem.

Resized Image

13
tatane
Re: Security module Profile
  • 2013/10/3 7:51

  • tatane

  • Just can't stay away

  • Posts: 649

  • Since: 2008/5/6 1


Quote:

Cesag wrote:
This Method, recommended by Mamba here seems to work


Unfortunately all spammers are not referenced on this site. Besides now beautiful spammer use extension @outlook

14
redheadedrod
Re: Security module Profile

I will try to spend a little time this weekend and look at this and see what I can do. I am busy with other stuff but if I can figure out something quickly I will see if I can implement something.

It might be a quick hack until something more secure can be done. But I will look into it.


15
Mamba
Re: Security module Profile
  • 2013/10/3 12:58

  • Mamba

  • Moderator

  • Posts: 11366

  • Since: 2004/4/23


Tatane, can you try the 2-step registration, and let us know if this had an impact?
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

16
tatane
Re: Security module Profile
  • 2013/10/3 13:04

  • tatane

  • Just can't stay away

  • Posts: 649

  • Since: 2008/5/6 1


Quote:

Mamba wrote:
Tatane, can you try the 2-step registration, and let us know if this had an impact?


How so? I purposely put a step to simplify the registration

17
Mamba
Re: Security module Profile
  • 2013/10/3 13:12

  • Mamba

  • Moderator

  • Posts: 11366

  • Since: 2004/4/23


Quote:
How so? I purposely put a step to simplify the registration

Because it improves your security and minimize the number of bots registering to your Website.
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

18
geekwright
Re: Security module Profile

As far as I can see, if the field name is valid and if the named field is presented in $_POST, it will be processed and added to the database.

It would be better if the program determined the list of inputs it should expect at the current stage, pulled and cleaned those from $_POST up front, and then worked only from that copy, not directly from the $_POST data. Currently, it merges previous step entries into $_POST and works from that.

This is an annoyance, but the input is still processed just as it would be if the field was part of the entry form.

The 'attack' in this case is not sophisticated. If is just a simple form in an HTML file that points to the real registration form as the action:

<form action="http://localhost/modules/profile/register.php" method="post" >
<
input type="text" name="user_icq" value="icqvalue" />
<
input type='submit' name='submitButton' value='Submit' title='Submit'  />
</
form>


Spammers are generally paid workers, and they use toolkits that use forms like these to automate as much data entry as possible. The payload is usually the links included. The dummy value in each field is just to make sure nothing required is omitted.

This is a bug, but by itself it has no security implications; input is handled just as it would be if the field was actually legitimately presented.

19
redheadedrod
Re: Security module Profile

We should be looking to get Profile to check the data on a registration and check its "signature". The registration script should be aware of what is supposed to be entered.

The registration should then look at what is returned and decide what to do with the information. Only if it matches the proper signature should it be brought forward without limitation.

If there is a difference then we know it is an automated registration and you can either block the registration and log the IP as banned or place them as a user in a different group.

The actual signature should be a list of the expected fields.
You should also be able to enter some Hidden fields into the form as well to insure that they are not just automating a common form. This hidden field can contain randomized information that the registration should expect back.


20
redheadedrod
Re: Security module Profile

I have a couple big projects to complete for class this weekend but I will try to look at Profile and see what I can come up with.

Unless I hear from Richard that he has changed it already.

Login

Who's Online

192 user(s) are online (119 user(s) are browsing Support Forums)


Members: 0


Guests: 192


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits