Author Topic: Adding some security to mathCaptcha()  (Read 5666 times)

codetwist

  • Hero Member
  • Karma: 50
  • Posts: 940
Adding some security to mathCaptcha()
« on: March 06, 2007, 03:13:08 PM »

There was something about this mathCaptcha() that didn't quite register until lately. Its implementation not only sends the expression and the input field for result entry to the client browser, but also a hidden field with the result itself. The value of that hidden field is afterwards sent back to the server and used to compare against the value in the field sum.

Thus, if an automated posting system wants to bypass this, it shouldn't even need to bother with expression parsing. All it has to do is set both fields (sum and calc) to the same number (any) and send it to the server along with the comment or whatever mathCaptcha() is supposed to protect at that moment.

To have any effect on security, the mathCaptcha() expected value should be kept on the server side only. Then, for bypassing, at least that expression will have to be parsed.

My code for this follows:
Code:
```php
// MATH CAPTCHA
// Renders the challenge and stores the expected answer in the session.
// Requires session_start() to have run before this is called.
function mathCaptcha() {
   $x = rand(1, 9);
   $y = rand(1, 9);
   $math = '<p><label for="c">* '.l('math_captcha').':</label>
';
   $math .= $x.' + '.$y.' = ';
   $math .= '<input type="text" name="calc" id="c" style="width: 30px;" /></p><p>';
   $xplusy = $x + $y;
   // The hidden "sum" field is kept only for form compatibility; it now carries a
   // random decoy value and is never consulted by checkMathCaptcha().
   $math .= "<input type=\"hidden\" name=\"sum\" id=\"sum\" value=\"" . rand(1, 18) . "\" /></p>";
   // The real answer never leaves the server.
   $_SESSION['mathCaptcha-digit'] = $xplusy;
   return $math;
}

// Returns true only if $inCalc matches the answer stored in the session.
// $inSum is accepted for call-site compatibility but ignored.
function checkMathCaptcha( $inSum = '', $inCalc = '') {
   $result = false;
   $testNumber = isset($_SESSION['mathCaptcha-digit']) ? $_SESSION['mathCaptcha-digit'] : 'none';
   // Consume the stored answer whether or not the attempt succeeds: one attempt per challenge.
   unset($_SESSION['mathCaptcha-digit']);
   if ( is_numeric($testNumber) && is_numeric($inCalc) && ($testNumber == $inCalc)) {
      $result = true;
   }
   return $result;
}
```
I left the sum field in place; however, its value as such is ignored. A similar mod should be applied to the wordy mathCaptcha as well.
« Last Edit: September 24, 2007, 11:52:17 AM by codetwist »
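As an added example (not sNews code and not the patch above): the client-trusting check the post describes, beside a session-backed check in the spirit of the patch, driven by constructed POST arrays so the bypass and the fix can be seen on one screen. The function names `checkMathCaptchaClientTrusted`, `issueMathCaptcha`, `checkMathCaptchaServerSide` and `demo` are mine; the session is modelled as a plain array passed by reference so the script runs from the command line, and `ctype_digit` replaces the patch's `is_numeric`/`==` pair, which is a stricter choice of mine rather than the patch's own behaviour.

```php
<?php
// Added example, not sNews code: the client-trusting check the post describes,
// beside a session-backed check in the spirit of the patch above. The session is
// modelled as a plain array (passed by reference) so this runs from the CLI;
// in sNews the same logic would read and write $_SESSION after session_start().

// The original design as described in the post: the hidden "sum" field carries
// the answer, so the server only compares two values the client itself sent.
function checkMathCaptchaClientTrusted(array $post): bool
{
    return isset($post['sum'], $post['calc'])
        && is_numeric($post['sum']) && is_numeric($post['calc'])
        && $post['sum'] == $post['calc'];
}

// Hardened design: the answer is stored server-side only; the page gets just
// the expression. $x/$y can be fixed for a deterministic demonstration.
function issueMathCaptcha(array &$session, ?int $x = null, ?int $y = null): string
{
    $x = $x ?? random_int(1, 9);
    $y = $y ?? random_int(1, 9);
    $session['mathCaptcha-digit'] = $x + $y;
    return $x . ' + ' . $y . ' = ';   // nothing here reveals the answer
}

// The stored answer is consumed whether or not the attempt succeeds, so each
// issued challenge is good for exactly one POST: a known-good answer cannot be
// replayed to flood the form.
function checkMathCaptchaServerSide(array &$session, array $post): bool
{
    $expected = $session['mathCaptcha-digit'] ?? null;
    unset($session['mathCaptcha-digit']);
    if ($expected === null || !isset($post['calc'])) {
        return false;
    }
    // Require a plain unsigned integer string; rejects "", "7abc", "1e1", " 7".
    $calc = (string) $post['calc'];
    if (!ctype_digit($calc)) {
        return false;
    }
    return (int) $calc === (int) $expected;
}

// Walk through the attack and the fix with constructed POST bodies.
function demo(): array
{
    $session = [];
    issueMathCaptcha($session, 3, 4);   // user sees "3 + 4 = "; 7 is held server-side

    // The bypass from the post: both fields set to the same arbitrary number,
    // no parsing of the expression needed.
    $forged = ['sum' => '5', 'calc' => '5'];
    // What a human would send (the sum field, if still rendered, is noise).
    $honest = ['sum' => '12', 'calc' => '7'];

    $r = [];
    $r['old_accepts_forged'] = checkMathCaptchaClientTrusted($forged);
    $r['new_rejects_forged'] = !checkMathCaptchaServerSide($session, $forged);
    // The failed attempt consumed the challenge, so even the right answer now
    // fails until the form is rendered again.
    $r['consumed_after_fail'] = !checkMathCaptchaServerSide($session, $honest);

    issueMathCaptcha($session, 3, 4);
    $r['new_accepts_honest'] = checkMathCaptchaServerSide($session, $honest);
    // Replaying the same good answer without a fresh challenge is rejected.
    $r['replay_rejected'] = !checkMathCaptchaServerSide($session, $honest);
    return $r;
}

if (PHP_SAPI === 'cli') {
    foreach (demo() as $check => $ok) {
        printf("%-22s %s\n", $check, $ok ? 'ok' : 'FAIL');
    }
}
```

Run it with the php command-line binary. One consequence of unsetting the stored answer on every check, which the patch does as well: a wrong answer invalidates the challenge, so the form has to be re-rendered (issuing a fresh expression) after every failed submission, and a page that calls the check twice in one request will fail the second call. None of this stops a bot from reading "3 + 4" off the page; the post's point is only that the answer must not travel with the form.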

philmoz

  • High flyer
  • ULTIMATE member
  • Karma: 161
  • Posts: 1988
    • fiddle 'n fly
Adding some security to mathCaptcha()
« Reply #1 on: March 06, 2007, 07:07:32 PM »

Yep, this also protects against flooding.... which the current one fails on.

Usage in those places that check for the mathCaptcha result, something like
Quote
```php
$calc = checkMathCaptcha( $_POST['sum'], $_POST['calc'] ) ? true : null;
```
Although the hidden field, as mentioned, is no longer required, so it may be removed from the above code, and $_POST['sum'] removed from the checking line.

I do know that mathCaptcha is being tweaked in next update.
Of all the things I have lost, it is my mind that I miss the most.

codetwist

  • Hero Member
  • Karma: 50
  • Posts: 940
Adding some security to mathCaptcha()
« Reply #2 on: March 06, 2007, 07:37:13 PM »

Ok, thanks for info.

Sufficient usage is:
Code:
```php
$calc = checkMathCaptcha( $_POST['sum'], $_POST['calc'] );
```
as this function explicitly returns true if the captcha passed and false in all other cases. No need for the ? true : null construct.
« Last Edit: September 24, 2007, 11:52:37 AM by codetwist »

piXelatedEmpire

  • MIA
  • ULTIMATE member
  • Karma: 37
  • Posts: 1401
  • currently MIA
Adding some security to mathCaptcha()
« Reply #3 on: March 08, 2007, 07:52:45 AM »

this is a good post codetwist, thanks :)
please note the mathCaptcha function is being revised for the next scheduled release due shortly :)
My apologies to the sNews crew, but I will be MIA for the foreseeable future.

funlw65

  • Hero Member
  • Karma: 96
  • Posts: 771
    • Country Lab
Re: Adding some security to mathCaptcha()
« Reply #4 on: November 08, 2008, 04:13:29 PM »

Quote from: piXelatedEmpire
this is a good post codetwist, thanks :)
please note the mathCaptcha function is being revised for the next scheduled release due shortly :)

... and it was not.

Keyrocks

  • Doug
  • ULTIMATE member
  • Karma: 449
  • Posts: 6019
  • Semantically Challenged
    • snews.ca
Re: Adding some security to mathCaptcha()
« Reply #5 on: November 11, 2008, 04:41:03 PM »

Quote from: funlw65
this is a good post codetwist, thanks :)
please note the mathCaptcha function is being revised for the next scheduled release due shortly :)

... and it was not.

PLEASE NOTE: This patch has been posted in the 1.6 Patches and Fixes Board and added to the Official Download as of today, November 11.08.

Also note that the "Latest Revision Update" notice is now a sticky at the top of the 1.6 Patches and Fixes Board and the latest updates will be posted there as I add them to the Official Download.
« Last Edit: November 12, 2008, 02:47:08 AM by Keyrocks »
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

funlw65

  • Hero Member
  • Karma: 96
  • Posts: 771
    • Country Lab
Re: Adding some security to mathCaptcha()
« Reply #6 on: November 11, 2008, 11:22:02 PM »

Thank you Keys!