#169 Blogs open to spam comments, even if anti-spam is enabled

Status: closed
Owner: nobody
Comments (19)
Priority: 9
Updated: 2006-09-15
Created: 2006-08-11
Private: No

I've had a lot of spam robots creating comments on my blog lately, even if I enable anti-spam (both image and non-image captchas). Therefore, I dug into the problem and found out what the problem is: the captcha code checks if

    $_POST[ 'comment_capcha' ] == $_SESSION[ 'capcha_' . $_POST[ 'entry' ] ]

in comment_add_cgi.php.

If the browser/spam robot did not visit comments.php or has cookies disabled, no captcha has been created and stored in the session. Therefore, the value of

    $_SESSION[ 'capcha_' . $_POST[ 'entry' ] ]

is empty and therefore equal to

    $_POST[ 'comment_capcha' ]

if the post includes an empty 'comment_capcha' parameter. This is exactly what the spam robot does and why it's possible to post comments by circumventing the anti-spam systems employed in Simple PHP Blog.

This issue can be fixed by including these lines:

    if (!$logged_in && $_SESSION[ 'capcha_' . $_POST[ 'entry' ] ] == '') {
        // Captcha did not exist in session, so the comment poster did not come from the comments page,
        // where this should have been created. User is probably a spam robot.
        $fieldsExist = false;
    }

in comment_add_cgi.php, just before the line that checks the validity of the captcha. This code checks that a captcha has been stored in the session or the user is logged in. Otherwise, the post of a comment is aborted.

I've attached a simple HTML file that shows how simple it is to spam comments on any blog. You just need to fill in the [blog-url], [y], [m] and [entry] strings in the file, open it in a browser and submit the form.
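The loose comparison the report describes, shown beside a hardened check, as an added PHP example that is not Simple PHP Blog's own code; the function names, entry id and captcha value are assumed and constructed for illustration.

```php
<?php
// Added example, not code from Simple PHP Blog. Function names are assumed.

// Mirrors the original comment_add_cgi.php comparison. When no captcha was
// generated for this entry the session slot is missing, PHP treats it as null,
// and null == '' is true, so an empty 'comment_capcha' field passes the check.
function captcha_ok_loose(array $post, array $session): bool
{
    $key = 'capcha_' . $post['entry'];
    return $post['comment_capcha'] == ($session[$key] ?? null);
}

// Hardened check: a captcha must have been issued for this entry, the submitted
// value must be a non-empty string, and the comparison is type-strict and
// constant-time. Logged-in users skip the captcha, as in the reporter's patch.
function captcha_ok_strict(array $post, array $session, bool $logged_in): bool
{
    if ($logged_in) {
        return true;
    }
    $key = 'capcha_' . ($post['entry'] ?? '');
    if (!isset($session[$key]) || $session[$key] === '') {
        return false; // nothing stored: the poster never loaded comments.php
    }
    $answer = $post['comment_capcha'] ?? null;
    if (!is_string($answer) || $answer === '') {
        return false;
    }
    return hash_equals($session[$key], $answer);
}

// Constructed sample requests for a session that never rendered the form.
$session = [];
$bot = ['entry' => '2006-08-11-1', 'comment_capcha' => ''];
printf("loose check accepts bot: %s\n", captcha_ok_loose($bot, $session) ? 'yes' : 'no');
printf("strict check accepts bot: %s\n", captcha_ok_strict($bot, $session, false) ? 'yes' : 'no');

// A visitor who loaded the form and typed the stored (constructed) value.
$session = ['capcha_2006-08-11-1' => 'k7d3p'];
$human = ['entry' => '2006-08-11-1', 'comment_capcha' => 'k7d3p'];
printf("strict check accepts human: %s\n", captcha_ok_strict($human, $session, false) ? 'yes' : 'no');

// After a successful check the caller should unset $session[$key] so the same
// solved captcha cannot be reused for further comments.
```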

Discussion

  • Attachments: Exploit
    • labels: 629514 --> Comments
    • priority: 5 --> 9
  • Yehaah
    2006-08-13

    Great!

    Thanks Normann

     
  • Yehaah
    2006-08-24

    Is it possible to get any info on how the work on a bug fix is going?
    I'm removing between 5 and 10 spam comments every day, and get a lot of questions from users on why I can't stop the SPAM, and when a solution will come.

    Any info that I can pass on?

     
  • Bill Bateman
    2006-08-31

    I will be implementing a variation of this change today. Please read the main page (www.simplephpblog.com) for more information.

    Bill

     
  • Bill Bateman
    2006-08-31

    It's been implemented in the comments. We already had code like this in the contact us page.

    Thanks Jan...

    Bill

     
  • Bill Bateman
    2006-08-31

    • status: open --> pending

  • status: pending --> closed

    This Tracker item was closed automatically by the system. It was previously set to a Pending status, and the original submitter did not respond within 14 days (the time period specified by the administrator of this Tracker).