CuteNews

> [HACK] Spam protection in CuteNews UTF-8, List of different hacks
FUNimations
post May 30 2011, 08:18 PM
Post #1


CuteNews Support Crew Pimp
***

Group: Support
Posts: 16,512
Joined: 28-August 05
From: Belgium
Member No.: 5,662



The latest version of CuteNews UTF-8 comes with a built-in Captcha, or rather a pluggable captcha.
More instructions can be found at http://korn19.ch/coding/utf8-cutenews/image-captcha.php

Below are some captcha alternatives:


FUNimations
post May 30 2011, 08:25 PM
Post #2





Hack name: Hidden input fields
Description: This hack was based on an article posted here.
It's an attempt to fool spambots into thinking there is no spam protection and giving input fields random obscure names so there isn't a real pattern to input field names. Visitors will notice nothing about the spam protection; no captchas or anything they need to fill out.
Filou83 updated the instructions for CuteNews UTF-8 (9.0) and higher and made some good changes to it. Smileys work with this hack, which wasn't the case for the original hack.
Author: FUNimations, Filou83
Instructions:
We need to edit shows.inc.php in the "cutenews/inc/" directory.

find
CODE
$user_query = cute_query_string($QUERY_STRING, array( "comm_start_from","start_from", "archive", "subaction", "id", "ucat"));
add above or below
CODE
$priv_salt="somestring";
CHANGE the word somestring to some sort of security code (like sec183459 or something like that) you make up. And leave the quotes!

find
CODE
    $name = trim($name);
    $mail = trim($mail);
    $id = (int) $id;
and replace with
CODE
    $salt_name = md5($priv_salt.date('z'));
    $salt = $_POST[$salt_name];
    if(empty($salt))
    {
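        // form rendered yesterday: use yesterday's day number (date('z')-1 gives -1 on 1 January)
        $salt_name = md5($priv_salt.date('z', strtotime('-1 day')));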
        $salt = $_POST[$salt_name];
    }
    $obsc_name = sha1('name'.$salt );
    $obsc_mail = sha1( 'mail'.$salt );
    $obsc_comment = sha1('comment'.$salt );
    $true_name = sha1('tname'.$salt );
    $true_mail = sha1('tmail'.$salt);
    $true_comment = sha1('tcomment'.$salt);
    $name = trim($_POST[$true_name]);
    $mail = trim($_POST[$true_mail]);
    $submit = trim($_POST['submit']);
    $comments = trim($_POST[$true_comment]);
    $id = (int) $id;


find
CODE
    if(strlen(utf8_decode($comments)) > $config_comment_max_long and $config_comment_max_long != '' and $config_comment_max_long != '0'){
        echo '<div style="text-align: center">'.$say['comm_long'].'</div>';
        $CN_HALT = TRUE;
        break 1;
    }
and add below
CODE
    if( $submit == "Add My Spam"){
        echo "<div style=\"text-align: center;\">Spambot detected. Don't worry if you're not!</div>";
        $CN_HALT = TRUE;
        break 1;
    }
    //SPAMPROT
    if(strlen(trim($_POST[$obsc_name])) >0 || strlen(trim($_POST[$obsc_mail])) >0 || strlen(trim($_POST[$obsc_comment])) >0)
    {
        echo "<div style=\"text-align: center;\">Spambot detected. Don't worry if you're not!</div>";
        $CN_HALT = TRUE;
        break 1;
    }


find
CODE
                echo '<div style="text-align: center">'.$say['pass_prompt'].'<br />
                   <form name=passwordForm id=passwordForm method="post" accept-charset="utf-8" action="">
                   '.$say['password'].': <input type="password" name="password" />
                   <input type="hidden" name="name" value="'.$name.'" />
                   <input type="hidden" name="comments" value="'.$comments.'" />
                   <input type="hidden" name="mail" value="'.$mail.'" />
                   <input type="hidden" name="ip" value="'.$ip.'" />
                   <input type="hidden" name="subaction" value="addcomment" />
                   <input type="hidden" name="show" value="'.$show.'" />
                   <input type="hidden" name="ucat" value="'.$ucat.'" />
                   '.$user_post_query;
replace with
CODE
    //SPAMPROT
                $salt_name = md5($priv_salt.date('z'));
                $salt = $_POST[$salt_name];
                if(empty($salt))
                {
                    // form rendered yesterday: read the salt from yesterday's field name
                    $salt_name = md5($priv_salt.date('z', strtotime('-1 day')));
                    $salt = $_POST[$salt_name];
                }
                $obsc_name = sha1('name'.$salt );
                $obsc_mail = sha1( 'mail'.$salt );
                $obsc_comment = sha1('comment'.$salt );
                $true_name = sha1('tname'.$salt );
                $true_mail = sha1('tmail'.$salt);
                $true_comment = sha1('tcomment'.$salt);
                // variables are not expanded inside single quotes, so the field names are concatenated;
                // $salt and the dummy values come straight from $_POST and are escaped before output
                echo '<div style="text-align: center">'.$say['pass_prompt'].'<br />
                   <form name=passwordForm id=passwordForm method="post" accept-charset="utf-8" action="">
                   '.$say['password'].': <input type="password" name="password" />
                   <input type="hidden" name="'.$true_name.'" value="'.$name.'" />
                   <input type="hidden" name="'.$true_comment.'" value="'.$comments.'" />
                   <input type="hidden" name="'.$true_mail.'" value="'.$mail.'" />
                   <input type="hidden" name="ip" value="'.$ip.'" />
                   <input type="hidden" name="subaction" value="addcomment" />
                   <input type="hidden" name="show" value="'.$show.'" />
                   <input type="hidden" name="ucat" value="'.$ucat.'" />
                   <input type="hidden" name="'.$salt_name.'" value="'.htmlspecialchars($salt, ENT_QUOTES).'" />
                   <input type="hidden" name="'.$obsc_name.'" value="'.htmlspecialchars($_POST[$obsc_name], ENT_QUOTES).'" />
                   <input type="hidden" name="'.$obsc_mail.'" value="'.htmlspecialchars($_POST[$obsc_mail], ENT_QUOTES).'" />
                   <input type="hidden" name="'.$obsc_comment.'" value="'.htmlspecialchars($_POST[$obsc_comment], ENT_QUOTES).'" />
                   '.$user_post_query;


find
CODE
    $smilies_form = "\n<script type=\"text/javascript\">
    //<![CDATA[
    function insertext(text){
    document.comment.comments.value+=\" \"+ text;
    document.comment.comments.focus();
    }
    //]]></script>
    <noscript>".$say['no_js']."
    </noscript>".insertSmilies('short', FALSE);
replace with
CODE
    $smilies_form = insertSmilies('short', FALSE);


find
CODE
$template_form = str_replace('{smilies}', $smilies_form, $template_form);
replace with
CODE
//SPAMPROT
    // join the parts with '.'; '+' would do arithmetic on the strings instead of concatenating them
    $salt = md5(time().$_GET['id'].$_SERVER['REMOTE_ADDR']);
    $salt_name = md5($priv_salt.date('z'));
    $obsc_name = sha1('name'.$salt );
    $obsc_mail = sha1( 'mail'.$salt );
    $obsc_comment = sha1('comment'.$salt );
    $true_name = sha1('tname'.$salt );
    $true_mail = sha1('tmail'.$salt);
    $true_comment = sha1('tcomment'.$salt);
    $show = 't'.sha1( 'show'.$salt );//css classname may never start with a number
    $hide = 't'.sha1( 'hide'.$salt );//css classname may never start with a number

    $template_form = str_replace('{smilies}', $smilies_form, $template_form);
    $template_form = str_replace('{spam-input-name}', $obsc_name, $template_form);
    $template_form = str_replace('{spam-input-mail}', $obsc_mail, $template_form);
    $template_form = str_replace('{spam-input-comment}', $obsc_comment, $template_form);
    $template_form = str_replace('{real-input-name}', $true_name, $template_form);
    $template_form = str_replace('{real-input-mail}', $true_mail, $template_form);
    $template_form = str_replace('{real-input-comment}', $true_comment, $template_form);
    $template_form = str_replace('{show}', $show, $template_form);
    $template_form = str_replace('{hide}', $hide, $template_form);


The following inserts css-definitions and the insert-smileys javascript before the form (version A). If you don't (and won't) use smileys in your comments form, you could use version B instead.
find
CODE
    echo "<form accept-charset=\"utf-8\" $CN_remember_form  method=\"post\" name=\"comment\" id=\"comment\" action=\"\">".$template_form."<div><input type=\"hidden\" name=\"subaction\" value=\"addcomment\" />
        <input type=\"hidden\" name=\"ucat\" value=\"$ucat\" />";
replace with version A
CODE
    echo "\n
        <style type=\"text/css\">.".$show."{display:inline;} .".$hide."{display:none;}</style>
        <script type=\"text/javascript\">
        //<![CDATA[
        function insertext(text){
        document.getElementById(\"".$true_comment."\").value+=\" \"+ text;
        document.getElementById(\"".$true_comment."\").focus();
        }
        //]]></script>
        <noscript>".$say['no_js']."
        </noscript>
        <form accept-charset=\"utf-8\" $CN_remember_form  method=\"post\" name=\"comment\" id=\"comment\" action=\"\"><input type=\"hidden\" name=\"".$salt_name."\" value=\"".$salt."\" />".$template_form."<div>
        <input type=\"hidden\" name=\"subaction\" value=\"addcomment\" /><input type=\"hidden\" name=\"ucat\" value=\"$ucat\" />";
or replace with version B for comments form without smileys (smileys will not work!)
CODE
    echo "\n
        <style type=\"text/css\">.".$show."{display:inline;} .".$hide."{display:none;}</style>
        <form accept-charset=\"utf-8\" $CN_remember_form  method=\"post\" name=\"comment\" id=\"comment\" action=\"\"><input type=\"hidden\" name=\"".$salt_name."\" value=\"".$salt."\" />".$template_form."<div>
        <input type=\"hidden\" name=\"subaction\" value=\"addcomment\" /><input type=\"hidden\" name=\"ucat\" value=\"$ucat\" />";


Close shows.inc.php, save changes and upload the modified file.
Next change ALL your templates (the comments form part) as follows.
First find (based on the default template)
CODE
<input type="submit" name="submit" value="Add My Comment">
and replace it with
CODE
<span class="{hide}"><input type="submit" name="submit" value="Add My Spam"></span><span class="{show}"> <input type="submit" name="submit" value="Add My Comment"> </span>

Next we are going to replace all input fields:
CODE
<input type="text" name="name">
to
CODE
<span class="{show}"><input type="text" name="{real-input-name}"></span><span class="{hide}"><input type="text" name="{spam-input-name}"></span>

CODE
<input type="text" name="mail">
to
CODE
<span class="{show}"><input type="text" name="{real-input-mail}"></span><span class="{hide}"><input type="text" name="{spam-input-mail}"> </span>

The id-tag also has to be changed because of the changed javascript function:
CODE
<textarea cols="40" rows="6" id=commentsbox name="comments"></textarea>
to
CODE
<span class="{show}"><textarea cols="40" rows="6" id="{real-input-comment}" name="{real-input-comment}"></textarea></span><span class="{hide}"><textarea cols="40" rows="6" id="{spam-input-comment}" name="{spam-input-comment}"></textarea></span>


And save the new template. That is all. Now it may be good for you to understand what the change in the template does. For each field we create a dummy field. The dummy fields will be invisible, so users won't notice them and won't be able to fill anything in. Bots however won't notice them as being invisible, so they will submit values for those fields. When CN detects the dummy fields as being filled in, it'll know it's a bot.
Now what you should know is that around every input field there is a span. You are free to switch the dummy field and the REAL field but don't forget to switch the span as well so you don't accidentally make the dummy fields visible and the real fields invisible. It's a good idea to do some random ordering with these fields, so we don't have a standard
QUOTE
real dummy, real, dummy, real, dummy
order but you get something like
QUOTE
dummy real, dummy, dummy, real, real


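The server-side check from the hack above, run over one human and one bot submission that cross midnight on 31 December. This is an added example, not part of the original post and not CuteNews code; `PRIV_SALT`, `field_names()`, `salt_field()`, `classify()` and the sample POST arrays are constructed for illustration.

```php
<?php
// Added example: constructed demo of the honeypot check, not CuteNews code.
date_default_timezone_set('UTC');
const PRIV_SALT = 'sec183459';            // stands in for $priv_salt

// Field names derived from the per-form salt, same sha1() scheme as the hack.
function field_names(string $salt): array {
    $n = ['real' => [], 'dummy' => []];
    foreach (['name', 'mail', 'comment'] as $f) {
        $n['real'][$f]  = sha1('t' . $f . $salt);  // shown to the visitor
        $n['dummy'][$f] = sha1($f . $salt);        // hidden by CSS
    }
    return $n;
}

// Name of the hidden input carrying the salt; it changes once per day.
function salt_field(int $when): string {
    return md5(PRIV_SALT . date('z', $when));
}

// Hypothetical helper: returns 'accept' or the reason for rejecting the POST.
function classify(array $post, int $now): string {
    $salt = null;
    foreach ([$now, $now - 86400] as $when) {      // today, then yesterday
        $v = $post[salt_field($when)] ?? null;
        if (is_string($v) && $v !== '') { $salt = $v; break; }
    }
    if ($salt === null) return 'reject: no salt field';
    if (($post['submit'] ?? '') === 'Add My Spam') return 'reject: decoy button';
    $n = field_names($salt);
    foreach ($n['dummy'] as $key) {
        $v = $post[$key] ?? '';
        // Arrays (name[]=x) are not valid input either, so treat them as filled.
        if (!is_string($v) || trim($v) !== '') return 'reject: dummy field filled';
    }
    return 'accept';
}

// Constructed input: form rendered on 31 Dec, submitted just after midnight.
$rendered = gmmktime(23, 59, 0, 12, 31, 2011);
$now      = gmmktime(0, 1, 0, 1, 1, 2012);
$salt     = md5('constructed-salt');
$n        = field_names($salt);
$human = [salt_field($rendered) => $salt, 'submit' => 'Add My Comment',
          $n['real']['name'] => 'Ann', $n['real']['comment'] => 'Nice post'];
$bot   = $human + [$n['dummy']['mail'] => 'spam@example.invalid'];
echo classify($human, $now), "\n";   // human: dummy fields left empty
echo classify($bot, $now), "\n";     // bot: filled every input it found
```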
