1 (edited by 2011-05-30 20:30:19)

Topic: [HACK] Spam protection in CuteNews UTF-8

The latest version of CuteNews UTF-8 comes with a build Captcha, our rather a pluginable captcha.
More instructions can be found at http://korn19.ch/coding/utf8-cutenews/image-captcha.php

Below some captcha alternatives:

* Hidden input fields.

2 (edited by 2011-05-30 20:26:57)

Re: [HACK] Spam protection in CuteNews UTF-8

Hack name: Hidden input fields
Description: This hack was based on an article posted here.
It's an attempt to fool spambots into thinking there is no spam protection and giving input fields random obscure names so there isn't a real pattern to input fields names. Visitors will notice nothing about the spam protection; No captchas or anything they need to fill out.
Filou83 updated the instructions for CuteNews UTF-8 (9.0) and higher and made some good changes to it. Smileys work with this hack, which wasn't the case for the original hack.
Auhtor:  FUNimations, Filou83
Instructions:
We need editing the shows.inc.php in "cutenews/inc/" directory.

find

$user_query = cute_query_string($QUERY_STRING, array( "comm_start_from","start_from", "archive", "subaction", "id", "ucat"));

add above or below

$priv_salt="somestring";

CHANGE the word somestring to some sort of securitycode (like sec183459 or sth. like that) you make up. And leave the quotes!

find

    $name = trim($name);
    $mail = trim($mail);
    $id = (int) $id;

and replace with

    $salt_name = md5($priv_salt.date('z'));
    $salt = $_POST[$salt_name];
    if(empty($salt))
    {
        $salt_name = md5($priv_salt.(date('z')-1));
        $salt = $_POST[$salt_name];
    }
    $obsc_name = sha1('name'.$salt );
    $obsc_mail = sha1( 'mail'.$salt );
    $obsc_comment = sha1('comment'.$salt );
    $true_name = sha1('tname'.$salt );
    $true_mail = sha1('tmail'.$salt);
    $true_comment = sha1('tcomment'.$salt);
    $name = trim($_POST[$true_name]);
    $mail = trim($_POST[$true_mail]);
    $submit = trim($_POST['submit']);
    $comments = trim($_POST[$true_comment]);
    $id = (int) $id;

find

    if(strlen(utf8_decode($comments)) > $config_comment_max_long and $config_comment_max_long != '' and $config_comment_max_long != '0'){
        echo '<div style="text-align: center">'.$say['comm_long'].'</div>';
        $CN_HALT = TRUE;
        break 1;
    }

and add below

    if( $submit == "Add My Spam"){
        echo "<div style=\"text-align: center;\">Spambot detected. Don't worry if you're not!</div>";
        $CN_HALT = TRUE;
        break 1;
    }
    //SPAMPROT
    if(strlen(trim($_POST[$obsc_name])) >0 || strlen(trim($_POST[$obsc_mail])) >0 || strlen(trim($_POST[$obsc_comment])) >0)
    {
        echo "<div style=\"text-align: center;\">Spambot detected. Don't worry if you're not!</div>";
        $CN_HALT = TRUE;
        break 1;
    }

find

                echo '<div style="text-align: center">'.$say['pass_prompt'].'

                   <form name=passwordForm id=passwordForm method="post" accept-charset="utf-8" action="">
                   '.$say['password'].': <input type="password" name="password" />
                   <input type="hidden" name="name" value="'.$name.'" />
                   <input type="hidden" name="comments" value="'.$comments.'" />
                   <input type="hidden" name="mail" value="'.$mail.'" />
                   <input type="hidden" name="ip" value="'.$ip.'" />
                   <input type="hidden" name="subaction" value="addcomment" />
                   <input type="hidden" name="show" value="'.$show.'" />
                   <input type="hidden" name="ucat" value="'.$ucat.'" />
                   '.$user_post_query;

replace with

    //SPAMPROT
                $salt_name = md5($priv_salt.date('z'));
                $salt = $_POST[$salt_name];
                if(empty($salt))
                {

                    $salt_name = md5($priv_salt.(date('z')-1));
                }
                $obsc_name = sha1('name'.$salt );
                $obsc_mail = sha1( 'mail'.$salt );
                $obsc_comment = sha1('comment'.$salt );
                $true_name = sha1('tname'.$salt );
                $true_mail = sha1('tmail'.$salt);
                $true_comment = sha1('tcomment'.$salt);
                echo '<div style="text-align: center">'.$say['pass_prompt'].'

                   <form name=passwordForm id=passwordForm method="post" accept-charset="utf-8" action="">
                   '.$say['password'].': <input type="password" name="password" />
                   <input type="hidden" name="$true_name" value="'.$name.'" />
                   <input type="hidden" name="$true_comments" value="'.$comments.'" />
                   <input type="hidden" name="$true_mail" value="'.$mail.'" />
                   <input type="hidden" name="ip" value="'.$ip.'" />
                   <input type="hidden" name="subaction" value="addcomment" />
                   <input type="hidden" name="show" value="'.$show.'" />
                   <input type="hidden" name="ucat" value="'.$ucat.'" />
                   <input type="hidden" name="$salt_name" value="'.$salt.'" />
                   <input type="hidden" name="$obsc_name" value="'.$_POST[$obsc_name].'" />
                   <input type="hidden" name="$obsc_mail" value="'.$_POST[$obsc_mail].'" />
                   <input type="hidden" name="$obsc_comment" value="'.$_POST[$obsc_comment].'" />
                   '.$user_post_query;

find

    $smilies_form = "\n<script type=\"text/javascript\">
    //<![CDATA[
    function insertext(text){
    document.comment.comments.value+=\" \"+ text;
    document.comment.comments.focus();
    }
    //]]></script>
    <noscript>".$say['no_js']."
    </noscript>".insertSmilies('short', FALSE);

replace with

    $smilies_form = insertSmilies('short', FALSE);

find

$template_form = str_replace('{smilies}', $smilies_form, $template_form);

replace with

//SPAMPROT
    $salt = md5(time()+$_GET['id']+$_SERVER['REMOTE_ADDR']);
    $salt_name = md5($priv_salt.date('z'));
    $obsc_name = sha1('name'.$salt );
    $obsc_mail = sha1( 'mail'.$salt );
    $obsc_comment = sha1('comment'.$salt );
    $true_name = sha1('tname'.$salt );
    $true_mail = sha1('tmail'.$salt);
    $true_comment = sha1('tcomment'.$salt);
    $show = t.sha1( 'show'.$salt );//css classname may never start with a number
    $hide = t.sha1( 'hide'.$salt );//css classname may never start with a number

    $template_form = str_replace('{smilies}', $smilies_form, $template_form);
    $template_form = str_replace('{spam-input-name}', $obsc_name, $template_form);
    $template_form = str_replace('{spam-input-mail}', $obsc_mail, $template_form);
    $template_form = str_replace('{spam-input-comment}', $obsc_comment, $template_form);
    $template_form = str_replace('{real-input-name}', $true_name, $template_form);
    $template_form = str_replace('{real-input-mail}', $true_mail, $template_form);
    $template_form = str_replace('{real-input-comment}', $true_comment, $template_form);
    $template_form = str_replace('{show}', $show, $template_form);
    $template_form = str_replace('{hide}', $hide, $template_form);

The following inserts css-definitions and the insert-smileys javascript before the form (version A). If you don't (and won't) use smileys in your comments form, you could use version B instead.
find

    echo "<form accept-charset=\"utf-8\" $CN_remember_form  method=\"post\" name=\"comment\" id=\"comment\" action=\"\">".$template_form."<div><input type=\"hidden\" name=\"subaction\" value=\"addcomment\" />
        <input type=\"hidden\" name=\"ucat\" value=\"$ucat\" />";

replace with version A

    echo "\n
        <style type=\"text/css\">.".$show."{display:inline;} .".$hide."{display:none;}</style>
        <script type=\"text/javascript\">
        //<![CDATA[
        function insertext(text){
        document.getElementById(\"".$true_comment."\").value+=\" \"+ text;
        document.getElementById(\"".$true_comment."\").focus();
        }
        //]]></script>
        <noscript>".$say['no_js']."
        </noscript>
        <form accept-charset=\"utf-8\" $CN_remember_form  method=\"post\" name=\"comment\" id=\"comment\" action=\"\"><input type=\"hidden\" name=\"".$salt_name."\" value=\"".$salt."\" />".$template_form."<div>
        <input type=\"hidden\" name=\"subaction\" value=\"addcomment\" /><input type=\"hidden\" name=\"ucat\" value=\"$ucat\" />";

or replace with version B for comments form without smileys (smileys will not work!)

    echo "\n
        <style type=\"text/css\">.".$show."{display:inline;} .".$hide."{display:none;}</style>
        <form accept-charset=\"utf-8\" $CN_remember_form  method=\"post\" name=\"comment\" id=\"comment\" action=\"\"><input type=\"hidden\" name=\"".$salt_name."\" value=\"".$salt."\" />".$template_form."<div>
        <input type=\"hidden\" name=\"subaction\" value=\"addcomment\" /><input type=\"hidden\" name=\"ucat\" value=\"$ucat\" />";

close shows.inc.php, save changes and upload the modified file.
Next change ALL your templates (the comments form part) like following.
First find (based on the default template)

<input type="submit" name="submit" value="Add My Comment">

and repalce it with

<span class="{hide}"><input type="submit" name="submit" value="Add My Spam"></span><span class="{show}"> <input type="submit" name="submit" value="Add My Comment"> </span>


Next we are going to replace all input fields:

<input type="text" name="name">

to

<span class="{show}"><input type="text" name="{real-input-name}"></span><span class="{hide}"><input type="text" name="{spam-input-name}"></span>


<input type="text" name="mail">

to

<span class="{show}"><input type="text" name="{real-input-mail}"></span><span class="{hide}"><input type="text" name="{spam-input-mail}"> </span>


The id-tag also has to be changed because of the changed javascript function:

<textarea cols="40" rows="6" id=commentsbox name="comments"></textarea>

to

<span class="{show}"><textarea cols="40" rows="6" id="{real-input-comment}" name="{real-input-comment}"></textarea></span><span class="{hide}"><textarea cols="40" rows="6" id="{spam-input-comment}" name="{spam-input-comment}"></textarea></span>

And save the new template. That is all. Now it may be good for you to understand what the change in the template does. For each field we create a dummy field. The dummy fields will be invisible, so users won't notice them and won't be able to fill anything in. Bots however won't notice them as being invisible, so they will submit values for those fields. When CN detects the dummy fields as being filled in, it'll know it's a bot.
Now what you should know is that around every input field there is a span. You are free to swith the dummy field and the REAL field but don't forget to switch the span aswell so you don't accidently make the dummy fields visible and the rela fields invisible. It's a good idea to do some random ordering with these fields, so we don't have a standard

real dummy, real, dummy, real, dummy

order but you get something like

dummy real, dummy, dummy, real, real

Posts: 3

Pages 1

You must login or register to post a reply

CutePHP Forums → Hacks & Tricks / FAQ → [HACK] Spam protection in CuteNews UTF-8