Issue with captcha
I use the latest version, v1.5.1.3. Glad to see a captcha on the Contact Us form. I also followed the instructions in this post to add a captcha to the registration form and all login forms:
ADD CAPTCHA to Registration in 1.5.1
Then I realised there is a security hole in this approach: OpenCart generates a captcha when "information/contact/captcha" is requested to display the image (so every time the page is refreshed, the captcha changes), then stores it in the session object. When the form is posted, it compares the input with the session value.
The problem is that a robot won't refresh the page, so the captcha won't get changed. It will then try to post the forms with different captchas.
This potential issue can be improved by regenerating the captcha on each POST. Here are the details:
1. When "information/contact/captcha" is requested, if the session captcha value is null, generate one and store it in the session; otherwise just return the existing one.
2. In the POST handler of each controller where a captcha is needed, regenerate the captcha and store it in the session for the next use.
Last edited by i2Paq on Thu Nov 24, 2011 7:22 pm, edited 1 time in total.
Reason: Title adjusted
- BobHL
- Posts: 7
- Joined: Thu Nov 10, 2011 12:55 pm
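An added illustration of the two steps in the post above, not code from the thread or from OpenCart: the session is a plain array, the "controllers" are plain functions standing in for information/contact/captcha and a form's POST handler, and both flows are run against the robot scenario of a client that fetches the image once, solves it once, and then keeps posting the same answer. The code generator mirrors the short sha1-derived code OpenCart's captcha library produces; that is an assumption, and only the keyspace size matters here.

```php
<?php
declare(strict_types=1);

// Assumed generator: a 6-character code derived from sha1(mt_rand()).
function newCaptchaCode(): string
{
    return substr(sha1((string) mt_rand()), 17, 6);
}

// Original flow as described in the post: every image request makes a new
// code, and the POST handler only compares, never replaces, the stored one.
function originalImageRequest(array &$session): string
{
    $session['captcha'] = newCaptchaCode();
    return $session['captcha'];   // the real endpoint renders this as an image
}

function originalPost(array &$session, array $post): bool
{
    return isset($session['captcha'], $post['captcha'])
        && $session['captcha'] == $post['captcha'];   // loose compare, as in the stock check
}

// Proposed flow, step 1: the image endpoint only creates a code when the
// session has none, so re-requesting the image does not hand out a new one.
function rotatingImageRequest(array &$session): string
{
    if (empty($session['captcha'])) {
        $session['captcha'] = newCaptchaCode();
    }
    return $session['captcha'];
}

// Step 2: every POST consumes the stored code and replaces it, whether or not
// the check passed. hash_equals() is a strict, constant-time string compare,
// so numeric-looking strings are not compared as numbers the way == does.
function rotatingPost(array &$session, array $post): bool
{
    $ok = !empty($session['captcha'])
        && isset($post['captcha'])
        && hash_equals($session['captcha'], (string) $post['captcha']);
    $session['captcha'] = newCaptchaCode();
    return $ok;
}

// The robot from the thread: request the image once, solve it once (OCR or a
// human), then replay that answer in $posts submissions without ever touching
// the image endpoint again. Returns how many submissions were accepted.
function replayAttack(callable $imageRequest, callable $postHandler, int $posts): int
{
    $session  = [];
    $solved   = $imageRequest($session);   // the one-time solve
    $accepted = 0;
    for ($i = 0; $i < $posts; $i++) {
        if ($postHandler($session, ['captcha' => $solved])) {
            $accepted++;
        }
    }
    return $accepted;
}

printf("original flow: %d of 1000 replayed posts accepted\n",
    replayAttack('originalImageRequest', 'originalPost', 1000));
printf("rotating flow: %d of 1000 replayed posts accepted\n",
    replayAttack('rotatingImageRequest', 'rotatingPost', 1000));
```

With the original flow every replayed submission is accepted, since the session value never moves; with rotation only the first one is, and a client that wants a second success must fetch and solve a fresh image. Note what rotation does not buy: a blind guess still succeeds with probability 1/N per POST, where N is the keyspace, so a per-session failure limit (dropping the session or blocking the form after a handful of wrong answers) is the companion control a practitioner would add.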
Re: Potential security bug with captcha
Not a security issue. Why can you not put a more fitting title, like "captcha problem", in the title?
It does not give somebody access to hack someone's site!!!!
The worst thing that will happen is that you will receive an email!
OpenCart®
Project Owner & Developer.
OpenCart commercial support now available!
Daniel - Administrator
- Posts: 5173
- Joined: Fri Nov 03, 2006 10:57 am
Re: Potential security bug with captcha
Just change
if (!isset($this->session->data['captcha']) || ($this->session->data['captcha'] != $this->request->post['captcha'])) {
$this->error['captcha'] = $this->language->get('error_captcha');
}
to
if (empty($this->session->data['captcha']) || ($this->session->data['captcha'] != $this->request->post['captcha'])) {
$this->error['captcha'] = $this->language->get('error_captcha');
}
Actually, I don't think this can be pulled off like you say.
Daniel - Administrator
- Posts: 5173
- Joined: Fri Nov 03, 2006 10:57 am
Re: Issue with captcha
I considered this a security issue because I applied it to the admin login form, as I said - sorry if the title worried you!
RE: "the worst thing that will happen is that you will receive an email!"
If a robot can post the form once successfully, it can easily post 1 million times.
- BobHL
- Posts: 7
- Joined: Thu Nov 10, 2011 12:55 pm
Re: Issue with captcha
So you come up with an unlikely situation to justify posting a stupid title.
I have had contact forms with no captcha protection; they never got 1 million emails!
Daniel - Administrator
- Posts: 5173
- Joined: Fri Nov 03, 2006 10:57 am
Re: Issue with captcha
Also, your hack will not work because you would not get a null captcha stored in the session.
Daniel - Administrator
- Posts: 5173
- Joined: Fri Nov 03, 2006 10:57 am
Re: Issue with captcha
@BobHL: So, if I'm understanding correctly, you are assuming that a robot would visit the contact page the first time (which would generate a captcha and store it in the session) and then subsequently fire off a huge number of POST requests trying to guess the captcha? And since the robot never refreshes the page and only fires off a POST, the captcha in the session that is used to compare against always remains the same? If this is what you mean, I think it hardly seems like an issue, since it could take millions of guesses before the robot ever succeeded in brute-forcing the captcha.
d7a7z7e7d - Posts: 283
- Joined: Thu Sep 16, 2010 9:51 pm
- Location: USA