I use the latest version v1.5.1.3. Glad to see captcha on the Contact Us form. I also followed the instruction in this post to add captcha to registration form and all login forms:
ADD CAPTCHA to Registration in 1.5.1
Then I realised there is a security hole in this approach: OpenCart generates captcha when "information/contact/captcha" is requested for displaying an image (so every time the page is refreshed, the captcha is changed), then it is stored in the session object. When the form is posted, it compares the input with the session value.
The problem is that a robot won't refresh the page, so the captcha won't get changed. Then it will try to post the forms with different captchas.
This potential issue can be improved by generating the captcha in each POST. Here are the details:
1. When "information/contact/captcha" is requested, if the session captcha value is null, generate one and store it in the session, otherwise just return the existing one.
2. In the POST method handler of each controller where captcha is needed, regenerate the captcha and store it in the session for next use.
Not a security issue. Why can you not put a more fitting title like "captcha problem" in the title?
It does not give somebody access to hack someone's site!!!!
The worst thing that will happen is that you will receive an email!
OpenCart®
Project Owner & Developer.
Just change
if (!isset($this->session->data['captcha']) || ($this->session->data['captcha'] != $this->request->post['captcha'])) {
    $this->error['captcha'] = $this->language->get('error_captcha');
}
to
if (empty($this->session->data['captcha']) || ($this->session->data['captcha'] != $this->request->post['captcha'])) {
    $this->error['captcha'] = $this->language->get('error_captcha');
}
Actually I don't think this can be pulled off like you say.
OpenCart®
Project Owner & Developer.
I considered this a security issue because I applied it to the admin login form, as I said - sorry if the title worried you!
RE: "the worst thing that will happen is that you will receive an email!"
If a robot can post the form once successfully, it can easily post 1 million times.
@BobHL: So, if I'm understanding correctly, you are assuming that a robot would visit the contact page the first time (which would generate a captcha and store it in the session) and then subsequently fire off a huge number of POST requests trying to guess the captcha? And since the robot never refreshes the page and only fires off a POST, the captcha in the session that is used to compare against always remains the same? If this is what you mean, I think it hardly seems like an issue, since it could take millions of guesses before the robot ever succeeded in brute-forcing the captcha.
OpenCart Extensions, Technical Support & Custom Development | Have I helped you?
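The approach from the first post (reuse the pending code on image requests, invalidate it on every POST) combined with the empty() check suggested in the reply, as an added example that is not part of the thread or of OpenCart's own code. Plain arrays stand in for the session and POST data, all function names are hypothetical, and the stored code is unset on POST rather than regenerated, leaving the image handler to issue the next one.

```php
<?php
// Added example. Plain arrays stand in for OpenCart's session and POST data;
// all function names here are hypothetical.

function captchaForImage(array &$session): string {
    // Step 1 of the proposal: reuse a pending code, otherwise issue a new one.
    if (empty($session['captcha'])) {
        $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
        $code = '';
        for ($i = 0; $i < 6; $i++) {
            $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
        }
        $session['captcha'] = $code;
    }
    return $session['captcha'];
}

// The check quoted in the thread: a failed POST leaves the stored code in
// place, so later POSTs in the same session are compared against the same value.
function verifyStale(array &$session, array $post): bool {
    return isset($session['captcha'])
        && $session['captcha'] == ($post['captcha'] ?? null);
}

// Single-use check: the stored code is consumed on every attempt, pass or
// fail, so the client needs a fresh image before each POST.
function verifySingleUse(array &$session, array $post): bool {
    $expected = $session['captcha'] ?? '';
    unset($session['captcha']);   // step 2: invalidate on POST
    $given = $post['captcha'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;             // no code issued (the empty() case) or bad input
    }
    return hash_equals($expected, $given);
}

// Constructed run: one image request, then two wrong submissions and the right one.
$single = [];
$code = captchaForImage($single);
$stale = $single;                 // same starting state for the original check
foreach (['wrong-1', 'wrong-2', $code] as $answer) {
    printf("%-8s original=%-5s single-use=%s\n",
        $answer === $code ? 'correct' : 'wrong',
        var_export(verifyStale($stale, ['captcha' => $answer]), true),
        var_export(verifySingleUse($single, ['captcha' => $answer]), true));
}
```

With the single-use check, even the correct answer on the third submission is rejected, because the first failed POST already consumed the code and no new image was requested.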