Post by BobHL » Thu Nov 24, 2011 8:46 pm

I use the latest version, v1.5.1.3. Glad to see a captcha on the Contact Us form. I also followed the instructions in this post to add a captcha to the registration form and all login forms:
ADD CAPTCHA to Registration in 1.5.1

Then I realised there is a security hole in this approach: OpenCart generates a captcha when "information/contact/captcha" is requested to display the image (so every time the page is refreshed, the captcha is changed), then it is stored in the session object. When the form is posted, it compares the input with the session value.

The problem is that a robot won't refresh the page, so the captcha won't get changed. Then it will try to post the forms with different captchas.

This potential issue can be improved by generating the captcha in each POST. Here are the details:
1. When "information/contact/captcha" is requested, if the session captcha value is null, generate one and store it in the session; otherwise just return the existing one.
2. In the POST method handler of each controller where a captcha is needed, regenerate the captcha and store it in the session for the next use.
Last edited by i2Paq on Fri Nov 25, 2011 3:22 am, edited 1 time in total.
Reason: Title adjusted

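The two steps proposed above, as an added stand-alone example (not OpenCart's own code): a plain PHP array stands in for $this->session->data, and the "weak" and "hardened" verify functions are hypothetical names for the original check and the regenerate-on-POST variant.

```php
<?php
// Added example, not part of the original post or of OpenCart.
// $session models $this->session->data; $post models $this->request->post.

function generateCaptcha(): string {
    // Six random digits, standing in for the text drawn into the image (constructed).
    return (string) random_int(100000, 999999);
}

// Original flow: the image handler rotates the value; the POST handler only compares.
function captchaImageHandler(array &$session): string {
    $session['captcha'] = generateCaptcha();
    return $session['captcha'];
}

function weakVerify(array &$session, array $post): bool {
    // The stored value is left untouched after a failed POST, so the same
    // session keeps the same captcha until the image is requested again.
    return isset($session['captcha'])
        && $session['captcha'] == ($post['captcha'] ?? null);
}

// Hardened flow (steps 1 and 2 above): the stored value is single-use.
function hardenedVerify(array &$session, array $post): bool {
    $expected = (string) ($session['captcha'] ?? '');
    // Rotate before comparing, so every POST is checked against a fresh value
    // and a wrong guess can never be retried against the old one.
    $session['captcha'] = generateCaptcha();
    return $expected !== ''
        && hash_equals($expected, (string) ($post['captcha'] ?? ''));
}

// Demonstration: one page render, then two failed POSTs without a refresh.
$session = [];
captchaImageHandler($session);
$first = $session['captcha'];

weakVerify($session, ['captcha' => 'wrong']);
var_dump($session['captcha'] === $first);      // true: same value still in session

hardenedVerify($session, ['captcha' => 'wrong']);
var_dump($session['captcha'] === $first);      // false: value replaced on POST
```

With the hardened handler, the image request in step 1 should only generate a value when none is stored yet, otherwise a refreshed image and the form would disagree.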

Post by Daniel » Thu Nov 24, 2011 9:08 pm

Not a security issue. Why can you not put a more fitting title like "captcha problem" in the title?

It does not give somebody access to hack someone's site!!!!


The worst thing that will happen is that you will receive an email!

OpenCart®
Project Owner & Developer.


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by Daniel » Thu Nov 24, 2011 9:10 pm

Just change

if (!isset($this->session->data['captcha']) || ($this->session->data['captcha'] != $this->request->post['captcha'])) {
    $this->error['captcha'] = $this->language->get('error_captcha');
}

to

if (empty($this->session->data['captcha']) || ($this->session->data['captcha'] != $this->request->post['captcha'])) {
    $this->error['captcha'] = $this->language->get('error_captcha');
}


Actually, I don't think this can be pulled off like you say.


Post by BobHL » Fri Nov 25, 2011 8:29 pm

I considered this a security issue because I applied it to the admin login form, as I said. Sorry if the title worried you!

RE: "the worst thing that will happen is that you will receive an email!"
If a robot can post the form once successfully, it can easily post 1 million times.


Post by Daniel » Fri Nov 25, 2011 9:30 pm

So you come up with an unlikely situation to justify posting a stupid title.

I have had contact forms with no captcha protection; they never got 1 million emails!


Post by Daniel » Fri Nov 25, 2011 9:37 pm

Also, your hack will not work because you would not get a null captcha stored in the session.


Post by d7a7z7e7d » Tue Nov 29, 2011 1:55 pm

@BobHL: So, if I'm understanding correctly, you are assuming that a robot would visit the contact page the first time (which would generate a captcha and store it in the session) and then subsequently fire off a huge number of POST requests trying to guess the captcha? And since the robot never refreshes the page and only fires off a POST, the captcha in the session that is used to compare against always remains the same? If this is what you mean, I think it hardly seems like an issue, since it could take millions of guesses before the robot ever succeeded in brute-forcing the captcha.

OpenCart Extensions, Technical Support & Custom Development | Have I helped you?
