Post by cozzmyn » Wed Jan 15, 2014 4:56 pm

Hi guys,

I'm new here, so I don't know if this is the right place to post, but here is my problem:

I have a website based on OpenCart 1.5.1.3. On every product page I have a form so customers can send inquiries. It's a simple form: 7 text inputs (company, email, etc.) and a send button. This form sends me an email with the data from those input fields.

Since yesterday I have been receiving emails every few minutes with random data like "YchqHvE0". I've tried two types of captcha (the native OpenCart captcha and the "google style captcha" extension). It passed both of them. Now I've set up reCAPTCHA and guess what? IT PASSES this one too :o

For now it's all being sent to a log file so the mailbox stays free, but I don't know what to do. I'm thinking of trying the honeypot method (a simple captcha hidden by CSS): if it gets completed, the form isn't sent. :)

Any idea would be appreciated.

Thank you!

Newbie

Posts

Joined
Wed Jan 15, 2014 4:28 pm

Post by ogun » Wed Jan 15, 2014 5:29 pm

Aye - a hidden form element/hidden captcha sounds like a good thing to add, but if the spam's gone through three methods already, are you sure the PHP is doing everything it should? It sounds like passing the captcha isn't required by whatever is actually handling the feedback form.

What happens if you test it by hand, does the captcha work? What happens if you write a little PHP script to just post everything the form is posting (minus the captcha or with some default value for the captcha) directly to whatever PHP is processing the form?

Active Member

Posts

Joined
Tue Aug 14, 2007 6:04 am

Post by cozzmyn » Wed Jan 15, 2014 7:04 pm

Hi ogun, and thanks for the quick reply!

At first I also thought that the PHP wasn't validating properly, but if I manually enter the values it doesn't pass unless the captcha is correct.

Here is how reCAPTCHA is implemented.

The form in product.tpl:

<?php
// reCAPTCHA (v1) widget rendered inside the inquiry form
require_once('system/library/recaptchalib.php');
$publickey = "changed this with my public key";
echo recaptcha_get_html($publickey);
?>
Here is the validation function in /catalog/controller/product/product.php

I've stripped everything to the bone and just log whether the captcha validation passed or not, plus the POST array.

<?php
private function validation() {
    require_once('system/library/recaptchalib.php');

    $privatekey = "my private key here";
    $resp = recaptcha_check_answer($privatekey,
        $_SERVER["REMOTE_ADDR"],
        $_POST["recaptcha_challenge_field"],
        $_POST["recaptcha_response_field"]);

    if (!$resp->is_valid) {
        // What happens when the CAPTCHA was entered incorrectly
        $log_text = 'Failed captcha validation:  ';
    } else {
        // Your code here to handle a successful verification
        $log_text = 'CAPTCHA VALIDATION SUCCESSFUL:  ';
    }

    // Log the verdict together with the whole POST array to spam.txt
    $this->load->library('log');
    foreach ($this->request->post as $k => $v) {
        $log_text .= $k . '=>' . $v . ',';
    }

    $log = new Log('spam.txt');
    $log->write($log_text);

    // Stripped for debugging: always accept, so every submission gets logged
    return TRUE;
}
?>
And this is what I get in the log file:

2014-01-15 12:49:25 - CAPTCHA VALIDATION SUCCESSFUL:
fax=>jvILLp95,
oras=>xTI97FYv03Y,
observatii=>Acabei de enviar um permriio e-mail para todos os incritos no curso ate9 agora. Se vocea ne3o recebeu o email, me avise (por aqui ou por email ),
telefon=>Kjpt2xGwOe,
nume=>Oynn2lxO45M8,
email=>wstewart@idahofallszoo.org,
compania=>dmhB1x4S,
recaptcha_response_field=>manual_challenge,
recaptcha_challenge_field=>03AHJ_VuszJKbmyVpIrSwQhoJWZeLLc8g7uNdox2XLAVMPj9wD9SdxHBmuluxRjEzldpk_hDxNu7Zz0AMRwCF34WbdpBh6zArzpjDWCz0yE0zRWEqSk954p3AXSJG3MdOvLCpqABc1sUSJ1kSDA7nFk2gLvbTmoXxtvA,

You can see that the captcha was passed, but the recaptcha_response_field still says manual_challenge. This is where the actual text from the captcha should be. If I enter it manually, recaptcha_response_field gets what I enter....

Thanks again for your time; I'm trying the hidden captcha solution now.

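The log above already contains two usable signals: the bot's recaptcha_response_field is "manual_challenge" rather than typed words, and five of the seven free-text fields hold random-looking mixed-case tokens. The script below is an added example, not code from the original post or from OpenCart. It parses lines in the shape written by the stripped validation() above (one line per write, "<date> <time> - <status>:  key=>value,key=>value,"; the line breaks in the quoted log are assumed to be forum wrapping) and flags entries showing either signal. The "random-looking token" rule is a heuristic written for this example, and the sample lines are constructed from the field names and values in the quoted log, not real traffic.

```php
<?php
// Added example: triage for the spam.txt lines written by the stripped validation().
// Assumed line format: "<date> <time> - <status>:  k=>v,k=>v,"
// Signals: recaptcha_response_field == "manual_challenge" (seen in the log above)
// and several free-text fields that look like random tokens (heuristic).

/** Parse one log line into ['time' => ..., 'status' => ..., 'fields' => [k => v]]. */
function parse_spam_line(string $line): ?array
{
    if (!preg_match('/^(\S+ \S+) - ([^:]+):\s*(.*)$/s', trim($line), $m)) {
        return null;
    }
    $fields = [];
    // A value may itself contain commas; split only where ',' is followed by "key=>".
    $re = '/([A-Za-z0-9_]+)=>(.*?)(?:,(?=[A-Za-z0-9_]+=>)|,?$)/s';
    if (preg_match_all($re, $m[3], $pairs, PREG_SET_ORDER)) {
        foreach ($pairs as $p) {
            $fields[$p[1]] = $p[2];
        }
    }
    return ['time' => $m[1], 'status' => $m[2], 'fields' => $fields];
}

/** Heuristic: 6-20 alphanumerics with lower case, upper case and a digit, no spaces. */
function looks_random(string $v): bool
{
    return (bool) preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{6,20}$/', $v);
}

/** Return the list of reasons an entry is suspicious (empty array = nothing found). */
function triage(array $entry): array
{
    $reasons = [];
    $f = $entry['fields'];
    if (($f['recaptcha_response_field'] ?? '') === 'manual_challenge') {
        $reasons[] = 'recaptcha_response_field is "manual_challenge", not typed words';
    }
    $random = 0;
    foreach ($f as $k => $v) {
        if (strpos($k, 'recaptcha_') === 0) {
            continue;   // the challenge token is random by design
        }
        if (looks_random($v)) {
            $random++;
        }
    }
    if ($random >= 3) {
        $reasons[] = $random . ' free-text fields look like random tokens';
    }
    return $reasons;
}

/** Self-check on two constructed lines: a bot-like entry and a human-like one. */
function triage_selftest(): array
{
    $lines = [
        '2014-01-15 12:49:25 - CAPTCHA VALIDATION SUCCESSFUL:  fax=>jvILLp95,oras=>xTI97FYv03Y,'
        . 'observatii=>hello, world,telefon=>Kjpt2xGwOe,nume=>Oynn2lxO45M8,email=>bot@example.com,'
        . 'compania=>dmhB1x4S,recaptcha_response_field=>manual_challenge,recaptcha_challenge_field=>03AHJ_Vu,',
        '2014-01-15 13:02:11 - CAPTCHA VALIDATION SUCCESSFUL:  fax=>,oras=>Cluj,'
        . 'observatii=>Do you ship to Romania?,telefon=>0040 123 456,nume=>Ion Popescu,'
        . 'email=>ion@example.com,compania=>Example SRL,recaptcha_response_field=>cases retention,'
        . 'recaptcha_challenge_field=>03AHJ_Vu,',
    ];
    $out = [];
    foreach ($lines as $line) {
        $e = parse_spam_line($line);
        $out[] = ($e === null) ? ['unparsed'] : triage($e);
    }
    return $out;
}

// Usage: php triage.php system/logs/spam.txt   (path is an assumption)
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $e = parse_spam_line($line);
        if ($e === null) {
            continue;
        }
        $r = triage($e);
        echo $e['time'], ' ', $r ? 'SUSPECT: ' . implode('; ', $r) : 'ok', "\n";
    }
} else {
    var_export(triage_selftest());
}
```

The first constructed line trips both rules; the second trips neither. The "manual_challenge" rule is only a correlation taken from this thread's log, so treat a hit as a reason to look at the entry, not as proof by itself.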

Post by cozzmyn » Wed Jan 15, 2014 8:19 pm

For now it seems the reverse psychology works. The bot fills in the captcha and no email is sent, but humans don't see the captcha, so the form gets through. :)

Still, I can't figure out why reCAPTCHA failed. I think they are manually solving those captchas.

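The honeypot that worked for the poster relies on the bot filling every text input it finds. Below is an added example of how to do that server-side in a way that does not depend on the CAPTCHA at all: a CSS-hidden trap field plus a render timestamp signed with an HMAC, checked before recaptcha_check_answer() runs. This is not OpenCart code and not the poster's code; the field names (website, form_ts, form_sig, email), the secret, the thresholds and the integration points named in the comments are assumptions for this example.

```php
<?php
// Added example, not OpenCart code: honeypot + signed render timestamp for the
// product-page inquiry form. Call honeypot_html() from product.tpl and
// spam_reason() at the top of validation(), before the reCAPTCHA check.
// Field names, secret and thresholds are assumptions for this example.

const HONEYPOT_FIELD   = 'website';   // hidden from humans by CSS, attractive to bots
const MIN_FILL_SECONDS = 3;           // faster than this is not a person typing 7 fields
const MAX_FORM_AGE     = 86400;       // reject render tokens older than a day

/** Sign the render timestamp so a bot cannot supply its own form_ts. */
function form_signature(int $ts, string $secret): string
{
    return hash_hmac('sha256', (string) $ts, $secret);
}

/**
 * Markup to place next to the real inputs. The trap is moved off-screen rather
 * than given type="hidden": simple bots skip hidden inputs but fill every text
 * input they see. tabindex/autocomplete keep keyboard users and browsers out of it.
 */
function honeypot_html(int $now, string $secret): string
{
    $name = htmlspecialchars(HONEYPOT_FIELD, ENT_QUOTES, 'UTF-8');
    $sig  = form_signature($now, $secret);
    return '<div style="position:absolute;left:-9999px;width:1px;height:1px;overflow:hidden" aria-hidden="true">'
         . '<label>Leave this empty <input type="text" name="' . $name . '" value="" tabindex="-1" autocomplete="off"></label>'
         . '</div>'
         . '<input type="hidden" name="form_ts" value="' . $now . '">'
         . '<input type="hidden" name="form_sig" value="' . $sig . '">';
}

/**
 * Decide whether a POST array should be dropped. Returns null for a plausible
 * human submission, otherwise a short reason suitable for the spam log.
 * $post is the raw request array ($this->request->post in OpenCart 1.5).
 */
function spam_reason(array $post, int $now, string $secret): ?string
{
    // 1. Honeypot: a real visitor never sees the field, so any value means a bot.
    if (($post[HONEYPOT_FIELD] ?? '') !== '') {
        return 'honeypot filled';
    }
    // 2. Signed timestamp: refuse forged or missing tokens (constant-time compare).
    $ts  = (int) ($post['form_ts'] ?? 0);
    $sig = (string) ($post['form_sig'] ?? '');
    if (!hash_equals(form_signature($ts, $secret), $sig)) {
        return 'bad form signature';
    }
    // 3. Timing: too fast is a script, too old is a replayed token.
    $age = $now - $ts;
    if ($age < MIN_FILL_SECONDS) {
        return 'submitted too fast';
    }
    if ($age > MAX_FORM_AGE) {
        return 'form token expired';
    }
    // 4. Syntax check on the one field with a well-defined format.
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        return 'invalid email';
    }
    return null;   // nothing suspicious: continue with the reCAPTCHA check
}

/** Self-check with constructed submissions (no real traffic). */
function honeypot_selftest(): array
{
    $secret   = 'example-secret-load-from-config';   // assumption: never hard-code in production
    $rendered = 1389790000;                           // when the page was served
    $sig      = form_signature($rendered, $secret);
    $human  = ['company' => 'Example SRL', 'email' => 'buyer@example.com',
               HONEYPOT_FIELD => '', 'form_ts' => $rendered, 'form_sig' => $sig];
    $bot    = [HONEYPOT_FIELD => 'http://spam.example'] + $human;   // left side wins in PHP's array union
    $forged = ['form_ts' => $rendered - 100] + $human;             // timestamp changed, signature not
    return [
        'human'  => spam_reason($human,  $rendered + 20, $secret),
        'bot'    => spam_reason($bot,    $rendered + 20, $secret),
        'fast'   => spam_reason($human,  $rendered + 1,  $secret),
        'forged' => spam_reason($forged, $rendered + 20, $secret),
    ];
}

// Usage: php honeypot.php
var_export(honeypot_selftest());
```

In the controller, the integration is a single call at the top of validation(): pass $this->request->post, time() and the secret to spam_reason(), log the reason and return FALSE when it is non-null, and only then call recaptcha_check_answer(). One caveat that follows from the thread itself: if the CAPTCHAs really are being solved by people, the honeypot only stops the automated form filler, which the random tokens in every field of the logged entry suggest is what is doing the submitting; a human operator typing into the visible fields would sail past it.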