Re: [PHP] Re: My own "captcha" from 2 years ago......

2007-03-26 Thread tedd

At 2:53 PM -0500 3/26/07, Richard Lynch wrote:

If the code is embedded in the audio filename, or as part of the HTML,
the CAPTCHA itself is kinda useless to a serious attack.  The attacker
will simply read the code from the HTML/URL

I have not finished with the blind testing of my audio Captcha, so I 
would rather not show an example at the moment. But the sound file is 
assembled "on the fly" and always has the same name -- so, reading 
the file "access.mp3" doesn't tell the hacker anything.


The key is in sessions and as such is relatively safe. Communication 
between application and Captcha contains a confirmable unique token. 
I think the technique is pretty secure.



You need the secret code to never actually leave your server for it to
stay secret.

That said, CAPTCHA can usually be broken by OCR by a serious attacker,
though that takes a little longer than simply reading the code from
HTML.

Presumably somebody somewhere could (or already has) hook up voice
recognition to an audio CAPTCHA and defeat that as well.


Well, for that matter, a hacker could hire cheap labor to read or listen to it.

The point is to make it difficult for bots to get to it. Anything a 
computer can create, another computer can interpret. The 
technology lag between one and the other is always only temporary, and 
therein lies some temporary relief.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Re: My own "captcha" from 2 years ago......

2007-03-26 Thread Jake McHenry
Refresh was at 1 sec... Cause I was just playing with the images... And I
just figured it out... And responded to the list... But again... I had it
working the entire time, but I didn't have a form to submit something to
compare it to, which when I do that, it works, but it will never echo out
what is currently in the pic 

> -Original Message-
> From: Richard Lynch [mailto:[EMAIL PROTECTED] 
> Sent: Monday, March 26, 2007 3:49 PM
> To: Jake McHenry
> Cc: 'itoctopus'; php-general@lists.php.net
> Subject: RE: [PHP] Re: My own "captcha" from 2 years ago..
> 
> On Sat, March 24, 2007 11:00 pm, Jake McHenry wrote:
> > Index.php
> > <?php
> > session_start();
> > header("Refresh: 1");
> 
> I dunno what the heck the "Refresh" header is, but it would not shock
> me in the least that your sessions are getting "lost" because your
> browser does the refresh before it processes the cookie that maintains
> session state.
> 
> A few zillion PHP CAPTCHA implementations use $_SESSION, so it's got
> to be you messing up somewhere. :-)
> 
> -- 
> Some people have a "gift" link here.
> Know what I want?
> I want you to buy a CD from some indie artist.
> http://cdbaby.com/browse/from/lynch
> Yeah, I get a buck. So?
> 
> -- 
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.5.446 / Virus Database: 268.18.18/733 - Release 
> Date: 3/25/2007 11:07 AM
>  
> 





Re: [PHP] Re: My own "captcha" from 2 years ago......

2007-03-26 Thread Richard Lynch
If the code is embedded in the audio filename, or as part of the HTML,
the CAPTCHA itself is kinda useless to a serious attack.  The attacker
will simply read the code from the HTML/URL

You need the secret code to never actually leave your server for it to
stay secret.

That said, CAPTCHA can usually be broken by OCR by a serious attacker,
though that takes a little longer than simply reading the code from
HTML.

Presumably somebody somewhere could (or already has) hook up voice
recognition to an audio CAPTCHA and defeat that as well.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




RE: [PHP] Re: My own "captcha" from 2 years ago......

2007-03-26 Thread Richard Lynch
On Sat, March 24, 2007 11:00 pm, Jake McHenry wrote:
> Index.php
> <?php
> session_start();
> header("Refresh: 1");

I dunno what the heck the "Refresh" header is, but it would not shock
me in the least that your sessions are getting "lost" because your
browser does the refresh before it processes the cookie that maintains
session state.

A few zillion PHP CAPTCHA implementations use $_SESSION, so it's got
to be you messing up somewhere. :-)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Re: My own "captcha" from 2 years ago......

2007-03-25 Thread tedd

At 5:05 PM +0200 3/25/07, Dotan Cohen wrote:

On 25/03/07, tedd <[EMAIL PROTECTED]> wrote:

What about an audio Captcha?

Your thoughts?

tedd


I do a lot of my browsing at the university library. I can't have any
sound being made there each time I must enter a captcha. Don't use
audio, or provide an alternative.

Dotan Cohen


Dotan:

I understand. There are all sorts of reasons why you want to provide 
more than just one form of captcha IF you're going to use something 
like that (sighted, blind, deaf, deaf-blind, dyslexic, and so on). 
And, there are all sorts of captchas that can be navigated by most.


I was mainly interested in Tijnema's comments regarding sending the 
key for a captcha and how it could be cracked.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Re: My own "captcha" from 2 years ago......

2007-03-25 Thread Dotan Cohen

On 25/03/07, tedd <[EMAIL PROTECTED]> wrote:

What about an audio Captcha?

Your thoughts?

tedd


I do a lot of my browsing at the university library. I can't have any
sound being made there each time I must enter a captcha. Don't use
audio, or provide an alternative.

Dotan Cohen

http://lyricslist.com/lyrics/artist_albums/52/bad_english.html
http://what-is-what.com/what_is/html.html




Re: [PHP] Re: My own "captcha" from 2 years ago......

2007-03-25 Thread tedd

This is btw not a very useful CAPTCHA, because it should stop
computers from submitting data, but a moderately smart programmer
knows that he has to get the session information from the image and
submit that to the form. Or what I saw used lately by a cracker: he
was just using his own values in session and post, and so they matched
:)
So you should never send the same code as the code that has to be
entered. Even encrypting with MD5 only won't stop hackers from defeating
your script. Maybe you could use a database with this, so that you
pass a reference to the real number shown. So that you have an ID and
a CODE column. In rnum1.php you store the code into the database and
get the ID of the last one inserted (a discussion about this was
around this list lately). Then you show the code in an image, and you
store the ID in the session. Then you get the ID from the session, then
get the code from the database using the ID and compare it to the one
entered in the form.

Tijnema



What about an audio Captcha?

Your thoughts?

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Re: My own "captcha" from 2 years ago......

2007-03-25 Thread Tijnema !

On 3/25/07, Jake McHenry <[EMAIL PROTECTED]> wrote:

 Sorry.. Was playing around with dates and how long I've been sitting
here watching this generate random numbers. Lol .. The only lines
referring to the "captcha" are the img lines... As you can tell... Calling
the next script... Should I do it this way? I'm pretty sure that is the
problem, cause the session variable is being created and set in that second
script which is called  Session[security_code] is created in rnum1.php,
and session[code] is created in rnum2.php... Which I didn't include here...
But is the same concept only bigger.

Index.php
<?php
session_start();
header("Refresh: 1");
$before = $_SESSION['security_code'];
// The opening of this listing, from <?php to the img tags, was lost in
// extraction. header() is taken from Richard Lynch's quote of it; the two
// img tags are inferred from the description above (script names assumed).
echo "<img src=\"rnum1.php\"><img src=\"rnum2.php\">";

$after = $_SESSION['security_code'];

if (!isset($_SESSION['start_time']))
{
 $_SESSION['start_time'] = time();
}
// set on every load: the original only set it in an else branch, so the
// first load used an undefined current_time below
$_SESSION['current_time'] = time();

$running_time = mktime(
 date("H", $_SESSION['current_time']) - date("H", $_SESSION['start_time']),
 date("i", $_SESSION['current_time']) - date("i", $_SESSION['start_time']),
 date("s", $_SESSION['current_time']) - date("s", $_SESSION['start_time']),
 date("m", $_SESSION['start_time']),
 date("d", $_SESSION['start_time']),
 date("Y", $_SESSION['start_time'])
);

echo 'Before: ' . $before . ' After: ' . $after . ' Time: ' .
 date("H:i:s m-d-Y", $running_time) . '<br>' . // tag between Time and code assumed
 $_SESSION['code'];

?>




Rnum1.php




I believe the way this script behaves is quite normal. Look at the way
the scripts are called. First index.php, then rnum1.php and then
rnum2.php.
First index.php is called and all session variables are posted with
that action. Then rnum1.php is called, and the session variables are
edited. Then rnum2.php is called, session variables are edited again,
but index.php is never called again, and so the session variables are
never sent to the script, until you load the script again.
So if you're implementing this in a POST form, the browser should
submit both POST and the right session variables to your parse script.

Example code which works :)

index.php:
";
echo "";
?>

parse.php:


This is btw not a very useful CAPTCHA, because it should stop
computers from submitting data, but a moderately smart programmer
knows that he has to get the session information from the image and
submit that to the form. Or what I saw used lately by a cracker: he
was just using his own values in session and post, and so they matched
:)
So you should never send the same code as the code that has to be
entered. Even encrypting with MD5 only won't stop hackers from defeating
your script. Maybe you could use a database with this, so that you
pass a reference to the real number shown. So that you have an ID and
a CODE column. In rnum1.php you store the code into the database and
get the ID of the last one inserted (a discussion about this was
around this list lately). Then you show the code in an image, and you
store the ID in the session. Then you get the ID from the session, then
get the code from the database using the ID and compare it to the one
entered in the form.

Tijnema





> -Original Message-
> From: itoctopus [mailto:[EMAIL PROTECTED]
> Sent: Sunday, March 25, 2007 12:49 AM
> To: php-general@lists.php.net
> Subject: [PHP] Re: My own "captcha" from 2 years ago..
>
> Hey Jake,
> I checked the thing, and I tell you I did lots and lots of
> captchas in my
> life and they mainly rely on the session.
> Is it possible for you to post the script so that me (or
> anyone else for
> that matter) fix it for you?
>
> Take care,
>
> --
> itoctopus - http://www.itoctopus.com
> ""Jake McHenry"" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > Well, I've been creating my own... Since like two years
> ago... Lol.. But
> > this is the KNOWN name now. Anyways... How can I get
> the info from the
> > image creation script back to my main script? Sessions DO
> NOT WORK! They
> > give me the previous entry instead of the current.. Which
> obviously won't
> > work... This was on the back burner for a long time, but my
> boss said
> .
> > Oh wow.. That looks cool... And I told him I had started it
> a long time
> > ago.. But never finished it cause he told me to work on
> something else...
> > Anyways... U can see what I mean http://nittanytravel.com:8080/
> >
> > The numbers surrounding the images displayed are session
> values created in
> > the image scripts...which as you will see are the previous
> value It
> may
> > be a simple fix.. But once again... I'm tired... And had
> one too many long
> > island iced teas tonight to think about this. And
> yes... My boss works
> > me even on saturdays after happy hour :(
> >
> >
> > Thanks,
> > Jake
> >
> >
> >
>
>
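The server-side flow Tijnema describes above, and what Richard Lynch's "the secret code must never leave your server" comes down to in practice, as an added example. This is not code from anyone in this thread; it is one PHP file that plays the roles of Jake's index.php, rnum1.php and parse.php. It keeps the answer in $_SESSION rather than in Tijnema's ID/CODE table (same idea, with the session store standing in for the table), and it generates the challenge on the page request, before the browser fetches the image, which is the ordering Jake's scripts get wrong. Assumes PHP 7 or later (random_int, hash_equals) and ext/gd; the ?action=image dispatch, the function and field names and the 300-second lifetime are my own choices, not anything from the thread.

```php
<?php
// Added example, not code from the thread. One file standing in for
// index.php, rnum1.php and parse.php: the answer is generated here, kept
// only in $_SESSION, drawn by the image handler from the session, and
// compared on POST. It never appears in a URL, a filename, a hidden field
// or the HTML. Assumes PHP 7+ (random_int, hash_equals) and ext/gd.
declare(strict_types=1);

const CAPTCHA_TTL = 300; // seconds a challenge stays valid (my choice)
const CAPTCHA_LEN = 6;

session_start();

// Create a fresh challenge and store it server-side. Nothing is returned
// to the client; the only thing the browser will see is the image.
function captcha_new(): void
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I
    $code = '';
    for ($i = 0; $i < CAPTCHA_LEN; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['captcha'] = ['code' => $code, 'expires' => time() + CAPTCHA_TTL];
}

// Compare the submitted answer with the stored one. The stored challenge
// is dropped before comparing, right or wrong, so one image can only be
// answered once and cannot be brute-forced by resubmitting the form.
function captcha_verify(string $answer): bool
{
    $c = $_SESSION['captcha'] ?? null;
    unset($_SESSION['captcha']);
    if ($c === null || time() > $c['expires']) {
        return false;
    }
    return hash_equals($c['code'], strtoupper(trim($answer)));
}

// Render the stored code as a PNG. Note what is absent: no ?code= parameter
// to read, nothing client-supplied. The URL is always the same, which tells
// the client nothing (the property tedd relies on with his fixed audio
// filename).
function captcha_image(): void
{
    $code = $_SESSION['captcha']['code'] ?? '';
    if ($code === '') {
        http_response_code(404);
        return;
    }
    $im  = imagecreatetruecolor(160, 50);
    $bg  = imagecolorallocate($im, 255, 255, 255);
    $ink = imagecolorallocate($im, 0, 0, 0);
    imagefilledrectangle($im, 0, 0, 159, 49, $bg);
    for ($i = 0; $i < 200; $i++) {                 // pixel noise
        imagesetpixel($im, random_int(0, 159), random_int(0, 49), $ink);
    }
    for ($i = 0; $i < strlen($code); $i++) {       // jittered glyph positions
        imagechar($im, 5, 12 + $i * 24, random_int(8, 30), $code[$i], $ink);
    }
    header('Content-Type: image/png');
    header('Cache-Control: no-store'); // a cached image would outlive its challenge
    imagepng($im);
    imagedestroy($im);
}

// Dispatcher so the whole flow lives in one script.
$action = $_GET['action'] ?? '';
if ($action === 'image') {
    captcha_image();
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo captcha_verify($_POST['answer'] ?? '') ? 'OK' : 'Wrong or expired';
} else {
    captcha_new(); // before the <img> is fetched, so the image shows this challenge
    echo '<form method="post">'
       . '<img src="?action=image" alt="CAPTCHA"> '
       . '<input name="answer" autocomplete="off"> '
       . '<button type="submit">Submit</button>'
       . '</form>';
}
```

Against the attack Tijnema saw, the cracker can still choose his session cookie and his POST body, but the value that cookie maps to is written only by captcha_new() on the server, so "his own values in session and post" cannot be made to match any more; the only place the answer ever exists outside the server is as pixels. hash_equals() keeps the comparison constant-time, and unsetting the challenge before comparing makes each image answerable exactly once. The OCR and speech-recognition point Richard raises is untouched by any of this: the noise and jitter here only raise the cost of automated reading, they do not remove it.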

RE: [PHP] Re: My own "captcha" from 2 years ago......

2007-03-24 Thread Jake McHenry
 Sorry.. Was playing around with dates and how long I've been sitting
here watching this generate random numbers. Lol .. The only lines
referring to the "captcha" are the img lines... As you can tell... Calling
the next script... Should I do it this way? I'm pretty sure that is the
problem, cause the session variable is being created and set in that second
script which is called  Session[security_code] is created in rnum1.php,
and session[code] is created in rnum2.php... Which I didn't include here...
But is the same concept only bigger.

Index.php
<?php
session_start();
header("Refresh: 1");
$before = $_SESSION['security_code'];
// The opening of this listing, from <?php to the img tags, was lost in
// extraction. header() is taken from Richard Lynch's quote of it; the two
// img tags are inferred from the description above (script names assumed).
echo "<img src=\"rnum1.php\"><img src=\"rnum2.php\">";

$after = $_SESSION['security_code'];

if (!isset($_SESSION['start_time']))
{
  $_SESSION['start_time'] = time();
}
// set on every load: the original only set it in an else branch, so the
// first load used an undefined current_time below
$_SESSION['current_time'] = time();

$running_time = mktime(
  date("H", $_SESSION['current_time']) - date("H", $_SESSION['start_time']),
  date("i", $_SESSION['current_time']) - date("i", $_SESSION['start_time']),
  date("s", $_SESSION['current_time']) - date("s", $_SESSION['start_time']),
  date("m", $_SESSION['start_time']),
  date("d", $_SESSION['start_time']),
  date("Y", $_SESSION['start_time'])
);

echo 'Before: ' . $before . ' After: ' . $after . ' Time: ' .
  date("H:i:s m-d-Y", $running_time) . '<br>' . // tag between Time and code assumed
  $_SESSION['code'];

?>




Rnum1.php












> -Original Message-
> From: itoctopus [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, March 25, 2007 12:49 AM
> To: php-general@lists.php.net
> Subject: [PHP] Re: My own "captcha" from 2 years ago..
> 
> Hey Jake,
> I checked the thing, and I tell you I did lots and lots of 
> captchas in my
> life and they mainly rely on the session.
> Is it possible for you to post the script so that me (or 
> anyone else for
> that matter) fix it for you?
> 
> Take care,
> 
> --
> itoctopus - http://www.itoctopus.com
> ""Jake McHenry"" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > Well, I've been creating my own... Since like two years 
> ago... Lol.. But
> > this is the KNOWN name now. Anyways... How can I get 
> the info from the
> > image creation script back to my main script? Sessions DO 
> NOT WORK! They
> > give me the previous entry instead of the current.. Which 
> obviously won't
> > work... This was on the back burner for a long time, but my 
> boss said
> .
> > Oh wow.. That looks cool... And I told him I had started it 
> a long time
> > ago.. But never finished it cause he told me to work on 
> something else...
> > Anyways... U can see what I mean http://nittanytravel.com:8080/
> >
> > The numbers surrounding the images displayed are session 
> values created in
> > the image scripts...which as you will see are the previous 
> value It
> may
> > be a simple fix.. But once again... I'm tired... And had 
> one too many long
> > island iced teas tonight to think about this. And 
> yes... My boss works
> > me even on saturdays after happy hour :(
> >
> >
> > Thanks,
> > Jake
> >
> >
> >
> 
> 
> 

