Re: [PHP] if http_referer is not reliable then how do we ...
Captchas can't hold off any decently smart robots; anyone doing their research can find at least 3 tools that will defeat various captchas. For example PWNtcha is one, and Dan Kaminsky did a talk at Black Hat and DEF CON 16 on pwning audio captchas (and a lot of even good ones will offer audio as an option). Bottom line is captchas don't really hold off determined robots.

As far as referrer goes: yes, it can be easily spoofed; no, there is no really built-in way to test it; yes, the script can still be made pretty secure. But here are two ways I can think of to help prevent bots from taking over your email script (ideally use them together):

1. Tokenize your URL. Build a token based on the http_referrer amongst other things, just make sure you use something that would identify a normal user consistently, and, say, only allow one token 5 emails a day. When referrer and token don't match, don't send an email. Use a strong hash algorithm, like SHA, to generate the token, and salt it, and add something at every level. For example, use http_referrer for the user piece, some random string of 32 characters hard coded into your script, and if you touch a DB, something you pull from your db when you validate the email (not the email itself, something randomly generated when that email was added). This way, having even 2 bits of information, you still can't reverse the hashes. Note: do not use a random value, you want a consistent hash that you can check.

2. Set a timeout for your script, that is, pause your server side script for 10 seconds before sending an email, and pop back a confirmation before actually sending the email after that (use a session to make sure they are not bypassing that bit). This forces any script to confirm their action, meaning they will have to execute for at least 10 seconds, meaning that they can only send 10 emails a minute, and for anyone who wants to do mass spamming with your script, that's unacceptable.

By the way, don't set this time in JS; set up an AJAX request that actually needs data that gets pulled from the server to continue (like a secret random password stored in the session), just a simple time-out won't solve the issue. Both used together should provide for a good way to stop any useful spamming done with your script.

~ Alex

--
The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
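The two measures above, written out as an added example (this is not code from the post or from any project discussed in the thread). It issues a form token bound to the session and the referring page, enforces a per-token daily send limit, and refuses sends that arrive less than 10 seconds after the form was rendered. It uses hash_hmac() with a server-side secret in place of the post's "SHA plus salt" construction, and a plain array stands in for the database row that would hold the counters. The constant names, the limits, the recipient address and the sample session id and referrer are all assumptions; in a real handler the referrer would be `$_SERVER['HTTP_REFERER'] ?? ''`, and a browser that strips Referer will fail the match, which is what the post asks for.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Tokenized mail form with a
// per-token daily limit and a mandatory delay before the send is accepted.
// hash_hmac() with a server secret replaces the post's "sha + salt" idea.
// All names, limits and the array used as a counter store are assumptions.

const FORM_SECRET = 'replace-with-output-of-bin2hex(random_bytes(32))'; // assumed; never sent to the client
const MAX_PER_DAY = 5;     // sends per token per day
const MIN_DELAY   = 10;    // seconds that must pass between form render and send
const MAX_AGE     = 86400; // tokens older than a day are rejected
const MAIL_TO     = 'contact@example.com'; // recipient from config, never from the request

// Called when the form is rendered. The token is nonce.issued.mac; the MAC
// covers the session id, the page that will submit the form and the issue
// time, so a client cannot mint a token or move one to another session.
function issue_form_token(string $sessionId, string $referer, int $now): string
{
    $nonce = bin2hex(random_bytes(16));
    $mac   = hash_hmac('sha256', "$sessionId|$referer|$now|$nonce", FORM_SECRET);
    return "$nonce.$now.$mac";
}

// Called on submit. $counters is the per-token send store (a DB row in
// practice). Returns null when the mail may be sent, otherwise the reason.
function check_form_token(string $token, string $sessionId, string $referer,
                          int $now, array &$counters): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3
        || !preg_match('/^[0-9a-f]{32}$/', $parts[0])
        || !preg_match('/^\d{1,10}$/', $parts[1])) {
        return 'malformed token';
    }
    [$nonce, $issuedStr, $mac] = $parts;
    $issued   = (int) $issuedStr;
    $expected = hash_hmac('sha256', "$sessionId|$referer|$issued|$nonce", FORM_SECRET);
    if (!hash_equals($expected, $mac)) {
        return 'token does not match session/referrer'; // forged, or referrer changed
    }
    if ($now - $issued < MIN_DELAY) {
        return 'too fast: wait ' . (MIN_DELAY - ($now - $issued)) . 's';
    }
    if ($now - $issued > MAX_AGE) {
        return 'token expired';
    }
    $day  = intdiv($now, 86400);
    $used = $counters[$nonce][$day] ?? 0;
    if ($used >= MAX_PER_DAY) {
        return 'daily limit reached for this token';
    }
    $counters[$nonce][$day] = $used + 1;
    return null; // caller now does mail(MAIL_TO, ...)
}

// CLI demo with a constructed session id, referrer and clock.
if (PHP_SAPI === 'cli') {
    $counters  = [];
    $sessionId = bin2hex(random_bytes(16));
    $referer   = 'https://www.example.com/contact.php';
    $t0        = 1700000000;
    $token     = issue_form_token($sessionId, $referer, $t0);

    var_dump(check_form_token($token, $sessionId, $referer, $t0 + 2, $counters));                   // "too fast ..."
    var_dump(check_form_token($token, $sessionId, 'https://evil.example/', $t0 + 20, $counters));  // mismatch
    for ($i = 1; $i <= MAX_PER_DAY + 1; $i++) {
        $r = check_form_token($token, $sessionId, $referer, $t0 + 20 + $i, $counters);
        echo "send #$i: ", ($r === null ? 'allowed' : "blocked ($r)"), "\n";      // 5 allowed, then blocked
    }
}
```

The delay check is the server-side half of the post's second measure: the client cannot shorten it because the issue time is inside the MAC, and the session id in the MAC is what stops one client from replaying another's token.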
[PHP] pcntl_fork, catching STDOUT of child?
Hello,

PHP noob here. I've been working on writing a script (command-line) that forks a number of children to do various tasks. I've been using pcntl_waitpid inside a loop to wait for the children to exit, act on the results, and fork another copy of the child. Where I seem to be running into trouble is in managing communication between child and parent, so that the parent has an indication of the result inside the child.

In the past, I've done this in Perl using something along the lines of:

    open(FILEHANDLE,"-|");

In Perl, this has the effect of forking the process and attaching the STDOUT of the child to FILEHANDLE on the parent. Thus, when the child exits, I read FILEHANDLE to get the output from the child.

Is there a similar way of achieving a similar result in PHP? Am I crazy? So far, I have tried to communicate between the processes using sockets (socket_create_pair). However, this seems to be a dead-end; I get a "connection reset by peer" when I try to socket_read() from the parent. I assume this is because the socket is closed by the exit of the child.

Any insight or criticism is appreciated.

--
Thomas Johnson
ClaimLynx, Inc. 952-593-5969 x2302
Re: [PHP] if http_referer is not reliable then how do we ...
On Tue, Jan 17, 2012 at 2:34 AM, ma...@behnke.biz wrote:
> You should not write the recipient's email address in a hidden form, but
> instead read it from a config file. This way you can make sure that no one
> alters it. Although this won't stop anyone from using the mailform.

Cannot emphasize this enough -- don't allow anyone to submit the destination addresses to your script.
Re: [PHP] sessions and expirations and isolations
On Tue, Jan 17, 2012 at 5:17 PM, Haluk Karamete wrote:
> This brings the question to the following;
> WHEN DOES THE SERVER KNOW THAT A USER IS REALLY GONE OR HE CLOSED HIS BROWSER?

Just addressing this question -- you are correct that the browser does not tell the application when it closes. What *does* happen is that the cookie associated with that browser session is destroyed or nullified, thus when the user reopens their browser and opens the application again, there won't be a session cookie sent to the application on start. As explained above, this has nothing to do with how long the session data may be stored on the server; it just won't be accessed if the browser has been closed in the meantime.
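Since the server never learns that a browser closed, the expiry that matters has to be enforced from timestamps the application keeps in the session itself. The following is an added example (not code from the thread) of that check together with the two ini settings the reply distinguishes: session.cookie_lifetime (when the browser drops the cookie) versus session.gc_maxlifetime (when the server-side data becomes eligible for garbage collection). The limits are assumptions, and a plain array stands in for $_SESSION so the function can be exercised from the CLI.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Server-side session expiry that does
// not depend on the browser telling us anything. Limits are assumptions.

const IDLE_LIMIT     = 900;   // seconds without a request before the session is dead
const ABSOLUTE_LIMIT = 28800; // hard cap from first request, regardless of activity

// Call at the start of every request, after session_start(). Returns true
// when the session may continue (and refreshes its activity stamp); false
// means destroy it and send the user back to login.
function session_still_valid(array &$sess, int $now): bool
{
    if (!isset($sess['started'], $sess['last_seen'])) {
        // Fresh session: stamp it. The caller should also call
        // session_regenerate_id(true) here so a pre-set id is not kept.
        $sess['started']   = $now;
        $sess['last_seen'] = $now;
        return true;
    }
    if ($now - $sess['last_seen'] > IDLE_LIMIT
        || $now - $sess['started'] > ABSOLUTE_LIMIT) {
        return false;
    }
    $sess['last_seen'] = $now;
    return true;
}

if (PHP_SAPI === 'cli') {
    // cookie_lifetime 0: the browser discards the cookie when it closes.
    // gc_maxlifetime: when the server-side data may be collected; collection
    // is probabilistic, so it is not a substitute for the check above.
    ini_set('session.cookie_lifetime', '0');
    ini_set('session.gc_maxlifetime', (string) ABSOLUTE_LIMIT);
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_strict_mode', '1'); // reject ids the server did not issue

    $sess = [];
    $t    = 1700000000; // constructed clock
    var_dump(session_still_valid($sess, $t));             // true: new session
    var_dump(session_still_valid($sess, $t + 600));       // true: 600s idle, under limit
    var_dump(session_still_valid($sess, $t + 600 + 901)); // false: 901s idle since last request
}
```

On a false result the handler should clear $_SESSION, call session_destroy(), and expire the cookie; leaving the data in place until garbage collection runs means a stolen cookie keeps working for longer than the user was ever present.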
[PHP] which server variables from this list can be spoofed?
I marked those I already know as "can":

$_SERVER['REMOTE_ADDR']      CAN
$_SERVER['HTTP_REFERER']     CAN
$_SERVER['HTTP_USER_AGENT']  CAN
$_SERVER['REQUEST_URI']      CAN (because it contains the query string part and the user/hacker can easily change that)

Those I'm not too sure about are as follows:

$_SERVER['SERVER_NAME']
$_SERVER['DOCUMENT_ROOT']
$_SERVER['SCRIPT_NAME']
$_SERVER['PHP_SELF']
Re: [PHP] which server variables from this list can be spoofed?
On Fri, Jan 20, 2012 at 10:07 AM, Haluk Karamete wrote:
> I marked those I already know as "can",
>
> $_SERVER['REMOTE_ADDR'] CAN
> $_SERVER['HTTP_REFERER'] CAN
> $_SERVER['HTTP_USER_AGENT'] CAN
> $_SERVER['REQUEST_URI'] CAN ( cause it contains the query string
> part and user/hacker can easily change that )
>
> Those I'm not too sure are as follows;
>
> $_SERVER['SERVER_NAME']
> $_SERVER['DOCUMENT_ROOT']
> $_SERVER['SCRIPT_NAME']
> $_SERVER['PHP_SELF']

All of 'em. However, SERVER_NAME, DOCUMENT_ROOT, and SCRIPT_NAME come from the server, so it would have to be whoever controls the server doing the spoofing. PHP_SELF could probably be faked in the code if done creatively. Naturally, no one would try to do this intentionally, but I wonder if something mischievous could be done with this if code was included from an external source.

--
Ghodmode
http://www.ghodmode.com/blog
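An added example (not code from either post) that walks the list above with a constructed $_SERVER snapshot instead of a live request. The point it adds is the one PHP_SELF deserves: it is SCRIPT_NAME with the request's PATH_INFO appended, so for a request to `/form.php/"><script>alert(1)</script>` the client's bytes land in PHP_SELF even though SCRIPT_NAME stays clean, and the common `<form action="<?= $_SERVER['PHP_SELF'] ?>">` pattern becomes reflected XSS. SERVER_NAME is listed as configuration, with the caveat that Apache copies it from the client's Host header unless UseCanonicalName is on. The sample values, the IP address and the hostnames are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Classifies the $_SERVER keys from the
// question by who controls them, and shows the PHP_SELF problem concretely.
// The request snapshot below is constructed, not captured.

// Snapshot for: GET /form.php/"><script>alert(1)</script>?x=1
$request = [
    'REMOTE_ADDR'     => '203.0.113.7',                // TCP peer address, set by the server
    'HTTP_REFERER'    => 'https://attacker.example/',  // request header, copied verbatim
    'HTTP_USER_AGENT' => 'curl/7.0',                   // request header, copied verbatim
    'REQUEST_URI'     => '/form.php/"><script>alert(1)</script>?x=1',
    'SERVER_NAME'     => 'www.example.com',            // config, or Host header if UseCanonicalName is off
    'DOCUMENT_ROOT'   => '/var/www/html',              // server config
    'SCRIPT_NAME'     => '/form.php',                  // path of the script that actually ran
    'PHP_SELF'        => '/form.php/"><script>alert(1)</script>', // SCRIPT_NAME . PATH_INFO
];

// Who controls a given key. HTTP_* keys are request headers; several
// "server" keys still carry pieces of the client-supplied path or query.
function server_var_origin(string $key): string
{
    if (strpos($key, 'HTTP_') === 0) {
        return 'client header';
    }
    switch ($key) {
        case 'REQUEST_URI':
        case 'PHP_SELF':
        case 'PATH_INFO':
        case 'QUERY_STRING':
            return 'contains client-supplied path/query';
        case 'REMOTE_ADDR':
            return 'TCP peer address (only trust X-Forwarded-For from your own proxy)';
        default:
            return 'server configuration';
    }
}

// The pattern from countless tutorials: attribute breaks out, script runs.
function form_action_unsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened: SCRIPT_NAME has no PATH_INFO, and it is HTML-encoded anyway.
function form_action_safe(array $server): string
{
    $path = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $path . '" method="post">';
}

if (PHP_SAPI === 'cli') {
    foreach ($request as $key => $value) {
        printf("%-16s %s\n", $key, server_var_origin($key));
    }
    echo form_action_unsafe($request), "\n"; // <form action="/form.php/"><script>alert(1)</script>" method="post">
    echo form_action_safe($request), "\n";   // <form action="/form.php" method="post">
}
```

The short version for the question asked: every HTTP_* key and anything holding part of the request line is client data and must be encoded or validated before use; DOCUMENT_ROOT and SCRIPT_NAME are the server's, and SERVER_NAME is only as trustworthy as the web server's canonical-name setting.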
Re: [PHP] pcntl_fork, catching STDOUT of child?
Have a look at zeromq.

http://vimeo.com/20605470
http://zguide.zeromq.org/php:all

Hope it helps.

On Fri, Jan 20, 2012 at 12:24 AM, Thomas Johnson wrote:
> Hello,
>
> PHP noob here. I've been working on writing a script (command-line) that
> forks a number of children to do various tasks. I've been using
> pcntl_waitpid inside a loop to wait for the children to exit, act on the
> results, and fork another copy of the child. Where I seem to be running
> into trouble is in managing communication between child and parent, so that
> the parent has an indication of result inside the child.
>
> In the past, I've done this in Perl using something along the lines of:
>
> open(FILEHANDLE,"-|");
>
> In Perl, this has the effect of forking the process and attaching the
> STDOUT of the child to FILEHANDLE on the parent. Thus, when the child
> exits, I read FILEHANDLE to get the output from the child.
>
> Is there a similar way of achieving a similar result in PHP? Am I crazy? So
> far, I have tried to communicate between the processes using sockets
> (socket_create_pair). However, this seems to be a dead-end, I get a
> "connection reset by peer" when I try to socket_read() from the parent. I
> assume this is because the socket is closed by the exit of the child.
>
> Any insight or criticism is appreciated.
>
> --
> Thomas Johnson
> ClaimLynx, Inc. 952-593-5969 x2302
>
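For the question Thomas asked in the post quoted above, here is an added example (not code from the thread, and not using zeromq) of the closest PHP equivalent to Perl's open(FILEHANDLE,"-|"). PHP has no dup2() in core, so the child cannot re-point its STDOUT at the parent's handle; instead each child gets one end of a stream_socket_pair(), writes its result there explicitly, closes it and exits, while the parent closes the child's end, reads its own end to EOF and reaps the child with pcntl_waitpid(). The two fclose() calls on the "wrong" ends are the part that matters: as long as the parent still holds the child's end, its read never sees EOF. It needs the pcntl extension (CLI only) and a Unix-like OS; child_task() is a constructed stand-in for real work.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Fork workers and collect each one's
// output through a stream_socket_pair(), like Perl's open(FH, "-|").
// Requires ext/pcntl (CLI). child_task() is a stand-in for real work.

function child_task(int $n): string
{
    // Whatever the child computes; returned as the text the parent receives.
    return "worker $n: " . strtoupper(bin2hex(random_bytes(4)));
}

// Forks one worker. Returns [pid, readable stream] to the parent.
function spawn_worker(int $n): array
{
    $pair = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP);
    if ($pair === false) {
        throw new RuntimeException('stream_socket_pair failed');
    }
    [$parentEnd, $childEnd] = $pair;

    $pid = pcntl_fork();
    if ($pid === -1) {
        throw new RuntimeException('fork failed');
    }
    if ($pid === 0) {
        // Child: drop the parent's end, write the result, close our end
        // (that close is what the parent sees as EOF), then exit.
        fclose($parentEnd);
        fwrite($childEnd, child_task($n));
        fclose($childEnd);
        exit(0);
    }
    // Parent: close the child's end or stream_get_contents() below will
    // block forever, since this process would still hold an open writer.
    fclose($childEnd);
    return [$pid, $parentEnd];
}

// Starts $count workers, then reads each one's output and reaps it.
function run_workers(int $count): array
{
    $workers = [];
    for ($i = 1; $i <= $count; $i++) {
        $workers[] = spawn_worker($i);
    }
    $results = [];
    foreach ($workers as [$pid, $stream]) {
        $results[$pid] = stream_get_contents($stream); // returns once the child closed its end
        fclose($stream);
        $status = 0;
        pcntl_waitpid($pid, $status);                  // reap, and keep the exit code with the output
        $results[$pid] .= ' (exit ' . pcntl_wexitstatus($status) . ')';
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    foreach (run_workers(3) as $pid => $out) {
        echo "$pid => $out\n";
    }
}
```

If the children are separate programs rather than forks of this script, proc_open() with a pipes descriptor spec gives the same parent-side read handle without pcntl. The order in run_workers() is deliberate: read to EOF first, then waitpid, so a child that writes more than the socket buffer holds cannot deadlock waiting for a parent that is itself waiting on exit.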