
Topic: POST or action limit to increase security (Read 19368 times)


Alisa

  • Coppermine newbie
  • Posts: 11
POST or action limit to increase security
« on: January 18, 2005, 09:22:14 pm »

Hello reader.

My tiny Coppermine 1.3 was hit by human-made spam.
The comment spammer wrote many nasty comments in a few minutes.

I would like to have time limits for comments to avoid human- and robot-made spam.
I mean 1 comment per IP+HOST in a minute (the time should be configurable).
For now I have the following code, which is working in my other app:

This code makes the ID ($id) of the sender. File name: id.php, which is meant to be a class file.
Code:
<?php
// id.php: builds the sender ID ($id) from IP and host and returns it to the including file
function ip() // should return an IP
{
    // proxy headers are checked first, then the address of the direct connection
    if (getenv("HTTP_X_FORWARDED_FOR")) return getenv("HTTP_X_FORWARDED_FOR");
    elseif (getenv("HTTP_CLIENT_IP")) return getenv("HTTP_CLIENT_IP");
    elseif (getenv("REMOTE_ADDR")) return getenv("REMOTE_ADDR");
    else return 0;
}
$ip = ip();
$host = getenv("REMOTE_HOST");
$id = $ip . $host;
$id = md5($id); // md5 is not the best solution I guess, but it makes IDs even if there are no IP or HOST
return $id; // becomes the value of require_once("id.php") in the caller
?>


This code is for checking and managing the IDs. File name: idlog-class.php, which is meant to be a class file.
Code:
<?php
//-Input $logfile, $duration, $id

class idlog {
    var $exists = 0; // var for the existence of ID in a log

    // returns 1 if $id was already logged within the last $duration seconds, 0 otherwise
    static function idcheck($logfile, $duration, $id) {
        $exists = 0;
        if (!file_exists($logfile)) touch($logfile); // create the log on first use
        if (!is_writable($logfile)) die("Logfile not ready"); // file-check
        $idarray = file($logfile);
        $idarray2 = array();

        //-ID-check, clean-up = management
        foreach ($idarray as $line) {
            $idpart = explode(":", $line); // line format: timestamp:id
            if (count($idpart) < 2) continue; // skip malformed lines
            if (($idpart[0] + $duration) > time()) {
                if (trim($idpart[1]) == $id) $exists = 1; //-ID-check
                $idarray2[] = trim($line) . "\n"; // entry still fresh, keep it
            }
        }

        //-makes a new clean id.log-file with fresh ID
        $ramfile = fopen($logfile, "w");
        if (!$exists) fwrite($ramfile, time() . ":" . $id . "\n");
        foreach ($idarray2 as $line) { fwrite($ramfile, trim($line) . "\n"); }
        fclose($ramfile); // Save the new id.log-file
        return $exists;
    }
}
?>


This code is in the main file. It combines all the previous code and runs it. File name e.g. comment.php, for saving comments.
Code:
//
// violence check: runs before the $_POST data is processed
ini_set('include_path', dirname(__FILE__));
$id = require_once("id.php"); $id or die("could not make the id");
require_once("idlog-class.php");
if (idlog::idcheck("/tmp/id.log", 60, $id)) die("Nothing sent, wait 60 seconds");
//
//-if the ID was new or fresh the code would go on.
//

ATTENTION: this code might contain bugs, because I just translated it from my native language.
NOTE: it was clean and working before translation.

I don't know where to implement this code or if it would work in Coppermine 1.3.
Give me some advice or at least your opinion about POST limits for comments in Coppermine.
NOTE: This is also a feature request.
« Last Edit: January 19, 2005, 06:27:12 am by GauGau »

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: POST or action limit to increase security
« Reply #1 on: January 19, 2005, 06:26:56 am »

This is a very valid point and a good idea, with comment spam being on the rise.

Joachim

Alisa

  • Coppermine newbie
  • Posts: 11
Some issues for discussion.
« Reply #2 on: January 24, 2005, 07:35:34 pm »

As I see, this request is marked as "valid". :D

There are some details to discuss before someone starts to implement the feature.

1. Should the IDs be saved in files (as I did) or in a database?
2. Should the IDs stay as they are (time+ip+host) or be converted with md5 (as I did)?
3. Default time for an ID to remain in the log: 60 seconds or less?
4. Should this post-/action-time-limit feature only be used for comments, or be a class that could be used
to limit upload, registration, rating etc.?

Post your proposals or opinion on this feature!

Alisa

  • Coppermine newbie
  • Posts: 11
Re: New name for this feature request
« Reply #3 on: February 11, 2005, 09:28:42 pm »

I have a new name for this possible feature.

It could be named POST-flood protection or just flood protection.

And if this feature is going to be used to limit the time periods to wait after failed login attempts (UNIX-like),
it could be named brute-force protection.

Or does anyone have any other proposals?

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: POST or action limit to increase security
« Reply #4 on: February 12, 2005, 12:07:38 pm »

There already is some "flood protection" in place in other parts of Coppermine's code. Anyway, names don't matter - let's see some actual code.

Joachim

Alisa

  • Coppermine newbie
  • Posts: 11
Re: POST or action limit to increase security
« Reply #5 on: February 14, 2005, 11:24:37 pm »

Quote:
names don't matter - let's see some actual code.

I am so sorry. I must have been misleading you.
I am not working on the implementation of the code from the first post.

I just wanted to give some hints on the feature request by providing a possible solution.
The name should make it easier to understand the agenda in this request.

Never mind!
The given code would work if all files were in the same path with a writable "/tmp" folder.
The logfiles do not have to be created manually.
All you need is to call the given code before you process the $_POST request.

But it would not be a real native implementation in Coppermine,
or would it be that easy?

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: POST or action limit to increase security
« Reply #6 on: September 08, 2006, 08:44:26 am »

Reviewing this old thread I figured that it has a serious drawback: the environment vars the mod checks may not be populated in every scenario. Particularly spam bots probably won't populate them. Needs more looking into.
However, some other features have been added to the core code in the devel branch to reduce comment spam.

Stramm

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 6006
Re: POST or action limit to increase security
« Reply #7 on: September 08, 2006, 12:31:55 pm »

Flood protection by IP has some drawbacks. The first to name is IP spoofing, and secondly one may have legit surfers sharing the same IP (once all the AOL surfers). I remember visitor stats where 5-10% of my surfers had the same IP address(es).

Best is to use flood protection only for registered users (if webmasters are afraid of comment spam, they should allow commenting only for registered users anyway). Then, before a user is allowed to comment, the script grabs the timestamp from his last comment, compares it with the actual time and allows/denies commenting depending on a certain value set in config. That's the easiest and most secure way, and what I use for the PM script.
my CPG sandbox: Version 1.4.18 with modpack running my Tentacle theme:
http://stramm.st.funpic.org/
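The per-user variant described in the reply above, written out as an added example (not Coppermine's own code and not Stramm's PM script): the timestamp of the registered user's last comment is compared with the current time against a configurable limit, and the check is skipped for guests, who are expected to be blocked by the "registered users only" setting instead. The config key comment_flood_seconds, the row layout (author_id, msg_date as Unix timestamps) and the rows themselves are assumptions constructed for this example.

```php
<?php
// Added example, not part of Coppermine. $rows stands in for the comment table
// (constructed below); comment_flood_seconds is a hypothetical config entry.

// Returns the number of seconds the user still has to wait; 0 means the comment is allowed.
function comment_wait_seconds(array $rows, $user_id, $now, $limit)
{
    if ($limit <= 0) return 0;     // feature disabled in config
    if ($user_id <= 0) return 0;   // guests: no per-user history, handled by the
                                   // "registered users only" setting instead
    $last = 0;
    foreach ($rows as $r) {
        if ($r['author_id'] == $user_id && $r['msg_date'] > $last) {
            $last = $r['msg_date']; // newest comment by this user
        }
    }
    if ($last === 0) return 0;     // first comment ever: allow
    $remaining = $limit - ($now - $last);
    return $remaining > 0 ? $remaining : 0;
}

$CONFIG = array('comment_flood_seconds' => 60); // hypothetical config entry
$now = time();

// Constructed rows standing in for the comment table (author_id, msg_date)
$rows = array(
    array('author_id' => 7, 'msg_date' => $now - 20),   // user 7 commented 20 s ago
    array('author_id' => 7, 'msg_date' => $now - 300),
    array('author_id' => 9, 'msg_date' => $now - 300),  // user 9 commented 5 min ago
);

// User 11 has never commented, user 0 is a guest
foreach (array(7, 9, 11, 0) as $uid) {
    $wait = comment_wait_seconds($rows, $uid, $now, $CONFIG['comment_flood_seconds']);
    if ($wait > 0) {
        echo "user $uid: comment denied, wait $wait seconds\n";
    } else {
        echo "user $uid: comment accepted\n";
    }
}
?>
```

In a real integration the foreach over $rows would be replaced by a query for the newest msg_date of the current user, and the $wait value would feed the lang-file message Stramm mentions.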

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: POST or action limit to increase security
« Reply #8 on: September 12, 2006, 10:45:37 am »

So do you think that the suggested feature should be implemented in cpg1.5.x (with the subsequent database changes needed) in addition to the other comment improvements we have added so far?
I have no idea about the numbers of comment spam performed by registered users. As far as I can see, comment spammers will use the easiest way to drop their comments, which is attacking sites that allow guest comments.
In my personal gallery (intermediate-sized with 12k+ pics that is based on cpg1.4.x with guest comments turned off) I never had issues with comment spam by registered users.
Imo we (coppermine devs) should focus on other features instead and subsequently move this thread from the "Scheduled for cpg1.5.x" sub-board back to feature requests.

Joachim

Stramm

  • Dev Team member
  • Coppermine addict
  • Gender: Male
  • Posts: 6006
Re: POST or action limit to increase security
« Reply #9 on: September 12, 2006, 07:38:58 pm »

On my gallery only registered users were allowed to comment and those behaved pretty well. Therefore even the already added comment features would be overkill for my needs.

I'd say it's a nice mod if one really needs that feature. Done with a max of 10 lines of code and a config and a lang file entry.

So I won't mind if you move the thread back to the feature requests. Don't know what the others think about it though.