How to avoid tip-a-friend abuse?


Andre Felipe Machado

Tuesday 12 September 2006 4:20:52 am

Hello,
I am trying to avoid "tip a friend" abuse.
Some spammers use this feature to send messages with their own spam comments.
Installed the antispam captcha extension, but where is the tip a friend template?

Thanks.
Andre Felipe

---
A Debian user never dies. Issues a last command:
shutdown -h now

http://www.techforce.com.br

Per-Espen Kindblad

Tuesday 12 September 2006 4:48:22 am

xx/design/standard/templates/content/tipafriend.tpl
and code:
xx/kernel/content/tipafriend.php

Andre Felipe Machado

Tuesday 12 September 2006 10:58:10 am

Many thanks for your hint.

Now I am still having the same problems to enable Antispam captcha as at the comments at
http://ez.no/community/contribs/datatypes/antispam
Anyone got this extension working?

I have to disable the tip a friend feature of my site, because a spammer is trying to exploit it. I would like to re-enable it with captcha (or another anti-spam measure).

Regards.
Andre Felipe

---
A Debian user never dies. Issues a last command:
shutdown -h now

http://www.techforce.com.br

Andre Felipe Machado

Thursday 14 September 2006 1:32:33 pm

Hello,
The spammer managed to access the tip a friend kernel module directly and exploit it.
I had to remove the file.
The exploit ceased, as far as the logs show.
Before, he/she tried many forms of the site, even the registration.
I guess the tip a friend kernel module should be improved to avoid this kind of abuse.

Many thanks for the hints.
Regards.
Andre Felipe

---
A Debian user never dies. Issues a last command:
shutdown -h now

http://www.techforce.com.br

Claudia Kosny

Thursday 14 September 2006 2:21:19 pm

Hello

Do you have any idea what the spammer might have done (maybe a log of the post data or so)?

Claudia

Andre Felipe Machado

Friday 15 September 2006 4:57:28 am

Hello,
please, see
http://ez.no/bugs/view/9016
I will backup the site logs for forensics.
I already have some of the bounced messages on my home PC.
Regards.
Andre Felipe

---
A Debian user never dies. Issues a last command:
shutdown -h now

http://www.techforce.com.br

Georg Franz

Friday 15 September 2006 5:18:27 am

Hi,

I had the same problem, reported in http://ez.no/community/bugs/spammer_is_abusing_the_tipafriend_function

There is a tip on how you can disable the tip a friend function in site.ini.append

Best wishes,
Georg.


--
http://www.schicksal.com Horoskop website which uses eZ Publish since 2004

Softriva .com

Friday 22 September 2006 12:50:48 am

Can anybody from eZ Systems say something about this problem? I really don't want to disable this function (Tip a Friend). I need it for a client site.

Claudia Kosny

Friday 22 September 2006 1:31:05 am

Hi there

Here are some of my ideas about what might be useful to deter spammers like this. Unfortunately I am not too good with preventing exploits like this, so I would like to have some input on whether implementing this would help at all or not.

- Log all IP addresses of people trying to send a form for the last 5 minutes or so. If someone sends more than 2 or 3 messages in this period, display a nice apologetic error message.
- Add a JavaScript to the form which contains a unique variable that is set by EZ and maybe stored in the session. The JavaScript executes onblur for one of the required input boxes and writes the value of this variable into a hidden form field which is then posted together with the other stuff. EZ checks whether this variable was posted and is the same as in the session and deletes the corresponding session variable every time.
Problem: The form will not work without javascript (which I think is ok for tipafriend but might be a problem for other, more important forms).
- Add a captcha. This will cause problems with accessibility for vision impaired people.
- A bit more restrictive: Limit tipafriend to registered users only.

Greetings from Luxembourg

Claudia
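The first two ideas in the post above (a per-IP limit on form submissions over the last few minutes, and a single-use token that the server stores in the session and expects back in a hidden field) can be modelled as one server-side check. The following is an added illustration, not code from eZ Publish or from anyone in this thread; it is written in Python as a language-independent sketch of the logic that the tipafriend module would need to apply, and the class name, the 5-minute / 3-message limits and the sample IP and session ids are all constructed for the example. In eZ Publish the token would be written into the PHP session when tipafriend.tpl is rendered and verified in kernel/content/tipafriend.php before any mail is sent.

```python
import secrets
import time
from collections import defaultdict, deque


class TipAFriendGuard:
    """Server-side guard for a 'tip a friend' form (hypothetical helper).

    Two independent controls, as proposed in the thread:
      1. sliding-window rate limit per client IP on submission attempts;
      2. a per-session, single-use token emitted with the rendered form and
         required back in a hidden field, so a direct POST to the module
         (without first loading the form) is rejected.
    """

    def __init__(self, window_seconds=300, max_attempts=3):
        self.window = window_seconds          # "last 5 minutes or so"
        self.limit = max_attempts             # "more than 2 or 3 messages"
        self._attempts = defaultdict(deque)   # ip -> timestamps of attempts
        self._tokens = {}                     # session_id -> outstanding token

    def issue_token(self, session_id):
        """Called when the form is rendered; the token goes into a hidden field."""
        token = secrets.token_hex(16)
        self._tokens[session_id] = token
        return token

    def _prune(self, ip, now):
        """Drop attempt timestamps that fell out of the sliding window."""
        attempts = self._attempts[ip]
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()

    def check_submission(self, ip, session_id, posted_token, now=None):
        """Return (allowed, reason) for one POST of the form.

        Every attempt is recorded before any other check, so a bot that never
        loads the form still exhausts its budget; the token is consumed on
        first use, so replaying a captured POST fails as well.
        """
        now = time.time() if now is None else now
        self._prune(ip, now)
        attempts = self._attempts[ip]
        attempts.append(now)
        if len(attempts) > self.limit:
            return (False, "rate_limited")

        expected = self._tokens.pop(session_id, None)   # single use
        if expected is None or posted_token is None:
            return (False, "bad_token")
        if not secrets.compare_digest(expected, posted_token):
            return (False, "bad_token")
        return (True, "ok")


if __name__ == "__main__":
    # Constructed walk-through: one legitimate send, one replay, one direct
    # POST without a rendered form, then the window is exhausted.
    guard = TipAFriendGuard()
    ip, session = "192.0.2.10", "sess-demo"
    tok = guard.issue_token(session)
    print(guard.check_submission(ip, session, tok, now=1000.0))   # (True, 'ok')
    print(guard.check_submission(ip, session, tok, now=1001.0))   # replay -> bad_token
    print(guard.check_submission(ip, "other", None, now=1002.0))  # no form -> bad_token
    tok = guard.issue_token(session)
    print(guard.check_submission(ip, session, tok, now=1003.0))   # 4th in window -> rate_limited
```

The JavaScript part of the proposal only changes how the hidden field gets filled on the client; the server-side verification is the same either way, and it is the server-side check that matters, since the attacker in this thread was posting to the module directly rather than using the rendered template. A production version would keep the attempt log and tokens in shared storage (session or database) rather than in process memory, and would key the rate limit on the client address as seen behind any reverse proxy.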
