CustomImgCaptcha: Spam Combat 2.4.1

This URL "domain/data/customimagecaptcha/img.php?public_uuid=(random number)" should no longer exist... which means somehow you're using an old part of the code (possibly the wrong XML, or older template. So I've either exported it with the old XML or you're somehow using an older version)

The URL now points to something like this
src="{xen:link 'cic-img', '', 'public_uuid={$entry.public_uuid}'}"
which returns
domain/index.php?cic-img&public_uuid=(random number)

Edit: The XML in the zip looks like the correct version, so maybe your template is out of date

If they appear fine in the ACP, but not in the registration page, then the XML must be fine, but for some reason the template has not updated

The customimgcaptcha_captcha template should say this:

Code:
                    <dd>
                        <div style="" id="custom_img_captcha">
                            <div class="textCtrl" id="custom_img_captcha_image" style="width: {$width}px; height: {$height}px;">
                                <img width="{$width}" height="{$height}" src="{xen:helper public-cic-img, $public_uuid}">
                            </div>
                            <div class="ddText">
                                <label for="custom_img_captcha_response_field">{xen:phrase sf_answer_the_above_question}:</label>
                            </div>
                            <span id="public_uuid_holder" style="display: none;">
                                <input type="hidden" value="{$public_uuid}" id="public_uuid" name="public_uuid">
                            </span>
                            <input type="text" class="textCtrl OptOut" id="custom_img_captcha_response_field" name="custom_img_captcha_response_field" autocomplete="off">
                            <p class="explain">
                                (<a href="http://xenforo.com/community/resources/customimgcaptcha.1161/">CustomImgCaptcha</a> By <a href="http://www.surreyforum.co.uk/">Surrey Forum</a>)
                            </p>
                        </div>
                    </dd>

note, this line in particular:
src="{xen:helper public-cic-img, $public_uuid}"

I think templates won't automatically update if they've been modified at all. But you should have the option to update out-of-date templates
reverts the template and it works fine now :)
Thank you
 
tenants updated CustomImgCaptcha: Spam Combat with a new update entry:

CustomImgCaptcha - 320,000 versions of each of your images

  • For every custom image you upload, 320,000 different possible versions are available to be shown to the user, making a binary comparison harder
One of the ways CustomImgCaptcha could be beaten is by the user downloading each of your images and associating the answer to the image (similar to how qa was beaten). These image:answers could then be stored in a central database. Then using a binary comparison to the image:image in database, the image answer could be solved (This would be costly, since images take up space)

.. now this would be much harder, for every single custom image you use, there are now 320,000 different versions shown to the user, all varying quality, smoothness, contrast, brightness. This makes a binary comparison much harder

The images themselves are still good enough quality for the user to identify..

Read the rest of this update entry...
 
tenants updated CustomImgCaptcha: Spam Combat with a new update entry:

CustomImgCaptcha - Visiting Old Public UUIDs Images (inactive) no longer throws an error

I'm using a form that is heavily spam active (due to the niche and age). One of the great things about this (for me) is that I encounter all sorts of direct attempts to bypass anti spam mechanisms. One of the methods they have attempted is to use old direct links to images for comparison (I've already prevented this type of binary comparison by creating >300k versions per image and the public uuid link being invalid after 24 hours). Due to the number of versions of images, they fail at beating the system, but unwittingly provoke a server error.

So the minor issue is: If a user uses a deactivated public uuid, it throws an error in the server error logs (normal users won't ever see this, but those attempting to automate and bypass the Captcha.. and failing, will)
-- This error is now handled, instead of the attacker producing an error, they get returned a blank image

Read the rest of this update entry...
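
The handling described in this update entry, as an added example that is not part of the original post and not the add-on's code: unknown, deactivated and expired public UUIDs all get a blank image instead of raising an error. The array store, the `active` flag and the function names are hypothetical; the 24-hour lifetime is the one stated in the post.

```php
<?php
// Added example, not the add-on's code. The array store, the 'active' flag
// and the function names are hypothetical.
const UUID_LIFETIME = 86400; // 24 hours, the lifetime stated in the post

function blankImage(int $width, int $height): string
{
    $im = imagecreatetruecolor($width, $height);
    imagefill($im, 0, 0, imagecolorallocate($im, 255, 255, 255));
    ob_start();
    imagepng($im);
    return ob_get_clean();
}

function captchaImageBody(array $store, string $publicUuid, int $now): string
{
    $entry = $store[$publicUuid] ?? null;
    $live = $entry !== null
        && $entry['active']
        && ($now - $entry['insert_time']) < UUID_LIFETIME;

    // Unknown, deactivated and expired UUIDs share one path: no exception,
    // no entry in the server error log, just a blank image.
    return $live ? $entry['img'] : blankImage(300, 200);
}

// Constructed sample data.
$now = 1700000000;
$store = [
    'uuid-live'     => ['active' => true,  'insert_time' => $now - 3600,  'img' => 'LIVE-IMAGE-BYTES'],
    'uuid-expired'  => ['active' => true,  'insert_time' => $now - 90000, 'img' => 'OLD-IMAGE-BYTES'],
    'uuid-inactive' => ['active' => false, 'insert_time' => $now - 60,    'img' => 'USED-IMAGE-BYTES'],
];
foreach (['uuid-live', 'uuid-expired', 'uuid-inactive', 'uuid-unknown'] as $uuid) {
    $body = captchaImageBody($store, $uuid, $now);
    printf("%-13s %s\n", $uuid, $body === 'LIVE-IMAGE-BYTES' ? 'stored image' : 'blank image');
}
```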
 
tenants updated CustomImgCaptcha: Spam Combat with a new update entry:

CustomImgCaptcha - Fix for rare error

Some bots seem to attempt to insert images in the user's answer field (why, I'm not really sure). When logging this data, it can cause a server error, since the column is utf8, and the DataWriter sends a string that contains binary (which throws a server error). I now sanitise the user answer before sending it to the XenForo DataWriter.

Read the rest of this update entry...
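
One way to do the sanitising described in this update entry, as an added example that is not part of the original post and not the add-on's code. The function name and the length cap are assumptions, and the column is assumed to be MySQL's 3-byte `utf8` charset.

```php
<?php
// Added example, not the add-on's code. Function name and length cap are
// assumptions; the log column is assumed to be MySQL utf8 (3 bytes per char).
function sanitiseAnswer(string $raw, int $maxChars = 100): string
{
    // Byte sequences that are not valid UTF-8 (image data, for instance)
    // are replaced with the mbstring substitute character.
    $s = mb_convert_encoding($raw, 'UTF-8', 'UTF-8');

    // A 3-byte utf8 column cannot store code points above U+FFFF.
    $s = preg_replace('/[\x{10000}-\x{10FFFF}]/u', '', $s) ?? '';

    // Drop control characters, keeping tab, LF and CR.
    $s = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', '', $s) ?? '';

    // Cap the length by characters, not bytes, so no sequence is cut in half.
    return mb_substr(trim($s), 0, $maxChars, 'UTF-8');
}

// Constructed sample answers: a normal reply, the first bytes of a PNG file,
// and text containing a 4-byte code point.
$samples = [
    'a red bus',
    "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR\x00\x00\x01\x2c",
    "cat \u{1F431}",
];

foreach ($samples as $raw) {
    $clean = sanitiseAnswer($raw);
    printf(
        "raw valid UTF-8: %-3s  clean valid UTF-8: %-3s  clean: %s\n",
        mb_check_encoding($raw, 'UTF-8') ? 'yes' : 'no',
        mb_check_encoding($clean, 'UTF-8') ? 'yes' : 'no',
        json_encode($clean)
    );
}
```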
 
Just to confirm that after update (from one with previous folder structure), it is safe to delete:
library/CustomImgCaptcha
and
data/customimgcaptcha

Right?
 
Yes, the data/customimgcaptcha is no longer needed and the structure is now:
library/Tac/CustomImgCaptcha

so you can delete
  • library/CustomImgCaptcha
  • data/customimgcaptcha
 
I will create image for CustomImgCaptcha, then where should I export images to ACP or roots? .....I see only
CustomImgCaptcha Logs available from Tools in ACP?

I spend time heavily to find some tools in order to block massive bots!! I created Q&A, XenUtilites, TAC Anti-Spam, Timer, UserGroup, etc, is this enough ? is it safe to post here of Q&A to see your opinions if they are tough or weak?

 
Yes, right sir. I click ACP > Options > User Registration > Enable CAPTCHA for Guests > Use CustomImgCaptcha (Add your custom images first).

The images are already there in the folder, why does it say to add custom images first?
 
On 1.2 Beta 3 I cannot upload any images and have them display. They all show a broken link. The shipped version of images show fine.
Debian 7.0
PHP 5.4.17
NGINX
APC
 
Thanks, I'll look into this... the update looks like it's really broken the images

Am I imagining it? But it still seems to work from the front end (actual CAPTCHA)

I can see that the images get uploaded, so that's good
They are just not displaying in the ACP

There doesn't seem to have been any changes to
XenForo_ControllerAdmin_Attachment
or
XenForo_ViewPublic_Attachment_View

So, I'm scratching my head, but looking into this
 
Check your content_type/content_type_field records. They are likely not associated with the add-on correctly.
 
These aren't attachments, they are image files uploaded to the database (In this case, database images are more appropriate)
There are no handlers (no alerts, likes, reports etc) so no content type was needed, I'm simply splatting the image out with:

Public:

Code:
        $private_uuid= $this->_input->filterSingle('private_uuid', XenForo_Input::STRING);
        $params = array
        (
            'private_uuid' => $private_uuid,
        );
        $this->_routeMatch->setResponseType('raw');
        return $this->responseView('Tac_CustomImgCaptcha_ViewPublic_CicImg_View', '', $params);

View:

Code:
        $CicImg = $captchaModel->getCaptchaByUUID($private_uuid);
        $extension = XenForo_Helper_File::getFileExtension($CicImg['file_name']);
        $imageTypes = array(
            'gif' => 'image/gif', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'jpe' => 'image/jpeg', 'png' => 'image/png'
        );
 
        if (in_array($extension, array_keys($imageTypes)))
        {
            $this->_response->setHeader('Content-type', $imageTypes[$extension], true); // issue is here
        }
        else
        {
            $this->_response->setHeader('Content-type', 'application/octet-stream', true);
        }
        $this->_response->setHeader('ETag', $CicImg['insert_time'], true);
        $this->_response->setHeader('X-Content-Type-Options', 'nosniff');
        return $CicImg['img'];

It seems like I can't just set the response header now, although core attachments still use this method

It gives the same sort of error as if something has already been added before the header (setHeader is not the first thing added now in this case ? ...)
 
actually no, the above is fine, it's the "playing around" with the image that has caused this (adding variations of IMG_FILTER_BRIGHTNESS, IMG_FILTER_CONTRAST, IMG_FILTER_SMOOTH)


Ah ha

I do an imagecreatefromstring (to manipulate variations of the image) and then don't convert back to string (I'm not sure why this wasn't an issue pre 1.2)
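
An added example (not part of the original posts and not the add-on's code) of the variation step from the 320,000-versions update together with the fix found here: decode the stored bytes, apply random filter levels, and encode back to a string before returning. The function names and the four ranges are assumptions, chosen so that their product is 320,000; the page does not give the add-on's real ranges.

```php
<?php
// Added example, not the add-on's code. The ranges are assumptions chosen so
// their product is 320,000; the page does not give the add-on's real ranges.
const QUALITY    = [60, 79];   // 20 JPEG quality levels
const SMOOTH     = [5, 24];    // 20 smoothing weights
const CONTRAST   = [-10, 9];   // 20 contrast levels
const BRIGHTNESS = [-20, 19];  // 40 brightness levels

function variantCount(): int
{
    $n = 1;
    foreach ([QUALITY, SMOOTH, CONTRAST, BRIGHTNESS] as [$lo, $hi]) {
        $n *= $hi - $lo + 1;
    }
    return $n;
}

function renderVariant(string $storedBytes): string
{
    $im = imagecreatefromstring($storedBytes); // bytes -> GD image
    if ($im === false) {
        throw new RuntimeException('stored image could not be decoded');
    }
    imagefilter($im, IMG_FILTER_SMOOTH, random_int(...SMOOTH));
    imagefilter($im, IMG_FILTER_CONTRAST, random_int(...CONTRAST));
    imagefilter($im, IMG_FILTER_BRIGHTNESS, random_int(...BRIGHTNESS));

    // GD image -> bytes again. Returning $im itself here is the mistake
    // described in the post: the view has to return a string body.
    ob_start();
    imagejpeg($im, null, random_int(...QUALITY));
    return ob_get_clean();
}

// Constructed sample standing in for one uploaded 300 x 200 image.
$src = imagecreatetruecolor(300, 200);
imagefilledellipse($src, 150, 100, 120, 80, imagecolorallocate($src, 200, 60, 60));
ob_start();
imagepng($src);
$stored = ob_get_clean();

$a = renderVariant($stored);
$b = renderVariant($stored);
printf("variants per image: %d\n", variantCount());
printf("two renders byte-identical: %s\n", hash_equals(sha1($a), sha1($b)) ? 'yes' : 'no');
```

Because this version re-encodes every variant as JPEG, the response has to be sent as `image/jpeg` whatever the stored file's extension says.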
 
just noticed a missing phrase when uploading your own image

upload_file_from_your_computer

Also, I've added 2 custom images, both using the default 300 x 200 dimensions, and both images are breaking out of the container box
 
It's the changes made to 1.2 that makes it look like this:
.xenForm .ctrlUnit > dd .textCtrl { -moz-box-sizing: border-box;}

It's not an issue pre 1.2:
http://localtutor.co.uk/misc/contact

That's annoying, I don't want to keep on changing these things each upgrade.

The phrase isn't so bad, since it's not user facing, I'll look at fixing this now
 