Twocents security

A place to report and discuss bugs - please mention CMSimple-version, server, platform and browser version
Tata
Posts: 3259
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Twocents security

Post by Tata » Fri Jul 17, 2020 5:28 am

In 2018 I built a plugin repository and dropped the demo at https://cmsimple.sk/plugins-172/.
There is also the twocents plugin there at https://cmsimple.sk/plugins-172/?Plugin ... s/twocents.
This week I see a number of posts from evidently some automatically generated addresses,
e.g.:
dkddhAgisteSwipsetix@wholedaddy.online
mailto:glilgAgisteSwipsetix@willdex.online
aslkiAgisteSwipsetix@ubiquitouses.online
mailto:meqibAgisteSwipsetix@groovys.online
mailto:cxuapAgisteSwipsetix@largenex.online
etc.
The plugin could be easily hidden behind the register or members pages. But it's only a demo page, so I didn't want to use any combination of plugins.
Is there any way to block some senders? E.g. to block anything containing "AgisteSwipsetix" or "online" in the address?
Or to make the removal of unwanted messages simpler, pref. directly in the plugin background?
Last edited by cmb on Fri Jul 17, 2020 7:02 am, edited 1 time in total.
Reason: fix typo in title
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
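One way to do the sender filtering asked about above, as an added example that is not part of Twocents_XH or any other plugin on this page: a small PHP check that matches a comment's e-mail address against a list of substrings (the "AgisteSwipsetix" token and the ".online" domain suffix from the quoted addresses). The function name, the pattern list and the sample addresses are constructed for the example.

```php
<?php
// Added example, not Twocents_XH code: substring blocklist for comment sender addresses.
// Matching is case-insensitive over the whole address, so the random five-letter
// prefixes and the varying domains of the spam addresses do not matter.

function isBlockedSender(string $email, array $patterns): ?string
{
    $email = strtolower(trim($email));
    // Some of the spam entries carry a leading "mailto:"; strip it before matching.
    if (strncmp($email, 'mailto:', 7) === 0) {
        $email = substr($email, 7);
    }
    foreach ($patterns as $pattern) {
        if (strpos($email, strtolower($pattern)) !== false) {
            return $pattern; // report which pattern matched, for logging or moderation
        }
    }
    return null; // no pattern matched: accept the sender
}

// Constructed sample data modelled on the addresses quoted in the thread.
$blocklist = ['AgisteSwipsetix', '.online'];
$samples = [
    'dkddhAgisteSwipsetix@wholedaddy.online',
    'mailto:glilgAgisteSwipsetix@willdex.online',
    'reader@example.org',
];

foreach ($samples as $address) {
    $hit = isBlockedSender($address, $blocklist);
    echo $address, ' => ', $hit === null ? 'accepted' : "blocked ($hit)", PHP_EOL;
}
```

The check would be called before a comment is stored or published, rejecting the post (or holding it for moderation) when a pattern is returned. Note that a bare ".online" pattern rejects every address on that top-level domain, and that a substring list only catches the current token; once the sender changes it, the list has to be updated, which is why a CAPTCHA, as suggested further down the thread, is the more durable measure.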

cmb
Posts: 13479
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Twocents security

Post by cmb » Fri Jul 17, 2020 7:04 am

Consider adding a CAPTCHA (even the minimal built-in CAPTCHA may help). And yes, I'm aware that it's 2020, and classic CAPTCHAs are old school …
Christoph M. Becker – Plugins for CMSimple_XH

frase
Posts: 3844
Joined: Thu Apr 21, 2016 6:32 am
Location: Saxony

Re: Twocents security

Post by frase » Fri Jul 17, 2020 7:12 am

From my own experience I can give some hope.
Such spam comments stop by themselves after one or two weeks if they are not published. :D

Tata
Posts: 3259
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Re: Twocents security

Post by Tata » Fri Jul 17, 2020 2:34 pm

1. I tried to install recaptcha_xh / doesn't seem to run with 1.7.2
2. adding the keys manually solved nothing / no recaptcha is visible
Any other way?

lck
Posts: 2268
Joined: Wed Mar 23, 2011 11:43 am

Re: Twocents security

Post by lck » Fri Jul 17, 2020 5:04 pm

Tata wrote:
Fri Jul 17, 2020 2:34 pm
1. I tried to install recaptcha_xh / doesn't seem to run with 1.7.2
It should run, at least with Twocents 1.0beta3 and Recaptcha_XH from bbfriend.
Tata wrote:
Fri Jul 17, 2020 2:34 pm
2. adding the keys manually solved nothing / no recaptcha is visible
Did you create keys at Google for the domains, enter them in the Recaptcha configuration, and enter recaptcha under "Captcha" in the Twocents configuration?

*Addendum
Note: If you are logged in, you don't see a captcha.
"Before you shoot the arrow of truth, dip the tip in honey!"   👉 Ludwig's XH-Templates for MultiPage & OnePage

Tata
Posts: 3259
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Re: Twocents security

Post by Tata » Fri Jul 17, 2020 7:30 pm

lck wrote:
Fri Jul 17, 2020 5:04 pm
It should run, at least with Twocents 1.0beta3 and Recaptcha_XH from bbfriend.
That's exactly what I installed. I also created and entered the keys. But I'm not sure what the
[key_public] and [key_private] are and what the site key and secret key are.
I tried all combinations, but it resulted in either:
To use reCAPTCHA you must get an API key from https://www.google.com/recaptcha/admin/create
or
Wrong CAPTCHA code!
Besides, I see no captcha test, whether logged in or logged out.

lck
Posts: 2268
Joined: Wed Mar 23, 2011 11:43 am

Re: Twocents security

Post by lck » Sat Jul 18, 2020 12:44 pm

Tata wrote:
Fri Jul 17, 2020 7:30 pm
That's exactly what I installed. I also created and entered the keys. But I'm not sure what the
[key_public] and [key_private] are and what the site key and secret key are.
Recaptcha_XH >>> Google reCaptcha
Site key   = Websiteschlüssel
Secret key = Geheimer Schlüssel
Wrong CAPTCHA code!
You get that when the "Secret key" is wrong.

With a wrong "Site key", the captcha shows (in your case perhaps in English):
Fehlerhinweis für Inhaber der Website: Ungültiger Websiteschlüssel
In my version from bbfriend I also made changes in admin.php, to fix the plugin administration not being shown and the deprecated warnings.
Line 51
// if (!empty($recaptcha)) { // lck - FIX for Pluginadministration not shown
if (XH_wantsPluginAdministration('recaptcha')) {
Lines 64 + 65
    //initvar('admin'); // lck - FIX for XH-DEPRECATED Warning
    //initvar('action'); // lck - FIX for XH-DEPRECATED Warning

cmb
Posts: 13479
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Twocents security

Post by cmb » Sun Jul 19, 2020 11:32 am

cmb wrote:
Fri Jul 17, 2020 7:04 am
(even the minimal built-in CAPTCHA may help)
Hmm, there is no built-in CAPTCHA in Twocents_XH (Advancedform_XH has one, though).

An alternative to Recaptcha_XH is Cryptographp_XH 1.0beta6. Less elegant than Recaptcha, but you get by without registration and keys. However, you should still apply this fix.

lck
Posts: 2268
Joined: Wed Mar 23, 2011 11:43 am

Re: Twocents security

Post by lck » Sun Jul 19, 2020 11:42 am

The problem lies here; the browser console reports:
Mixed Content: The page at 'https://.../' was loaded over HTTPS, but requested an insecure script 'http://www.google.com/recaptcha/api/challenge?k=...'. This request has been blocked; the content must be served over HTTPS.
But how to solve it? The connection to Google is established over http: and not over https: :?

cmb
Posts: 13479
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Twocents security

Post by cmb » Sun Jul 19, 2020 1:12 pm

lck wrote:
Sun Jul 19, 2020 11:42 am
But how to solve it? The connection to Google is established over http: and not over https: :?
But why? In captcha.php everything seems to use HTTPS explicitly.
