
Archived ⇒ drop-dead, gotta-have, non-negotiable, dealbreaker feature


Confused by what I'm reading here, I just dug through the code.

Although the DragonflyCMS CAPTCHA (er, "Security Code") is "spiffy" enough to assign a "security code background image" based on the currently active theme...

...it can only be toggled on/off for these forms ???
Administrator login
Member login
Member registration

Ouch! The admin should be able to invoke the check *ANY* place in the app where user input is collected! Especially for "guest" forum posts -- c'mon that ought to be a given.

Even if the gfxchk stuff isn't encapsulated into a class (so that modules can make use of the functionality!), the devs ought to make sure the "core" userdata entry points exposed to guests are covered.

Sigh.
CAPTCHA security also seems to be missing from the "pro" ForumsPro add-on. How "PRO" is that??? (I hope it's in there and I just didn't see it, but I don't think so)

So, based on what I see (er, *don't* see) throughout the forums, I'm forbidden to reply by including a code snippet which would provide the missing protection for posting.php, because "hacking" a core file would constitute a license violation?
???

Devs:
This is a drop-dead, gotta-have, non-negotiable, dealbreaker feature. Until this "spambot vulnerability" is addressed, I would feel totally irresponsible recommending use of DragonflyCMS to clients.

Without CAPTCHA, you're not distributing a "security-focused" app. What you're currently distributing is an app containing unprotected webforms installed to "known" paths -- prime spambot bait!

ps:
I tried, *really* tried to draft this post in an "encouraging" tone, but the best I could manage was to (hopefully) get my point across without seeming disrespectful. Overall, I do appreciate that the devs have carefully, meticulously crafted the code for this app, but this glaring security-related omission needs to be addressed immediately. Every day, around the world, the same sad fact -- it is "stuff like this" that gets people's webhosting accounts suspended or finds them booted from their webhost altogether.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
DragonflyCMS version 9.1.1.0


It's been added to the Contact form recently, but I don't think it's there in forums or Forumspro guest posting, which I agree would be a good feature, though I don't recall anyone asking for it before... (but I could be wrong) Most forums don't have much of a need to have posting turned on for guests.

So, based on what I see (er, *don't* see) throughout the forums, I'm forbidden to reply by including a code snippet which would provide the missing protection for posting.php, because "hacking" a core file would constitute a license violation?


What? I'm really curious, where do you get this idea? It's GPL and we all post hacks all the time. Sometimes they get added to the core.

Diagon Alley - Top Design

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/1.3.37/4.1.21-standard/4.4.4/9.1.1


"be addressed immediately" == "only registered users can post"

also the following is a huge lie:
"it is "stuff like this" that gets people's webhosting accounts suspended or finds them booted from their webhost altogether."

I don't really see where the "drop-dead, gotta-have, non-negotiable, dealbreaker feature" and the need to "be addressed immediately" are, since it is already included in ALL submission forms that really need it... if it has not been included, it is because that submission form has the guests/registered users switch, like forum posts.

By the way (off topic), I'm still waiting for the URL to the deleted CVS files, and sometimes I love to be sarcastic: since you "would feel totally irresponsible recommending use of DragonflyCMS to clients", and in the case that your clients are like you... please don't recommend us!

Last thing... "captcha" in general is a problem for blind and color-blind people; this is why we have included the audio captcha facility (not active yet)... but remember that even with or without audio, some not-so-lucky people will have HUGE problems! Next time think properly before you ask to build a higher wall for those people.

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.7 / PHP 7.3 / head


NanoCaiordo wrote
the following is a huge lie:
"it is "stuff like this" that gets people's webhosting accounts suspended or finds them booted from their webhost altogether."


Okay, since you're convinced that's a lie, my further reply on the matter would be a wasted effort.

have not been included is because that submission form has the guests/registered users switch, like forum posts.


Yep, just like the head-in-the-sand "webguru" reply in another current thread, as though it's not the responsibility of login() to redirect back to the referring page. Sheesh.

Too often, when users come to you with an unmet need regarding app functionality, your posts reflect a position of "you'll eat what's on your plate and you'll LIKE it".

In this thread your tone seems to be conveying that if an admin wants to open a particular subforum to guest posting, and have it protected by captcha... too bad. Want to add an e-cards module down the road? Security is your problem, not the core. I'm reiterating the point that it's silly (irresponsible) to have the security_code present, yet unavailable for use in, ContactUs and tell-a-friend and any other webform in use (-or- in future use). But, clearly, you don't get it, you're not hearing it.

and in the case that your clients are like you .... please don't recommend us!


Aye-aye! Loud and clear.
Over and out.

Next time think properly before you ask to build a higher wall for those people.


Yeah, options == walls
That fits perfectly with the other "logic" I'm hearing here.

With kudos for your commitment to, and passion for this project, I realize that I'm not going to fit well here in your "walled garden". I won't trouble you further. Adieu, and right back at ya:
Next time think properly before you ask to build a higher wall for those people.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
DragonflyCMS version 9.1.1.0


bart2 wrote
it's not the responsibility of login() to redirect back to the referring page.

It does already redirect. Pass me the link where the issue is posted and I'll have a look... it might be possible that there is a bug somewhere.

bart2 wrote

Too often, when users come to you with an unmet need regarding app functionality, your posts reflect a position of "you'll eat what's on your plate and you'll LIKE it".

If you ask for "addressed immediately" for a not-high-priority security hole, that's what you get everywhere.

bart2 wrote
In this thread your tone seems to be conveying that if an admin wants to open a particular subforum to guest posting, and have it protected by captcha... too bad.
I might have expressed myself badly then. My reply is not a "no" but a "no today".

bart2 wrote
I'm reiterating the point that it's silly (irresponsible) to have the security_code present, yet unavailable for use in
It's not the only cool thing not fully used; we've got other nice options not used yet... the issue here is not "eat what's on your plate and like it" but devs' time and devs' number... but again, yes, what's on your plate is the only thing you can eat "today", so eat it and love it; that's just common sense and nothing else.

bart2 wrote
ContactUs and tell-a-friend and any other webform in use (-or- in future use).
They will, but the more time I spend replying to your posts, the less time I've got to code.

bart2 wrote
Over and out.
I agree, since for every post that you made you chose the "critical", "must", "address-immediately" way instead of "talking" like normal people do.

bart2 wrote
Yeah, options == walls
I really hope you will have a blind person in your family to understand what I mean. Everything is OK for you, then all the others don't count? Or something is wrong for you, then everyone has to do it your way? That's how you seem to think.

bart2 wrote
I realize that I'm not going to fit well here
OK, nice to meet you then; ciao, send me a postcard when you've got time.

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.7 / PHP 7.3 / head


ContactUs


It's been added to the Contact form recently

Line 53

Diagon Alley - Top Design

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/1.3.37/4.1.21-standard/4.4.4/9.1.1


Hey bart2,

I gotta comment on what I see here. You came in here with guns blazing and then got upset when fire was returned. There's a way to talk to people that won't instigate the response you just received. It all comes down to respect. Give it and you will get it. Don't give it and you won't get it.

It would have been _so_ easy to word your post in a non-confrontational manner and we'd all be thanking you for your input rather than shaking our heads over your rudeness.

Cheers,

Ronin
Ronin Technologies
Dragonfly Google Maps Module

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu 14.04 / 2.4.7 / 5.5.37 / 5.5.9 / 9.4.0.0


If I may interject... I'd really love to see this feature implemented.

I currently run a site where I keep one of the forums open to guest posting. I do this because the group has folks that drift in and out of contact, and generally we legitimately have people stopping by who we'd like to hear from, but for whatever reason wouldn't write if they had to stop to register (a people problem, to be sure).

As a result, the board has to be constantly policed for spam, some of it quite vile. I've had to block large IP address ranges, and doing that takes up well over 95% of my administration duties (most everything else runs hands-off just fine). The messages appear to be posted by automation, and appear to be in many cases the work of botnets (block one IP or range, delete message - only to have the exact same message reposted from a completely different IP). For non-English speaking countries, I block the entire network. For US and some English-speaking countries, I send abuse messages to the domain admins, but in all honesty, it's a very rare day I see it stop, let alone get even an automated acknowledgement. And typing up the incident and pulling logfiles and mailing them out takes time. I've gotten a lot of practice at it, so now I have a form letter I fill in and I've modified the modcp_viewip page on my themes to link directly to look up the IP WHOIS, but it still takes time and effort, and I resent having to do it. It's turned forum moderation into whack-a-mole.

Having captcha enabled for guest posting isn't a perfect solution, but it could really cut down on my administrative overhead. Having the option to use it there would, I believe, cut down on the actual incidents I have to handle manually greatly, as our group still wants to hear from its wayward members, and I'd hate to give that up because of the scumsucking spammers and irresponsible system administrators and ISPs that are letting compromised machines and networks run unchecked.

It seems like a relatively modest request, I imagine the implementation cost for the recent changes to Contact would carry over into the Forums module handily (at least for the person familiar with the mechanism and implementation, which sadly, isn't me), so putting aside prior poor choices of words and differences of opinion, I'd like to second this idea for implementation as soon as practical, please.

It is pitch black. You are likely to be eaten by a grue.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu 12.04, Atom D525/Apache 2.2.22/MySQL 5.5.38/PHP 5.3.10/Dragonfly 9.4.0.0 CVS


I'd have to agree with the request, but I also agree that bart's tone was out of place.

Though I don't consider the request groundbreaking, stop-the-presses, sell-your-first-born, steal-a-getaway-car important! The option should be added. =)

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
FreeBSD 5.5/Apache 1.3.36/Mysql 4.1.16/PHP 4.4.2/9.0.6.1 (upgraded from phpnuke 7.8)


I'll fourth the idea! I recently had to change my "public" forum to registered posting only - too much of a hassle to police the spam!

But Bart, you get what you pay for! Since you didn't shell out thousands of dollars for a commercial CMS product, you can't come in here kicking in the doors and screaming that the product MUST have this or you're outta here. From your previous posts (and this one), you've brought up some good points and really dug into the code - but do everyone a favor and take some communication classes!

Admin - Great Lakes Web Designs
Theme Designer - WebSite Guru Designs
Site Admin - Families with Food Allergies

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux 2.6.27-grsec/Apache 2.2.11/MySQL 5.0.67-community-log/PHP 5.2.8/DF 9.2.1


The security code for forums posts has not been implemented yet for one reason only.

Sec code always on? Then registered users and admins have to type it every time they post... quite annoying.

Sec code on for anonymous and off for users? Then anonymous users can register to spam your site; registration is normally free and can be done in less than 30 seconds.

Any other ideas?

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.7 / PHP 7.3 / head


NanoCaiordo wrote
Sec code on for anonymous and off for users? Then anonymous users can register to spam your site; registration is normally free and can be done in less than 30 seconds.

I am of this school of logic, but I am sympathetic towards admins that want anonymous people to contribute to their site.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
FreeBSD 5.5/Apache 1.3.36/Mysql 4.1.16/PHP 4.4.2/9.0.6.1 (upgraded from phpnuke 7.8)


You all are correct, the only thing you achieve with a security code for anonymous is less spam.
But less spam does make it satisfactory for a lot of people.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


But sec code on for anonymous and off for users AND on for registration - wouldn't this address it?

As others have said it wouldn't fix it, but it could reduce it - at least as far as the bots are concerned... no?

Pro_News CM™ - Content Management for Dragonfly CMS™

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux / 1.3.39 - 2.4.9 / 5.5.42 - 5.6.16 / 5.4.37 - 5.5.11 / 9.4
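The two design questions raised above (NanoCaiordo's "always on vs. guests only" trade-off, and the later suggestion of "on for anonymous, off for users, and on for registration") can be expressed as a per-form policy plus a verification step that cannot be replayed. The following is an added example written for this thread; it is not DragonflyCMS code, and every name in it (`CAPTCHA_POLICY`, `captcha_required`, `captcha_issue`, `captcha_verify`, `accept_submission`, the `$session` array standing in for `$_SESSION`) is hypothetical.

```php
<?php
// Added example, not DragonflyCMS code. All names here are hypothetical.
// Per-form security-code policy: 'all' = every submitter, 'guests' = only
// anonymous submitters, 'off' = never. Registration stays 'all' so the
// "register in 30 seconds, then spam" path still has to answer the code.
const CAPTCHA_POLICY = [
    'admin_login'   => 'all',
    'member_login'  => 'all',
    'register'      => 'all',
    'forum_post'    => 'guests',
    'contact'       => 'guests',
    'tell_a_friend' => 'guests',
];

function captcha_required(string $form, bool $is_guest): bool
{
    // Forms missing from the policy fail closed: guests get the code.
    $mode = CAPTCHA_POLICY[$form] ?? 'guests';
    return $mode === 'all' || ($mode === 'guests' && $is_guest);
}

// Issue a code for one form and keep only its hash in the session, with an
// expiry, so a dumped session does not hand out the answer.
function captcha_issue(array &$session, string $form, int $ttl = 600): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O and 1/I lookalikes
    $code = '';
    for ($i = 0; $i < 6; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $session['captcha'][$form] = [
        'hash'    => hash('sha256', $code),
        'expires' => time() + $ttl,
    ];
    return $code; // the caller renders this into the image or audio clip
}

// Verify and consume the code: one attempt per issued code (consumed even on
// failure, so a wrong guess cannot be retried against the same challenge),
// and a constant-time compare so timing does not leak the answer.
function captcha_verify(array &$session, string $form, string $answer): bool
{
    $entry = $session['captcha'][$form] ?? null;
    unset($session['captcha'][$form]);
    if ($entry === null || time() > $entry['expires']) {
        return false;
    }
    $given = hash('sha256', strtoupper(trim($answer)));
    return hash_equals($entry['hash'], $given);
}

// Gate a submission: returns true when the post may proceed.
function accept_submission(array &$session, string $form, bool $is_guest, ?string $answer): bool
{
    if (!captcha_required($form, $is_guest)) {
        return true;
    }
    return $answer !== null && captcha_verify($session, $form, $answer);
}

// Constructed walk-through with an in-memory stand-in for $_SESSION.
$session = [];
$code = captcha_issue($session, 'forum_post');

var_dump(accept_submission($session, 'forum_post', false, null));  // registered member: no code asked
var_dump(accept_submission($session, 'forum_post', true, 'WRONG')); // guest with a wrong answer; code is consumed
var_dump(accept_submission($session, 'forum_post', true, $code));   // guest reusing the consumed code
$code = captcha_issue($session, 'forum_post');
var_dump(accept_submission($session, 'forum_post', true, $code));   // guest with a fresh, correct code
var_dump(accept_submission($session, 'register', false, null));     // registration: code required for everyone
```

The policy table is what the "option" requested in this thread would look like from the admin side: the forum module asks `captcha_required('forum_post', $is_guest)` instead of hard-coding a decision, so a subforum open to guests gets the code while members are left alone. Keeping `register` at `'all'` is what addresses NanoCaiordo's objection that an anonymous visitor can simply register; as the later posts say, this reduces automated spam rather than eliminating it, since a bot that solves the image still gets through.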


Depends on the kind of bot.
You can easily write a bot that submits a login or fakes a login cookie.
There are even bots that can decode a CAPTCHA.
What bots still can't do is decode audio easily.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial
