Stop Pligg blank@blank.com Spammers. A possible solution.

Old 05-21-2008, 10:21 PM
New Pligger
 
Join Date: Apr 2008
Posts: 3
Hi,

I want to share with you a possible solution to stop users bypassing the registration and captcha because of the Pycurl vulnerability, and then they bypass the registration. It's easy to detect these users because they have a mail like blank@blank.com; it means that the email is false. I have users registering with a blank email, with the email confirmation on! and it's a... ****.

I have been running Pligg for 7 weeks at Art News, and for the last three weeks I have been free of spam from blank@blank.com users. I don't know if it works OK, but for now the solution works on my site.

I am running Pligg 9.9 SEO Edition from Social CMS Buzz - Pligg, Drigg, News, Modules, Templates and Hacks, but I think that this could work on all versions.

At /libs/user.php, in function Create():

function Create(){
    global $db, $main_smarty, $the_template;

    if($this->username == ''){return false;}
    if($this->pass == ''){return false;}
    if($this->email == ''){return false;}
    // add the line: refuse to create the account when the email is the spammers' placeholder
    if($this->email == "blank@blank.com"){return false;}
    // ... rest of the function unchanged

/libs/utils.php, in function check_email_address():

function check_email_address($email) {
    //from Email Address Validation - PHP - ILoveJackDaniels.com
    // First, we check that there's one @ symbol, and that the lengths are right
    if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) {
        // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
        return false;
    }

    // then, add: reject the placeholder address before the per-part checks
    if ($email == "blank@blank.com") {
        return false;
    }
    // ... rest of the function unchanged

/libs/login.php, in function UserAuth():

function UserAuth() {
    global $db, $cached_users;

    if(isset($_COOKIE['mnm_user']) && isset($_COOKIE['mnm_key']) && $_COOKIE['mnm_user'] !== '') {
        // If the user was already authenticated earlier, fill in the structure.
        // Note: Pligg reads the key from $_REQUEST rather than $_COOKIE, so it is accepted from GET or POST parameters as well.
        $userInfo=explode(":", base64_decode($_REQUEST['mnm_key']));
        if(crypt($userInfo[0], 22)===$userInfo[1]
            && $_COOKIE['mnm_user'] === $userInfo[0]) {
            $dbusername = $db->escape($_COOKIE['mnm_user']);

            $dbuser = $db->get_row("SELECT * FROM " . table_users . " WHERE user_login = '$dbusername'");
            $cached_users[$dbuser->user_id] = $dbuser;

            if($dbuser->user_id > 0 && md5($dbuser->user_pass)==$userInfo[2]) {
                $this->user_id = $dbuser->user_id;
                $this->user_level = $dbuser->user_level;
                $this->user_login = $userInfo[0];
                $this->md5_pass = $userInfo[2];
                // add here: only mark the session as authenticated when the stored email is not the placeholder
                if ($dbuser->user_email != "blank@blank.com"){
                    $this->user_email = $dbuser->user_email;
                    $this->authenticated = TRUE;
                }
            }
        }
    }
    // ... rest of the function unchanged

At root, in register.php, look for the function register_check_errors and add:

    if($email == "blank@blank.com") { // if email is not valid: reuse the existing bad-email message
        $form_email_error[] = $main_smarty->get_config_vars('PLIGG_Visual_Register_Error_BadEmail');
        $error = true;
    }


The real solution is to modify register.php to prevent the users from registering, like user.php. I don't know if the utils.php modification is necessary; I created it because I don't know which steps the spammers bypass with this vulnerability. The login.php change prevents a user with a blank mail from logging in to our Pligg site.

I hope that this will make our Pligg sites work with fewer spammers. Reply to this post with your experiences. If it doesn't work I have other possible solutions, but for now it works on my site. I have to say that my Pligg site doesn't have much traffic, almost none!

If anyone wants to thank me, I want to make Akismet work OK... The Akismet Management page doesn't let me choose between the options "confirm as spam" and "is not spam" because the links don't work.

Or link/recommend my site! Allpaintings Art Portal


Oriol Hernan
Allpaintings Art Portal

Last edited by oriolhernan; 05-21-2008 at 10:35 PM.
Old 05-22-2008, 01:03 AM
dollars5
Pligg Donor
 
Join Date: Dec 2006
Location: India
Posts: 1,960
Good one - but be informed that they will just start using blank1@blank1.com - which will pass through all your checks
Old 05-22-2008, 01:25 AM
New Pligger
 
Join Date: Apr 2008
Posts: 3
Also it's possible to block any email with "blank" in utils.php.
When you have the email array, you can scan it and compare it with the letters "blank". I didn't know that now they are using other emails.

I don't understand why the email is blank@...; if someone can explain it, a fix will be easier to find. But for now, these modifications could fix 99% of the spam attacks with blank emails.

I have to explore the email confirmation at registration because I don't understand why the spammers can skip the confirmation email.

Code in utils.php that could be modified to look for the word "blank" in the email:

    // Split it into sections to make life easier
    $email_array = explode("@", $email);
    // the "blank" scan described above would go here, on $email_array[0] (local part) and $email_array[1] (domain)
    $local_array = explode(".", $email_array[0]);
    for ($i = 0; $i < sizeof($local_array); $i++) {
        if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i])) {
            return false; // Local-part section contains characters that are not allowed
        }
    }
    if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
        $domain_array = explode(".", $email_array[1]);
        if (sizeof($domain_array) < 2) {
            return false; // Not enough parts to domain
        }
        for ($i = 0; $i < sizeof($domain_array); $i++) {
            if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
                return false; // Domain label is not a valid hostname label
            }
        }
    }

Last edited by oriolhernan; 05-22-2008 at 01:34 AM.
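A way to turn the four copy-pasted string comparisons above into one shared check that also catches the blank1@blank1.com variants dollars5 predicts. This is an added example, not code from Pligg or from either poster; the pattern list and the sample addresses are assumptions.

```php
<?php
// Added example, not Pligg's code and not from the thread: one reusable
// check that the patched places in user.php, utils.php, login.php and
// register.php can all call, instead of repeating one literal comparison.

// Placeholder/junk address patterns. The first one also covers the
// "blank1@blank1.com" variants dollars5 expects, which an exact match misses.
// This list is an assumption; extend it from your own registration logs.
$GLOBALS['placeholder_email_patterns'] = array(
    '/^blank\d*@blank\d*\.[a-z]+$/i',                // blank@blank.com, blank1@blank1.com, ...
    '/^(test|asdf|none|null|noemail|spam)\d*@/i',    // common throwaway local parts
    '/@(example|test|invalid|localhost)\.[a-z]+$/i', // reserved, non-routable domains
);

// True when $email is syntactically valid AND matches none of the patterns.
function is_acceptable_email($email) {
    $email = trim($email);
    // filter_var (PHP >= 5.2) replaces the ereg()-based regexes Pligg's
    // check_email_address() uses; ereg() itself was removed in PHP 7.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    foreach ($GLOBALS['placeholder_email_patterns'] as $pattern) {
        if (preg_match($pattern, $email)) {
            return false;
        }
    }
    return true;
}

// Optional extra: does the domain publish a mail server at all? Needs DNS,
// so keep it out of offline tests and out of the login path.
function email_domain_accepts_mail($email) {
    $domain = substr(strrchr($email, '@'), 1);
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

// Constructed sample input; every domain here is made up.
$samples = array(
    'blank@blank.com',             // rejected: the thread's placeholder
    'blank1@blank1.com',           // rejected: dollars5's predicted variant
    'not-an-address',              // rejected: fails syntactic validation
    'test42@mailer.example',       // rejected: throwaway local part
    'oriol@my-pligg-site.example', // accepted
);
foreach ($samples as $s) {
    printf("%-30s %s\n", $s, is_acceptable_email($s) ? 'accept' : 'reject');
}
```

In register_check_errors() the call replaces the literal comparison: `if (!is_acceptable_email($email))`, then add the PLIGG_Visual_Register_Error_BadEmail message and set `$error = true`. It is still a blocklist, so, as the first post says, it is a stopgap until the registration bypass itself is closed.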