Spam in contact form with CAPTCHA turned on

Comments

• admin

  December 2011 edited 10:35PM

  I think line 315 on the blog controller could probably include an additional check since both the $_POST and the $_COOKIE for the session could probably be faked by a bot. Would you mind testing the following out on your end to see if it helps fix your issue:
  
  At the bottom of the fuel/modules/blog/controllers/blog.php controller file, add the following:
  function _get_encryption($word) { $captcha_md5 = md5(strtoupper($word).$this->config->item('encryption_key')); return $captcha_md5; }
  
  Around line 479, change to the following 2 lines:
  $captcha_md5 = $this->_get_encryption($captcha['word']); $this->session->set_userdata('comment_captcha', $captcha_md5);
  
  Then change the _is_valid_captcha method to the followign:
  function _is_valid_captcha() { $valid = TRUE; // check captcha if (is_true_val($this->fuel_blog->settings('use_captchas'))) { if (!$this->input->post('captcha')) { $valid = FALSE; } else if (!is_string($this->input->post('captcha'))) { $valid = FALSE; } else { $post_captcha_md5 = $this->_get_encryption($this->input->post('captcha')); $session_captcha_md5 = $this->session->userdata('comment_captcha'); if ($post_captcha_md5 != $session_captcha_md5) { $valid = FALSE; } } } return $valid; }
  Lastly, change your "encryption_key" in the main config file to something else.
  
  If you find that the above fix does work for you, let me know and I'll post the fix to the repo.
  
  If that doesn't work, we may want to look at changing the "captcha" settings in the blog config which get applied to the fuel/modules/blog/libraries/Captcha.php class directly (so there are additional parameters not set that you can use like "char_length").
• Tallowman

  December 2011 edited 10:35PM

  Thanks. Have switched form off for now as won't get a chance to look at it until this weekend, but will take the above on board then and give that a go.
  
  Cheers