FormBuilder - Optimize Default Captcha - Question | JoomShaper


bergwerk

SP Page Builder 8 months ago

Over the last few months a lot of users complained about lots of spam due to using the "form builder" addon. While a lot of new captcha solutions have been integrated by joomshaper, the "Default" option still produces LOTS of spam mails. Sadly, we have some projects where - due to legal reasons - third-party captchas are not possible.

I dug into this issue and found out that the captcha answer is integrated as a hidden field in the resulting form. The answer is hashed (md5), but as long as standard numbers are used an attacker can easily find out what the answer is: by simply comparing the hash values of common answers.

For example, the captcha answer in the following form is "7", which can be easily determined by reverse-engineering the MD5 hash.

....
<input type="hidden" name="captcha_answer" value="8f14e45fceea167a5a36dedd4bea2543">
<input type="hidden" name="captcha_type" value="default">
<div class="sppb-form-check">
....

I'm honestly baffled that seemingly no one has determined the core of the problem and the solution was to implement multiple other third party captcha services.

The solution is rather simple - just use some kind of dynamic salt before hashing the captcha_answer in lines 314 and 599 of addons/formbuilder/site.php

Would be great if this can be fixed!

Thanks!

9 Answers

Toufiq
Senior Staff 8 months ago #184604

Hi there,

Thank you for reaching out. Did you check the rate limit function in the latest update?

https://www.joomshaper.com/documentation/sp-page-builder/form-builder/#enable-rate-limit

Best regards,

Toufiqur Rahman (Team Lead, Support)

bergwerk
8 months ago #184609

Hi Toufiq,

Actually no - I have not seen this new function yet, but it also seems to be just a workaround for the current problem. Since this new function relies on using the Session object, this can easily be manipulated as well (an attacker just has to omit the session cookie).

best regards!

Toufiq
Senior Staff 8 months ago #184610

Please try to check the latest function and let me know. Thanks

bergwerk
8 months ago #184615

Hi Toufiq,

just activated this function with the following settings:

Max Requests: 1
Time Window: 3600

Published the page 5 minutes ago and I already have 7 spam mails in my inbox :-) So as expected, the attacker does not keep the session alive (which makes sense of course!)

best regards!

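The two points raised above, the hidden-field token being a bare hash of a small-domain answer (original post) and a session-keyed rate limit being bypassed by a client that simply drops its cookie (the test report just above), can be illustrated together. The following is an added example written for this thread, not code from SP Page Builder or from any of the posters; the addon itself is PHP, and the same primitives exist there (hash_hmac, hash_equals, random_bytes), but Python is used here so the logic can be run as-is. The secret handling, the token layout, the TTL and the in-memory nonce store are assumptions chosen for the illustration.

```python
"""Hidden-field captcha tokens: the unsalted-md5 scheme described in the
thread beside a keyed, expiring, single-use token that does not depend on
the client keeping a session. Added example, not SP Page Builder code."""
import hashlib
import hmac
import os
import time

# Token copied from the form snippet in the thread; it is md5("7").
THREAD_TOKEN = "8f14e45fceea167a5a36dedd4bea2543"


def weak_token(answer: str) -> str:
    """The scheme the poster describes: a bare hash of the answer alone."""
    return hashlib.md5(answer.encode()).hexdigest()


def weak_token_reveals_answer(token, answer_domain):
    """Developer self-check for a rendered form: because the token is a pure
    function of the answer, a small answer domain (single digits, small sums)
    maps straight back to the answer by recomputing the hash per candidate.
    Returns the recovered answer, or None if the domain does not cover it."""
    for candidate in answer_domain:
        if hmac.compare_digest(weak_token(candidate), token):
            return candidate
    return None


# Hypothetical per-site secret (assumption). In a real addon it would be read
# from server-side configuration and never rendered into the page. Without
# it, recomputing the MAC for candidate answers is not possible.
SERVER_SECRET = os.urandom(32)
TOKEN_TTL_SECONDS = 600
# Server-side record of spent nonces (a DB table in production). It is keyed
# on the token the server issued, not on a client cookie, so a submitter that
# omits the session cookie gains nothing.
_consumed_nonces = set()


def _mac(nonce: str, issued: int, answer: str) -> str:
    msg = f"{nonce}:{issued}:{answer}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(answer: str, now=None) -> str:
    """Render time: emit a token that commits to the answer without exposing it."""
    issued = int(time.time() if now is None else now)
    nonce = os.urandom(16).hex()
    return f"{nonce}:{issued}:{_mac(nonce, issued, answer)}"


def verify_token(token: str, submitted_answer: str, now=None) -> bool:
    """Submit time: recompute the MAC over the submitted answer and compare in
    constant time. Malformed, expired and future-dated tokens are rejected."""
    parts = token.split(":")
    if len(parts) != 3:
        return False
    nonce, issued_str, mac = parts
    try:
        issued = int(issued_str)
    except ValueError:
        return False
    now = int(time.time() if now is None else now)
    if not 0 <= now - issued <= TOKEN_TTL_SECONDS:
        return False
    return hmac.compare_digest(_mac(nonce, issued, submitted_answer), mac)


def consume_token(token: str, submitted_answer: str, now=None) -> bool:
    """verify_token plus single use: a valid token could otherwise be replayed
    for the whole TTL by a client that never keeps a session."""
    if not verify_token(token, submitted_answer, now):
        return False
    nonce = token.split(":")[0]
    if nonce in _consumed_nonces:
        return False
    _consumed_nonces.add(nonce)
    return True


if __name__ == "__main__":
    digits = [str(i) for i in range(10)]
    print("weak token reveals answer:", weak_token_reveals_answer(THREAD_TOKEN, digits))
    tok = issue_token("7")
    print("hardened token, correct answer:", consume_token(tok, "7"))
    print("hardened token, replayed:", consume_token(tok, "7"))
```

The point of the hardened half is that every check runs on state the server controls: the secret, the issue time inside the token, and the list of spent nonces. Nothing relies on the submitter presenting a session cookie, which is exactly what the rate-limit test above showed a spam client will not do.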
Toufiq
Senior Staff 8 months ago #184616

Change 3600 to 20 or 30, then check again.

bergwerk
8 months ago #184643

Hi Toufiq,

as expected, this does not change the rate of the spam mails at all.

thanks!

Toufiq
Senior Staff 8 months ago #184648

Could you kindly grant me access to your Joomla administrator area so that I can investigate the issue you're experiencing? Prior to providing access, please ensure that you have backed up your site. Additionally, it's important to note that providing login credentials is entirely voluntary on your part; we respect your decision either way. However, if you do choose to share the login details, it would greatly expedite the resolution process. Thank you for your cooperation.

bergwerk
8 months ago #184665

Hi Toufiq,

Thanks for your offer, I can manage myself by setting a captcha_answer that is complicated enough so that brute-forcing via the md5 hash is not possible.

However, my goal was to show a possible way to improve the Form Builder Addon, and I think this could be done with a few lines of additional code and a lot of users will benefit from this change.

Please forward to your developers - I hope, they might know what to do?

Best regards!

Toufiq
Senior Staff 8 months ago #184667

I will share your thoughts with our developer team. Thanks
