phpBB • Creating Communities Worldwide

[Atari]

The PhpBB team should *strongly* consider using the FreeCAP CAPTCHA lib. It's the best I've seen, GPL'd, and looks like it will easily stand up to the anti-CAPTCH efforts at PWNtcha.

FreeCAP is available here:
http://www.puremango.co.uk/cm_captcha_113.php


PWNTCHA is here:
http://sam.zoy.org/pwntcha


Notice that the VBulletin CAPTCHA method has been cracked (easily).


In my opinion any serious forum software should have (good) CAPTCHA integration (at least as an on/off option) for registration, contact, and search functions.


I really am looking forward to the PhpBB team integrating this... it seems like its a very well thought out CAPTCHA module.

[Atari]

You'll also notice on the PWNTCHA site that the current CAPTCHA method used by PhpBB has been cracked as well.

It was cracked by PWNTCHA a looong time ago IIRC.

Anyway, now you guys now and have been shown a free/gpl alternative...

I hope it will be included ASAP.

I'm sure I'm not the only one who views PHPBB's CAPTCHA method being cracked as a security issue.

The FreeCAP library would take care of that.

[bonelifer]

If you feel the current phpBB CAPTCHA system has been cracked then post it to the SECURITY TRACKER. http://www.phpbb.com/security/

[Atari]

Posted @ http://www.phpbb.com/security/report.php?p=468

[Atari]

If you feel the current phpBB CAPTCHA system has been cracked

Anyway.. it's not that I feel it has been cracked, it HAS been cracked.

You can see for yourself here:

http://www.pwntcha.net/test.html

They even list phpBB on that page as suggested source to find a vulnerable image to test with!

[Atari]

Vbulletins captcha routine was cracked by them (long ago) as well, unfortunately they aren't as lucky as PhpBB who can simply dump the current method & incorporate that GPL'd FreeCAP library.

[Techie-Micheal]

Last I checked on Sam's site, phpBB's image had a less probabilty of being broken than vB or some of the others ...

[starfoxtj]

Wow, it correctly guessed all the image verification files I sent to it.

How does that work? (Especially the squiggly ones)

[Daz]

Hi,

starfoxtj go and play with some OCR software and you will see how it works.

It didn't guess any of the easy ones I sent it — no prizes for working out it guessing phpBB one by its (big and easy to OCR) dimensions.

OCR fails/does badly with;

small size/low resolution
poor contrast
short angled strings — long ones it will de-skew automatically.
Sans-serif (and obviously graffiti type) fonts.
patterned backgrounds that confuse it into thinking it might be text — a pattern made up of letters would be good to use.
Mixed line art and text.

As well as using colour to present a low contrast (for those programs converting images to grayscale) you could also use multiple images.

[NeoThermic]

A few days ago there was a question asked on editing the secuirty image; In the topic I also gave a copy of the code I'm using:
http://www.phpbb.com/phpBB/viewtopic.php?t=337628

You might find it helpful..

NeoThermic

[Techie-Micheal]

Interesting.

http://www.pwntcha.net/test.html?file=2 ... Qqqkk.jpeg
Failed.
http://www.pwntcha.net/test.html?file=2 ... qieTi.jpeg
Failed.
http://www.pwntcha.net/test.html?file=2 ... kxFzb.jpeg
Failed.

And on and on and on.

[Atari]

A few days ago there was a question asked on editing the secuirty image; In the topic I also gave a copy of the code I'm using:
http://www.phpbb.com/phpBB/viewtopic.php?t=337628

You might find it helpful..

NeoThermic

Nice!

Yours is a little hard to read at times, but it's better than something that is so easily cracked with OCR.

Did you check out that FreeCAP lib? I guess it has routines for anti-brute force attempts, 3 different background image routines, multiple fonts etc.

Any chance that you could integrate that into phpbb?

[Atari]

Interesting.

http://www.pwntcha.net/test.html?file=2 ... Qqqkk.jpeg
Failed.
http://www.pwntcha.net/test.html?file=2 ... qieTi.jpeg
Failed.
http://www.pwntcha.net/test.html?file=2 ... kxFzb.jpeg
Failed.

And on and on and on.

Are these tweaks that you are playing with now?

Keep in mind, just because it doesn't crack them right now doesn't mean that they aren't easily crackable by him after he (or someone malicious) has written a routine to deal with that (new) type of captcha.

Example: http://www.pwntcha.net/test.html?file=2 ... qieTi.jpeg

Upside down and backwards from the easily crackable original isn't going to cut it. It would be just as easy to crack as the original method.

[Techie-Micheal]

Interesting.

http://www.pwntcha.net/test.html?file=2 ... Qqqkk.jpeg
Failed.
http://www.pwntcha.net/test.html?file=2 ... qieTi.jpeg
Failed.
http://www.pwntcha.net/test.html?file=2 ... kxFzb.jpeg
Failed.

And on and on and on.

Are these tweaks that you are playing with now?

Keep in mind, just because it doesn't crack them right now doesn't mean that they aren't easily crackable by him after he (or someone malicious) has written a routine to deal with that (new) type of captcha.

Example: http://www.pwntcha.net/test.html?file=2 ... qieTi.jpeg

Upside down and backwards from the easily crackable original isn't going to cut it. It would be just as easy to crack as the original method.

Not mine, no. I'll play around with some code later.

[Graham]

It is worth noting that the current image verification code is designed to work without requiring additional modules (such as GD) to be available on the server which anything to do any form of rotation and so on will do so.

This will not be changing for the 2.0.x line of the software without a very good reason.