PhpBB: easy to spam?

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Daan Vanheel
Registered User
Posts: 4
Joined: Tue Jun 24, 2003 5:02 pm

Post by Daan Vanheel »

Let me first tell you a story: I'm on a message board run by vBulletin, and my friend and I discovered a hidden forum... after posting a little while, we found out we could post anything we wanted there, and nobody would see it (it wasn't even in our latest posts, etc.). I got bored with the fact that there was a 30 second spam protection, and it took me a while to get more posts.
So I started writing a little script that had a variable with some text in it, scrambled the text to make some random crap out of those words, and put it into a form with the exact names of the forms for posting replies in vBulletin. I was surprised to see that it actually worked. After some more scripting (this is all basic PHP) I found a way to automatically send the forms when the page loads, and refresh it after 30 seconds to post another post 'o crap.
All good and well, but I'm not a spammer: I was more excited about the fact that it works rather than the fact that I could get more posts.
Then I came on a message board that has phpBB2, and I decided to test it out. All I had to do was change some variable names and voila, a spam machine for phpBB2.
What I'm trying to say is.. this isn't very thoughtful and I was shocked there wasn't protection for this in phpBB, nor vBulletin. Anybody, even me, can make a spam page for any forum.
This can be avoided easily, just by checking the referer page on the posting.php page.

If you want I can give you the script.. but I don't feel that it's necessary, nor safe to display it on these boards.

Thanks for your time,
Daan Vanheel

Edit: don't get me wrong, I'm not using this for bad (spamming). I just wanted to test if it worked.

niekas
Registered User
Posts: 562
Joined: Sun Sep 23, 2001 7:34 am

Post by niekas »

Checking HTTP-REFERER is not a perfect solution at all - your spam script can be easily modified to spoof that.

And remember some people have all kinds of privacy applications on their computer and quite a few of them block HTTP-REFERER from being passed back to the script.

Daan Vanheel
Registered User
Posts: 4
Joined: Tue Jun 24, 2003 5:02 pm

Post by Daan Vanheel »

Well, it's better than nothing and it can be a good temporary solution.

Draegonis
Former Team Member
Posts: 3950
Joined: Mon Apr 22, 2002 3:12 pm
Location: Kµlt øƒ Ø

Post by Draegonis »

That's because there isn't really a valid long-term solution. That's why there's such a thing as a ban.
As a side note, just think how easy it is to spam an email address...

Daan Vanheel
Registered User
Posts: 4
Joined: Tue Jun 24, 2003 5:02 pm

Post by Daan Vanheel »

I believe some genius scripter must be able to think of something.
Although most genius scripters are on the "dark side" :mrgreen:

Draegonis
Former Team Member
Posts: 3950
Joined: Mon Apr 22, 2002 3:12 pm
Location: Kµlt øƒ Ø

Post by Draegonis »

The genius scripter that wrote phpBB has already thought this through many many times. ;)
phpBB 2.2 will have greater user management controls too.

ShadowLord
Registered User
Posts: 43
Joined: Tue Jan 06, 2004 12:10 pm
Location: Melbourne, Australia

Post by ShadowLord »

Can't wait till 2.2 gets more stable in the CVS, I'm anxious about making a mod or two on it lol. Will the updated version have a message delay timer so you can't periodically spam topics?

Draegonis
Former Team Member
Posts: 3950
Joined: Mon Apr 22, 2002 3:12 pm
Location: Kµlt øƒ Ø

Post by Draegonis »

phpBB already has a message delay timer.

ShadowLord
Registered User
Posts: 43
Joined: Tue Jan 06, 2004 12:10 pm
Location: Melbourne, Australia

Post by ShadowLord »

It does? Never noticed, probably because I'm on a very slow dial-up connection :lol:

yoshi15
Registered User
Posts: 281
Joined: Wed Feb 19, 2003 12:40 am
Location: New Jersey

Post by yoshi15 »

ShadowLord wrote: It does? Never noticed, probably because I'm on a very slow dial-up connection :lol:

Probably because the default amount is 15 seconds.
I'm not support! Don't PM or email me for questions & answers on phpBB. I'm not on the staff in the first place.

andrew johnson
Registered User
Posts: 261
Joined: Mon Jun 09, 2003 3:30 pm
Location: derbyshire

Post by andrew johnson »

If changed to 60 secs that will prevent spamming :)
No support via PM or e-mails please
http://www.phpbb.com/phpBB/viewtopic.php?t=128123

Daan Vanheel
Registered User
Posts: 4
Joined: Tue Jun 24, 2003 5:02 pm

Post by Daan Vanheel »

Well then just change the refresh time on my script to 60 seconds and there ya go.. some more spamming...

Draegonis
Former Team Member
Posts: 3950
Joined: Mon Apr 22, 2002 3:12 pm
Location: Kµlt øƒ Ø

Post by Draegonis »

andrew johnson wrote: If changed to 60 secs that will prevent spamming :)

Not quite, as noted by the topic starter. It will, however, certainly help reduce spam on smaller boards, but is not recommended on larger boards, as it would surely drive your members to their wits' end.
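As an added example (not phpBB's code, and not the topic starter's script), here is a small model of the two mitigations the thread weighs: the per-user flood interval (15 seconds by default, 60 in the suggestion above) and the referer check. A constructed timeline shows that a longer interval only slows a scripted poster down, while the referer check rejects any user whose browser or privacy tool strips the header. The names FloodControl, simulate and referer_check are assumptions, not phpBB identifiers.

```python
from urllib.parse import urlsplit

# Added example, not phpBB's code. Storage is an in-memory dict; phpBB keeps
# the last-post timestamp in its users table instead.

DEFAULT_FLOOD_INTERVAL = 15  # seconds, the phpBB 2 default mentioned in the thread


class FloodControl:
    """Reject a post made less than `interval` seconds after the user's last one."""

    def __init__(self, interval=DEFAULT_FLOOD_INTERVAL):
        self.interval = interval
        self.last_post = {}  # user_id -> unix time of the last accepted post

    def check(self, user_id, now):
        """Return (accepted, seconds_to_wait); records `now` when accepted."""
        last = self.last_post.get(user_id)
        if last is not None and now - last < self.interval:
            return False, self.interval - (now - last)
        self.last_post[user_id] = now
        return True, 0


def simulate(interval, post_times, user_id="scripted-user"):
    """Count how many posts at the given times pass the flood check."""
    fc = FloodControl(interval)
    return sum(1 for t in post_times if fc.check(user_id, t)[0])


def referer_check(headers, board_host):
    """Accept only requests whose Referer host matches the board host.

    The header is supplied by the client, so it is not a security boundary,
    and privacy tools that strip it make this reject legitimate posters.
    """
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if not referer:
        return False
    return urlsplit(referer).hostname == board_host.lower()


if __name__ == "__main__":
    # Constructed timeline: a script submitting every 30 s for 5 minutes.
    every_30s = range(0, 300, 30)
    print("accepted with 15 s interval:", simulate(15, every_30s))  # 10
    print("accepted with 60 s interval:", simulate(60, every_30s))  # 5
    print("referer stripped by privacy tool:",
          referer_check({"User-Agent": "x"}, "forum.example"))  # False
```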

Darth Wong
Registered User
Posts: 2398
Joined: Wed Jul 03, 2002 5:20 am
Location: Toronto, Canada

Post by Darth Wong »

There's no really automatic way to block spammers, because it's hard for software to distinguish between a spammer and a guy who just posts a lot.

The only workable solution is to ban people who spam, and if they're really stubborn, switch to admin-approved registrations in order to make it more of a pain in the nuts for them to get back in.
Not a three-foot tall green gnome in real-life: My home page.
My wretched hive of scum and villainy: http://bbs.stardestroyer.net/

Techie-Micheal
Security Consultant
Posts: 19511
Joined: Sun Oct 14, 2001 12:11 am
Location: In your servers

Post by Techie-Micheal »

Darth Wong wrote: There's no really automatic way to block spammers, because it's hard for software to distinguish between a spammer and a guy who just posts a lot.

The only workable solution is to ban people who spam, and if they're really stubborn, switch to admin-approved registrations in order to make it more of a pain in the nuts for them to get back in.

I can think of a couple of ways, but they are overkill. I can't go into a whole lot of detail because I haven't worked out everything yet. :P

One way is to detect someone requesting say posting.php every 10 seconds, then send a RST packet. But as you said, that could lead to a lot of false positives. Another way might be to look for known signatures, and reset the connections for those. Like I said, overkill, but in theory it could work. Again, this one is riddled with problems as well. The signatures can be easily spoofed.
Proven Offensive Security Expertise. OSCP - GXPN
