Captcha using TTF & GD

[a_berezin]

Although the CAPTCHA image generated by this mod is of high quality and far less prone to getting "found out by bots", it is also sometimes difficult for a human to identify one or more of the image characters (due to a character getting cut off out on the edge or due to overlapping characters).

1. You can use other, more readable ttf-fonts, such as Verdana.
2. You can set chars maximum size in admin.

I wanted to ask: Does anyone running Zen Cart (1.37 or previous) without CAPTCHA have an issue with bot registrations?

Yes.

[megaman]

I am using zencart for a project.
The goals were to use a CMS and then make attacks on the others.

I putted CAPTCHA only in registration's form.

I got about 10000 reviews in one night, and the attacker was friendly because he told me that he was doing this. He used some extentions for firefox, so nobody can do it.

By the way, I had to create a php script to remove the reviews, nothing in the admin panel allows to remove mass messsages in one time :/

And another attack was in the "tell a friend".
The emails aren't check, nobody can put "FROM email" = "email of your e-commerce" or "TO email" = "email of your e-commerce". That means that, without CAPTCHA again, nobody can autospam you just by repeating one HTTP message. Worst, there is no limit to the message the user can put.

I will make a big review at the end of this project :)

[Woodymon]

Thanks Andrew and Megaman for the info.

As Andrew is aware, I installed the mod on my test shop on dev server (with many mods installed) and the CAPTCHA image would not display.

So I installed mod on my dev server on a fresh ZC 1.37 install (on local network) and the CAPTCHA image still does not display.

I tried changing from default png to jpeg in the class file and still no display.

Thinking that I might have corrupted fonts so re-uploaded the three supplied font files in FTP Binary mode. I don't know how to test if TTF's are corrupted or not.

Or maybe the fonts list is not getting read properly?

Any special GD or PHP version requirements or custom path settings or special server configuration needed for the CAPTCHA image display to work?

I can see in the HTML source (both Firefox and IE6) the mod is attempting to do it's job.

Code:

<fieldset>
<legend>Verification code:</legend>
<img id="captimg" src="captcha_img.php?0.690452001173098496" alt="" width="240" height="50" />
<input type="image" src="{path to my redraw button edited}" alt="Redraw Capture Image" title=" Redraw Capture Image " onclick="document.getElementById('captimg').src='captcha_img.php?'+Math.random();return false;"  />
<br class="clearBoth" />
<label for="captcha">Verification code:</label>
<input type="text" name="captcha" id="captcha" />&nbsp;
<span class="alert">* (case insensitive)</span>
<br class="clearBoth" />
</fieldset>

Any other ideas? Thanks.

Woody

[a_berezin]

v 2.2 15.03.2007 16:12
1. Use zen_href_link to generate img address;
2. Add Review Write page support (Thanks to Mega Man);
3. Add french language (Thanks to Mega Man).

[a_berezin]

Woody!
Try last version.

[Woodymon]

Woody!
Try last version.

Thanks Andrew ... but after updating to 2.2 CAPTCHA image still does not display. :sad:

I'm out of ideas to fix my problem. I'm sure it is a simple fix.

Thanks for adding option to change image type in admin and thanks for the new font

Also regarding write reviews support, after SQL patch I indeed see new "write review" option in Config > CAPTCHA.

But CAPTCHA form does not show up on Product reviews write pages.

So I think need to edit/upload:
/includes/modules/pages/product_reviews_write/header_php.php
-AND- /includes/templates/your_template/templates/tpl_product_reviews_write_default.php

Woody

[Woodymon]

Also regarding write reviews support, after SQL patch I indeed see new "write review" option in Config > CAPTCHA. But CAPTCHA form does not show up on Product reviews write pages.

So I think need to edit/upload:
/includes/modules/pages/product_reviews_write/header_php.php
-AND-
/includes/templates/your_template/templates/tpl_product_reviews_write_default.php

On second thought I discovered write reviews structure is different from contact us and tell a friend. Thus I couldn't pinpoint the location in header file and how error checking/validation occurs on the write reviews form. Is the above header_php.php file correct, and is so how to edit to support CAPTCHA?

INSERT (somewhere):

Code:

// BOF Captcha
if(CAPTCHA_REVIEWS_WRITE != 'false') {
	require(DIR_WS_CLASSES . 'captcha.php');
	$captcha = new captcha();
}
// EOF Captcha

INSERT (somewhere else):

Code:

// BOF Captcha
  if (is_object($captcha) && !$captcha->validateCaptchaCode()) {
    $error = true;
    $messageStack->add('friend', ERROR_CAPTCHA);
  }
// EOF Captcha

[megaman]

I just downloaded the new version but in fact some important files are missing for the support of the "Write Reviews" pages
:)

I will mail a_berezin to tell him.

[a_berezin]

Fixed................

[Woodymon]

UPDATE:

I see in web server error log:

Code:

[error] PHP Fatal error:  imagepng() [<a href='function.imagepng'>function.imagepng</a>]: gd-png:  fatal libpng error: zlib error in /home/my_account/public_html/my_shop/includes/classes/captcha.php on line 214

The segment of relevant code from the class file:

Code:

if($this->img_type == 'png') {
	imagepng($this->img, '', (int)$this->quality);
} elseif($this->img_type == 'gif') {
	imagegif($this->img, '');
} else {
	imagejpeg($this->img, '', (int)$this->quality);
}

So for testing I changed image type (Config > Captcha) from png to jpeg and try again... but image still does not display in browser. However this time different message in error log:

Code:

client denied by server configuration: /home/my_account/public_html/my_shop/includes/templates/my_template/images/index.php

Does this last error indicate a possible htaccess mod-security issue?

How to change to gif? Config > CAPTCHA in the admin provides png and jpeg options but don't see how to set gif image type.

Woody