dapphp / securimage Goto Github PK

It is not working when two users comes in the same time from one IP.

It should have ability to manage the session object in some cases. e.g

$secureImage = new Securimage(array('session_object' => $sessionObject));

if the session_object is not provided then it will use $_SESSION.

By doing this way it's easier to mock that object for testing also.

To ensure the passed session object (or storage object) is valid, you can write an interface for it :)

I got some problems get securimage working in combination with a load balancer. Normal session validation only works by writing them to database. And $_SERVER['REMOTE_ADDR'], which is used as identifier in db also doesn't return the endusers ip, but one of the loadbalancing server. So, captcha code validates only each x times, hitting the right server..
Quick and easy solution for me was to enable db storage, disable session storage, but do an initial session_start() and then replace each $_SERVER['REMOTE_ADDR'] with session_id() in securimage.php

I have securimage on dozens of websites, which has worked well for a long time, but in the past week, many are getting tons of spam. I have tried increasing the number of lines, upped the perturbation, switched a couple to use the math problem, but the spam continues.

Any suggestions on other tweaks to stymie the bots?

hi, thank you for this project
it is very useful.
please register this project on packagist.org

If an error is supressed using @ a call to error_get_last() still returns an error, but we have no way of knowing if it was suppressed or not. May need to implement custom PHP error handler for audio and captcha generation to reliably know which errors to ignore.

Hi,
I'm experiencing some trouble with your github repository.

When I try to add it as submodule to my project, I get the following error:

git submodule add https://github.com/dapphp/securimage.git modules/captcha/vendor/securimage

Cloning into modules/captcha/vendor/securimage...
remote: Counting objects: 271, done.
remote: Compressing objects: 100% (219/219), done.
remote: Total 271 (delta 74), reused 244 (delta 47)
Receiving objects: 100% (271/271), 2.05 MiB | 1.03 MiB/s, done.
Resolving deltas: 100% (74/74), done.
error: refs/remotes/origin/master does not point to a valid object!
error: Trying to write ref refs/heads/master with nonexistant object 1471a71
fatal: Cannot update the ref 'HEAD'.
Clone of 'https://github.com/dapphp/securimage.git' into submodule path 'modules/captcha/vendor/securimage' failed

Is there anything you or me can do about that?

Thanks for your help

I have implemented this solution for a client and we started to see the following errors come through on Mod_Security.

[Thu Oct 18 15:10:14 2012] [error] [client 64.26.149.130] ModSecurity: Access denied with code 400 (phase 2). Pattern match "%0[ad]" at REQUEST_URI. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "211"] [id "950910"] [msg "HTTP Response Splitting Attack"] [data "%0d"] [severity "ALERT"] [hostname "www.rentechsolutions.com"] [uri "/rs/quote-submit/"] [unique_id "UIBUFkWgOwcAABbhfmMAAABM"]

This works fine in FF so I'm pretty sure it is all setup correctly. But in MSIE 8 it is not working. the session info is not being saved correctly or is getting overwritten. I did notice that if I refresh the image before submitting that it will work. If you do not refresh the value that it is comparing is not the value that was in the image. Instead of really debugging, I wrote some JS to reload the image after the page load to get it to work.

Hi!

I've implemented a contact form with the example at the root folder but it doesn't take email with '-' in it. [email protected] say "email invalid".

maybe use a simpler regex or a comment as reminder that regex aren't valuable solution to email validation...

Warning: is_executable(): open_basedir restriction in effect. File(/usr/bin/lame) is not within the allowed path(s): (/:/) in /***/vendor/dapphp/securimage/securimage.php on line 1361

securimage 3.6.5

workaround: option 'show_audio_button' => false for getCaptchaHtml

Securimage currently uses inline CSS and JavaScript in several situations, especially for reloading the captcha image and playing audio. Therefore it is necessary to allow inline scripts and styles in the Content Security Policy HTTP headers which is a potential security issue. Would it be possible to completely separate HTML, CSS and JavaScript using id and class attributes for CSS and JavaScript hook-ins?

Do you know about this exploit ?
http://www.idontplaydarts.com/2011/05/exploit-phpcaptcha-securimage/

Any ideas how to fix it ?

Hi,

Just a quick heads-up.

For the SWF changes I updated the securimage code to the latest sources from gihub. In 3.0.1 the audio gets cut off sometimes.

Audio generation is stable now compared to 3.0.1, but the generation speed has decreased significantly. While audio does not get cut off any more, it takes considerably longer before the audio generation is finished.

$img->font_ratio = 0.7; just sets default value 0.4 does not set to 0.7;

Line = 1409: $ratio = ($this->font_ratio) ? $this->font_ratio : 0.4;
Quick fix:
Changed to $ratio = ($this->font_ratio !=null) ? $this->font_ratio : 0.4;
and worked;

Due to the new gTLD fun a TLD can have up to 22 characters, at the moment, or 63 characters in theory.

I have this snippet in a form

<div class="col-md-6 form-group" style="margin-bottom: 5px; margin-top: 2em;">
                <a href="#" class="pull-right captcha-link" onclick="document.getElementById('captcha').src = '/assets/securimage/securimage_show.php?' + Math.random(); return false"><img src="/assets/securimage/images/refresh.png" style="width: 30px;"></a>
                  <img id="captcha" src="/assets/securimage/securimage_show.php" alt="CAPTCHA Image">
                  <input type="text" id="captcha_code" class="form-control required" size="10" maxlength="6">
</div>

Once the user enteres the characters there is an ajax triggered to a file containing
`<?php
require_once($_SERVER['DOCUMENT_ROOT'] . "/assets/securimage/securimage.php");

if(isset($_POST["captcha_code"])){
$securimage = new Securimage();
$result = array();

if($securimage->check($_POST["captcha_code"]) == false){
  // the code was incorrect
	$result["succcess"] = false;
	$result["error"] = $_POST["captcha_code"];
	echo json_encode($result);
}else{
	$result["succcess"] = true;
	$result['data'] = '<input type="hidden" name="cap" value="approved">';
	echo json_encode($result);
}
unset($_POST);

}
exit;
?>`

yet every initial time this event is triggered, even if the code is correct I get a return as false.
If I refresh the captcha, then enter the code it works just fine
If I do a js to trigger a click() on the a tag holding the captcha, again it works fine
But that first time on page load, never, even works the first time.

What could I be doing wrong? I have tried putting session_start() at begining on file and this does nothing.

Flash button is capable of loading custom images with a transparent BG, but flash itself will not be transparent through to the browser background.

Need to add the ability to pass a background color via the URL to flash to set the background color of the stage so the transparent images shows through to the set background.

How intagrate Securimage in OWA Exchange 2013?

You should add a session_write_close() call right before the exit statement in the output() method (https://github.com/dapphp/securimage/blob/master/securimage.php#L1253).

This forces php to save alle session variables.

PHP Warning: substr() expects at most 3 parameters, 4 given in /xxxxxx/securimage/securimage.php on line 2314

https://github.com/dapphp/securimage/releases

please push git tags to github, so the release tarballs would appear!

this would help distro packaging this code in (linux) distributions!

The upcoming 4.0 release is removing Flash audio fallback. Since no present versions of Internet Explorer support WAV in HTML5 audio and most people probably won't have LAME installed or know how to set it up, it's probably necessary to come up with an alternative for IE.

One possibility is to use the existing IE detection in securimage.js to go old school and drop an tag in the DOM for IE to play when the button is pressed.

Hey Drew,

while experimenting with different Fonts I noticed that it would be very handy to be able to configure letter-spacing for the Captcha - as some Fonts tend to be very tight together (unreadable) and others tend to be too wide ...
Maybe it would make sense to add this as an Option? ;-)

thx
Andreas Schnederle-Wagner

btw) my current config/font (at Site bottom) - guess that should be bot-proof again ;-): https://www.futureweb.at/

I have multiple forms on a page which seem to validate strangely or randomly.

1. If I enter the first code correctly, the same form will validate correctly every time until the code is entered incorrectly. After this validation always fails until I click on the image to reload it, then it all starts fine.
2. Regardless of the 1st form processed, any other form fails validation until the image is clicked to reload. Then it start passing as in point 1.

Namespaces don't seem to help.

This is the view.php:

echo '<div class="form-group">';
    $captcha->setNamespace($bUID);
    $captcha->display();
    echo $form->text('code'.$bUID, $code);
echo '</div>';

This is the controller.php:

$captcha->setNamespace($_POST['buid']);
if (!$captcha->check('code')) {
    array_push($this->form_errors, $this->error_code);
}

The $bUID is a unique form block number, that is each form field is unique.

Looks like even though each form is unique, the Securimage image is created one for all, not as one for each form. And the namespaces don't help for some reason.

Is there any way to create a captcha image with a unique code and path for each unique form?

So either please change the documentation/examples how to use the check() function or do a test within the check function if the parameter is really a string before passing it to validate().

If someone changes in a form input-tag from name="code" to name="code[blabla]", $_POST['code'] is passed as an array by PHP.

And then you get

Warning: strtolower() expects parameter 1 to be string, array given in /***/dapphp/securimage/securimage.php on line 2358

(securimage 3.6.5)

Background:

1. Audio captcha does not support iOS devices.
2. Safari of iOS initiates numerous HTTP range requests of audio file and server must return partial content to make the audio playable.
3. Audio captcha must return exactly the same generated wav file within the same session so that the return of range request can be combined correctly on Safari.

The following quick and dirty proof of concept has been made for a workable demonstration:-
1and2papa@4410b2e

On the Website, you make a test script available so prospective users can check that securimage will work in their environment. Unfortunately, it does not appear to be anywhere in this repository! This makes it somewhat difficult to offer enhancements.

This doesn't look right:

https://github.com/dapphp/securimage/blob/master/WavFile.php#L1771-L1776

filter() takes an array as the first arg

please remove default sound icon form audio btn, when external icon is set, otherwise default icon is visible until external is loaded

For nextgen branch.
Here is a screenshot http://prntscr.com/elz0cw.

Removed from example_form.php session_start() and it started working, because the Session Adapter already starting session, after this changes expiration time of captcha not working.

I have searched for issue and couldn't resolve it. Maybe it should be added to get function in Session Adapter.

I would expect the following code to generate a math captcha, but it keeps generating an alphanumeric captcha.

    <?php
    require_once('./inc/securimage/securimage.php');
    $securimage = new Securimage([
        'captcha_type'=>Securimage::SI_CAPTCHA_MATHEMATIC,
    ]);
    echo $securimage->getCaptchaHtml();
    ?>

Hi there, I'd like to know how to change default audio files :
This does not work

require_once __DIR__ . '/vendor/dapphp/securimage/securimage.php';
echo Securimage::getCaptchaHtml([
	'audio_path' => __DIR__ . '/php/secureimage/audio/en/'
]);

When I read docs :

$img = new Securimage();
$img->audio_path = $img->securimage_path . '/audio/de/'; // switch to German

but how do I then call a static method with an instanciated class ?

Thanks for your lights !

Cannot set session name within secureimage_show.php
$img->session_name = "MYSESSION";
constructor sets the session for the default php session value;

but it works if I change the session_name in securimage.php;

I think before the session start in constructor session name should be passed.

In Securimage::generateCode you generate random strings with php rand function which is not cryptographically secure.

As stated in php.net/rand:

This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using openssl_random_pseudo_bytes() instead.

The problem with string not being cryptographically secure is that you can predict next values if you gather enough data. See here.

Here php.net user proposes mt_rand secure replacement which uses openssl_random_pseudo_bytes function. I will the paste code here:

function crypto_rand_secure($min, $max) {
        $range = $max - $min;
        if ($range == 0) return $min; // not so random...
        $log = log($range, 2);
        $bytes = (int) ($log / 8) + 1; // length in bytes
        $bits = (int) $log + 1; // length in bits
        $filter = (int) (1 << $bits) - 1; // set all lower bits to 1
        do {
            $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes, $s)));
            $rnd = $rnd & $filter; // discard irrelevant bits
        } while ($rnd >= $range);
        return $min + $rnd;
}

crypto_rand_secure generates decimal random number between $min and $max decimal values.

I would like you to consider using this function instead of rand function. Of course Securimage would then be dependent on OpenSSL but then you could make fallback with:

if(! function_exists("openssl_random_pseudo_bytes"))
{
    // use rand
}
else
{
    // use openssl_random_pseudo_bytes
}

I could make pull request if you want (and if you agree with this whole argument ;) ).

It appears that securimage is intended to be mostly unrestricted in its use, considering the use of the BSD 2-Clause license in LICENSE.txt, and on the use of "BSD" in the license key of composer.json.

Unfortunately, the PopForge flash library on which it depends is licensed under GPLv3. The icons from the Humility pack are also licensed under (some version of) GPL. The GPL is, by design, viral; since securimage uses these components, the entire work is must be treated as effectively licensed under the GPL.

This is not immediately obvious, and does not seem desirable in a work nominally released under a permissive license like BSD 2. Finding more compatibly-licensed components seems desirable.

I am not a lawyer, etc.

Hello Drew,
Securimage audio button not show up in html code. When open URL in separate window it play audio. How to troubleshoot it ?

Slava.

Validation stopped working after version upgrade! It used to be php 7.0.
The new php issued a warning and I had to add such a line before session_start:
session_save_path($_SERVER['DOCUMENT_ROOT'].'/tmp'); And now checking captcha: if(!(new Securimage())->check($_POST['code']))`
not worked. In folder tmp create's file sess_10053rpm3n10dsa19392nlh9et

securimage_code_disp|a:1:{s:7:"default";s:7:"cyhm8sc";}securimage_code_value|a:1:{s:7:"default";s:7:"cyhm8sc";}securimage_code_ctime|a:1:{s:7:"default";i:1546968058;}securimage_code_audio|a:1:{s:7:"default";N;}
insert code cyhm8sc and not worked

Examples are using "audio_path" to specify securimage_play.php but it needs to be changed to "audio_file" for the new button.

You forgot to update the version number in README files to 3.6.5 ;)

Hello @dapphp !

At first, thank you for amazing and hard work!
I beg for help. I lose so much time to figure out a problem.
I've used your product for my project. It worked everything perfect at localhost. But when i publish it to a server (nginx), i can't even get loaded image. Sound loads well, but image won't display, and refresh button does not work.

There is errors

• Console:
  

• Network tab:
  

• Error log on server:
  

This is how it's looks like in form:

• Inspect element:
  

Thank you for you time!

hello,
i recently tried to clone your repo and encountered an error:

$ git clone 'git://github.com/dapphp/securimage.git'
Cloning into securimage...
remote: Counting objects: 587, done.
remote: Compressing objects: 100% (373/373), done.
remote: Total 587 (delta 252), reused 539 (delta 205)
Receiving objects: 100% (587/587), 10.20 MiB | 1.01 MiB/s, done.
Resolving deltas: 100% (252/252), done.
error: refs/remotes/origin/master does not point to a valid object!
error: Trying to write ref refs/heads/master with nonexistant object b3e4d81a88549b3acb035d7e7846eda96f1cd72a
fatal: Cannot update the ref 'HEAD'.

just wanted to let you know about this issue (might run git remote prune origin according to google)

Hi drew !
Would you know if it’s possible to start playing the audible captcha through javascript ?
Indeed, it would make the captcha more accessible for visually disabled people who can’t view the captcha on the page or use the keyboard navigation.
I managed to refresh the picture successfully by adding a link and a onclick event… but I can’t read the captcha (I can give the focus to the object through a link but don’t know what to put in the onclick event to actually read the captcha).
Thanks for your help,
Alexboss 8)

any chance for adding hand cursor for audio btn?

Hi,
I'm trying to make the audio work on my iPad / iPhone (with Safari), but it doesn't. The audio button renders the "loading" image after clicking it, but it stays in this state and no audio is played. The HTTP request is well processed (I checked in the Apache's log), and no error is triggered in the outputAudioFile() method either. I also tested using the "captcha.html" file provided with the package, and it doesn't work too (whereas everything works well on my computer, using Chrome, Firefox or MSIE). I've tested the demo on the phpcaptcha.org site, and I have no issue with my iPad. The only difference between your site and my server seems to be that Lame is not enabled on my side, so only wave audio is supported. Is that the point? Are iOS devices only supporting MP3 audio files?
Could you please check out that the audio works for you on iOS if the MP3 / Lame support is not available?
Thanks a lot for your help.
ML.

My custom items aren't displaying their texture, the URL is valid, it still says their custom item name, and still works like that item. it just doesn't have the texture. My block issue is that i can't destroy them once they are placed. But they do have the right texture on the ground but not in my hand. Spout Build: 545. Thats the latest for bukkit 1492.

Make this lib compatible with the PSR-4 Autoloader standard
https://www.php-fig.org/psr/psr-4/

Please add options to change the path and filename for errorlog file. I build a plugin for CMS CONTENIDO 4.9 and this cms has its own path for all logs. So i wanna save logs of securimage there, because the user can view all logs in backend of cms.

regards from germany
Ortwin

When I try to use the 3.6 version of Securimage on IE11, I've got the following JS error: copyElement() method doesn't exist. Indeed, I look into the securimage.js file, and the method is used but is not implemented. Maybe this is a JS core method, but it seems not to be understood my MSIE.
Could you please look into this?
Thanks a lot for your work.