MyBB Community Forums

Full Version: Public poll - suggestion
DennisTT suggested I start a new thread there, so I am.

In a public poll, a malicious guest can disable cookies and vote many times.
(from: http://community.mybboard.net/newreply.p...pid=140860)

I thought about an IP test for voting. My forum is for a charity organization, so many people may be using an internet cafe. I can block an IP after a vote for only 1 hour, maybe 30 min. Malicious users can be stopped a little, and other users from this internet cafe still have a chance to vote.

I will add a new field "voteip" to xxx_pollvotes. Next, for this IP (if it exists) I can compare the date with dateline (in polls.php, action==vote).

I'll use:
$IPx = $HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"];
$proxy = $HTTP_SERVER_VARS["REMOTE_ADDR"];
$host = @gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]);
but maybe you have some function for this - I will make sure that I'm not destabilizing my forum.

DennisTT Wrote:IP addresses cannot really be relied on these days for voting because of NAT behind networks - all users of a local network share a common public IP address on the internet, the majority of AOL users use a list of transparent proxies and as a result they show up as having the same IP address as well.

Our IP address function is get_ip() and it is already assigned to a user in $session.

As for the double voting cookie problem, it is fixed already. If you wish to suggest other changes to the poll system, please make a thread in the suggestions forum or post on the ideas site.

I'm not 100% sure, but for a transparent proxy and an "anonymous proxy" (transparent too), $HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] gives us the correct IP. Only an elite proxy can't be detected this way.

You can check this:
  1. get a fresh anonymous proxy from http://www.digitalcybersoft.com/ProxyLis...ransparent
  2. set this proxy in your browser settings (Firefox: Tools->Options->Advanced->Network->Settings)
  3. next you can check your anonymous and true IP on:
    http://www.engpol-community.org/abc.php
But I'm not sure how this is with AOL. Maybe somebody from AOL can check this for me :)
As I posted, AOL will hide the original IP.

MyBB already detects and uses the forwarded_for address if it is available.
Chris Boulton Wrote:MyBB already detects and uses the forwarded_for address if it is available.

I know, but I saw in the Admin CP settings:

- Time Between Registrations (The amount of time (in hours) to disallow registrations for users who have already registered an account under the same ip address.)

- Maximum Registrations Per IP Address
This option allows you to set the maximum amount of times a certain user can register within the timeframe specified above.

So, I thought that MyBB has some "mechanism" :(
If you have guest voting on in polls...there is NO WAY you can prevent cheating...NONE. So easiest method is to only allow members to vote.
labrocca Wrote:If you have guest voting on in polls...there is NO WAY you can prevent cheating...NONE. So easiest method is to only allow members to vote.
Now I disable unregistered voting.

I think that a CAPTCHA can stop some people a little.
As I said, it's possible that somebody uses only a link to poll.php with all params

http://www.some.site/forum/polls.php?act...36option=1

and he can send this link many times. But if MyBB puts a CAPTCHA there, then this way can be blocked.

In the far future: maybe something like "temporary registration": before voting or replying, a user must give some temporary nickname, and is logged in with this nick... and he has a normal sid. When he wants to change sid, he must log in again on the registration page... I think this is a boring job, so it can stop most malicious people much better than only a CAPTCHA.

This is only philosophising, but who knows... maybe in MyBB 2.24.53 this can be a reality :)
patrick_2007 Wrote:I think that a CAPTCHA can stop some people a little.
As I said, it's possible that somebody uses only a link to poll.php with all params

http://www.some.site/forum/polls.php?act...36option=1

and he can send this link many times. But if MyBB puts a CAPTCHA there, then this way can be blocked.

We could just block that by checking if the request method is POST. And change the poll form to POST instead of GET.
Why not :)
It's a good idea, CraKter, because most "persona non grata" don't know HTML.
Others can write a simple HTML page with some form...
Still, I can click "submit" until my finger is numb. Next I change finger :)

I think the only way to protect against malicious people is... kill all malicious people :D
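
Added example, not part of any post in this thread and not MyBB code: a sketch of the two server-side checks discussed above, the per-IP time window on "voteip"/"dateline" from the first post and the POST-only check suggested later. The function names, the pollvotes schema, the sample addresses and the in-memory SQLite database are assumptions made for illustration; the caller supplies the IP (in MyBB that would be the value from get_ip() mentioned above).

```php
<?php
// Added example; function names and schema are illustrative, not MyBB's.
const VOTE_WINDOW = 3600; // seconds an IP is held off per poll (the "1 hour" in the first post)

function guest_vote_allowed(PDO $db, string $method, int $pid, string $ip, int $now): bool
{
    // POST-only check: a vote link sent as a GET request is refused.
    if (strtoupper($method) !== 'POST') {
        return false;
    }
    // Any vote from this IP on this poll inside the window blocks a new one.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM pollvotes WHERE pid = ? AND voteip = ? AND dateline > ?'
    );
    $stmt->execute([$pid, $ip, $now - VOTE_WINDOW]);
    return (int) $stmt->fetchColumn() === 0;
}

function record_guest_vote(PDO $db, int $pid, int $option, string $ip, int $now): void
{
    $stmt = $db->prepare(
        'INSERT INTO pollvotes (pid, voteoption, voteip, dateline) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$pid, $option, $ip, $now]);
}

// Constructed demo data: in-memory SQLite stands in for the forum database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pollvotes (pid INTEGER, voteoption INTEGER, voteip TEXT, dateline INTEGER)');

$t0 = 1200000000; // constructed timestamp
$requests = [
    ['GET',  '192.0.2.10', $t0],                   // vote sent as a plain link
    ['POST', '192.0.2.10', $t0 + 5],               // first form submission
    ['POST', '192.0.2.10', $t0 + 60],              // same address one minute later
    ['POST', '192.0.2.77', $t0 + 61],              // different address
    ['POST', '192.0.2.10', $t0 + 5 + VOTE_WINDOW], // same address once the window has passed
];
foreach ($requests as [$method, $ip, $now]) {
    $ok = guest_vote_allowed($db, $method, 1, $ip, $now);
    if ($ok) {
        record_guest_vote($db, 1, 2, $ip, $now);
    }
    printf("%-4s %-11s t+%-4d %s\n", $method, $ip, $now - $t0, $ok ? 'accepted' : 'rejected');
}
```

As the replies in the thread point out, users behind NAT or a shared proxy present the same address, so a check like this only slows repeat voting from one address and does not identify an individual voter.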