Not Solved Bot seems like by passing Registration Security Question plugin
#11
Not Solved
I believe G33K stated that the stats aren't 100% accurate. Right now, I have 644 members, but the count is only up to 639 (I only have 1 security question).

You should change your questions. I haven't had 1 spam bot get through with the question that I'm using, and the answer is only 4 letters long.
Reply
#12
Not Solved
Re installing the plugin. Log out and try to register and see if there is a problem.
Reply
#13
Not Solved
This user has been denied support. This user has been denied support.
(2012-11-11, 08:34 PM)MonsterMMORPG Wrote: they are registering somehow without answering Registration Security Question

It seems to be possible with the current version of the plugin.

        $regq_id = intval($mybb->input['regsecureq_id']);
        // Only if id is valid, else we assume the regq block is not visible.
        if($regq_id > 0)

If the bot submits a registration form that doesn't have a regq_id in it, it just assumes that it didn't ask a question in the first place, and accepts the input. Thus it's bypassed. To fix, remove that if condition or replace it with if(1)

You could reject incomplete registration forms by using this code in member_do_register_start hook (use at your own peril, this one requires standard mybb captcha and registration security question plugins to be in active use):

global $mybb;

if(!isset($mybb->input[$mybb->settings['hiddencaptchaimagefield']])
   || !isset($mybb->input['regcheck1'])
   || !isset($mybb->input['regcheck2'])
   || !isset($mybb->input['regsecureans'])
   || !isset($mybb->input['regsecureq_id'])
   || !isset($mybb->input['language']))
{
     error("Internal error.");
}

It doesn't actually really prevent bypassing though, as bots can still post a regsecureq id <= 0.

The effectiveness depends on bot stupidity either way, as bots can simply be taught the correct answer to any question, and the bot can reuse that indefinitely, no matter how many questions you actually have because the client gets to choose which one it submits.
Reply
#14
Not Solved
The stats do have some problems causing it not to be an accurate count under certain conditions so I wouldn't place too much importance on the 1:1 compare of registrations vs correct answers.
I had planned a re-write of this plugin with additional features that would also make it more secure and in the process would also make the stats work perfectly (read below).

The above bug where the bots can bypass by setting regq_id to < 0 was actually brought to my attention a while back but I decided to hold off releasing an update as I had already started a rewrite of the plugin and I thought I would just release the new rewritten plugin including the fix for the bug.
However, due to time constraints, MyBB plugins have sort of taken a back seat for me for some time now and in hind sight I should have just released the fix rather than waiting to do the rewrite.
So, I'm going to release a quick update that fixes the above bug of bypassing the questions. The rewrite + fix for stats will come later on as I get more time to work on them.
Reply
#15
Not Solved
I've been noticing the same issue on my site droid-force.com, where a recaptcha plus the plugin is being bypassed and about 50 bot registrations per day.

I would also be grateful for the fix as and when it can be released.
Reply
#16
Not Solved
Agreed. G33K.. if you can provide an update on when this security update is expected to be released that would be much appreciated. I see from your last reply that you were going to release this as soon as possible, and this was over a week ago now.

Not that I am complaining, would just like to know when to expect this as it is a much needed security update, I have multiple forums being affected by this.

Thanks!
Reply
#17
Not Solved
(2012-11-17, 02:08 AM)- G33K - Wrote: The stats do have some problems causing it not to be an accurate count under certain conditions so I wouldn't place too much importance on the 1:1 compare of registrations vs correct answers.
I had planned a re-write of this plugin with additional features that would also make it more secure and in the process would also make the stats work perfectly (read below).

The above bug where the bots can bypass by setting regq_id to < 0 was actually brought to my attention a while back but I decided to hold off releasing an update as I had already started a rewrite of the plugin and I thought I would just release the new rewritten plugin including the fix for the bug.
However, due to time constraints, MyBB plugins have sort of taken a back seat for me for some time now and in hind sight I should have just released the fix rather than waiting to do the rewrite.
So, I'm going to release a quick update that fixes the above bug of bypassing the questions. The rewrite + fix for stats will come later on as I get more time to work on them.

any fix released for this ?
Pokemon Style With Lots Of Maps Monster MMORPG Game Developer
Reply
#18
Not Solved
This user has been denied support. This user has been denied support.
(2013-07-05, 11:27 AM)MonsterMMORPG Wrote: any fix released for this ?

No but I described what change you could make here

http://community.mybb.com/thread-129189-...#pid938626

That's about what I'm using and it still works well for me...

Alternatively I think there's another question plugin, maybe that'll work better for you.
Reply
#19
Not Solved
(2013-07-05, 11:33 AM)frostschutz Wrote:
(2013-07-05, 11:27 AM)MonsterMMORPG Wrote: any fix released for this ?

No but I described what change you could make here

http://community.mybb.com/thread-129189-...#pid938626

That's about what I'm using and it still works well for me...

Alternatively I think there's another question plugin, maybe that'll work better for you.

can you upload here working version ? your modified plugin thank you
Pokemon Style With Lots Of Maps Monster MMORPG Game Developer
Reply
#20
Not Solved
I know this thread is from a long time ago, but since people requested it, here's the updated regsecureq with a one-line security patch to work around the if($regq_id > 0) bug. I have tested it on my own tiny forum, and it appears to work.


.zip   regsecureq-2013-09-03.zip (Size: 149.41 KB / Downloads: 210)
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)