Re-Captcha2 no longer fit for purpose


keat

I've said for a while that reCAPTCHA v2 had been circumvented.

We get the occasional spam message from our own web site, but yesterday I spotted that our web site is now sending spam externally via our contact form.

Looking into how reCAPTCHA has been circumvented: the bot apparently authenticates by requesting the audio challenge and then transcribing this back into text.

Ingenious.

 

So could anyone help me get invisible reCAPTCHA working on the Mican and Kurouto skins, or suggest an alternative that works?

 


@Bsmither.

Your thread only really refers to implementing V2, which I already have.

V2 has been circumvented.

So ideally, I need to get invisible working or come up with an alternative to reCAPTCHA.


The "invisible" mode of reCaptcha is still considered to be of the v2 'family'.

CubeCart's list of choices is numbered 0 (disabled), 1 (no longer a choice), 2 (standard 'I am not a robot' picture chooser), and 3 (invisible).

What you see in the code is the numerical index to CubeCart's internal list of modes of Google's reCaptcha v2.

 



I followed the code on one of my Kurouto sites; everything was in place apart from my 'content.recaptcha.php', which had a lot more code inside it.

And I was missing element.recaptcha.invisible.php, which I created.

The store still shows as not being compatible with invisible.

However, if I choose invisible and then navigate to the contact form, I see no challenge (this is a good sign), but when I try to send the form I get the following.

The following errors were detected:

  • The verification code was incorrect. Please try again.

So I then made content.recaptcha.php as per the code, but still the same error.

Edited by keat

Looking inside config.xml, my Kurouto skin is v1.0.3, which according to the CubeCart extensions changelog is already compatible with V2.

So am I missing anything more to make it V2 invisible compatible?


Chaps..

 

This situation is embarrassing; I'm getting female members of my team telling me that they are receiving explicit messages from one of our contact forms.

Can anyone suggest how I get invisible working? Failing that, I'll have to employ the services of a dev to write something which works.


To review, please verify your skin has made the following changes:

The skin's config.xml, from:

</images>
</skin>

To:

</images>
  <!-- Use this to add custom variables into the skin which can be found in the smarty SKIN_CUSTOM array -->
  <custom>
    <recaptcha_badge_position>bottomright</recaptcha_badge_position><!-- Invisible Recaptcha Badge Position: bottomright, bottomleft or inline -->
  </custom>
</skin>
A new template, content.recaptcha.head.php, containing:

{if $RECAPTCHA}
<script src="https://www.google.com/recaptcha/api.js?onload=reCaptchaCallback&render=explicit" async defer></script>
{/if}
{if $RECAPTCHA=='3'}
<script>
var reCaptchaCallback = function() {
        $(".g-recaptcha" ).each(function() {
            var el = $(this);
            grecaptcha.render($(el).attr('id'), {
                'sitekey': '{$CONFIG.recaptcha_public_key}',
                'badge': '{$SKIN_CUSTOM.recaptcha_badge_position}',
                'callback': function(token) {
                    if($(el).attr("data-form-id")){
                        $('#'+$(el).attr("data-form-id")).submit();
                    } else {
                        $(el).parent().submit();
                    }
                }
            });
        });
    };
</script>
{/if}
The existing template, content.recaptcha.php, from:

{if $RECAPTCHA}
<fieldset id="recaptcha-title">
  <legend>{$LANG.form.verify_human}</legend>
  <script type="text/javascript">
   var RecaptchaOptions = {
      theme : 'clean'
   };
  </script>
  {$DISPLAY_RECAPTCHA}
</fieldset>
{/if}

To:

{if $RECAPTCHA=='1' || $RECAPTCHA=='2'}
<fieldset id="recaptcha-title">
  <legend>{$LANG.form.verify_human}</legend>
  {if $RECAPTCHA=='2'}
    {if empty($CONFIG.recaptcha_public_key) || empty($CONFIG.recaptcha_secret_key)}
  <p>{$LANG.form.recaptcha_key_not_set}</p>
    {else}
  <div class="g-recaptcha" data-sitekey="{$CONFIG.recaptcha_public_key}"></div>
    {/if}
  {else}
  <script type="text/javascript">
  var RecaptchaOptions = {
    theme: 'clean'
  };
  </script>
{$DISPLAY_RECAPTCHA}
  {/if}
</fieldset>
{/if}
A new template, element.recaptcha.invisible.php, containing:

{if $RECAPTCHA=='3'}
 data-sitekey="{$CONFIG.recaptcha_public_key}" data-callback="recaptchaSubmit"
{/if}
The template content.contact.php, from:

	{include file='templates/content.recaptcha.php'}
	<p><input type="submit" class="button_submit" value="{$LANG.documents.send_message}" /></p>
</form>

To:

	{include file='templates/content.recaptcha.php'}
	<p><input type="submit" class="button_submit g-recaptcha" value="{$LANG.documents.send_message}" /></p>
</form>
The template content.register.php, from:

	{/if}
	<p><input type="submit" name="register" value="{$LANG.account.register}" class="button_submit" /></p>
</form>

To:

	{/if}
	<p><input type="submit" name="register" value="{$LANG.account.register}" class="button_submit g-recaptcha" /></p>
</form>
The template content.checkout.php, from:

			{if $DISABLE_CHECKOUT_BUTTON!==true}
			<input type="submit" name="proceed" class="button_submit" value="{$CHECKOUT_BUTTON}" />
			{/if}

To:

			{if $DISABLE_CHECKOUT_BUTTON!==true}
			<input type="submit" name="proceed" class="button_submit g-recaptcha" value="{$CHECKOUT_BUTTON}" />
			{/if}
The template box.newsletter.php, from:

			<input type="submit" class="submit right" value="Subscribe" />

To:

			<input type="submit" class="submit right g-recaptcha" value="Subscribe" />
			<div class="hide" id="newsletter_recaptcha">
			{include file='templates/content.recaptcha.php' ga_fid="Newsletter"}
			</div>
The template content.product.php, from:

				<input type="submit" value="{$LANG.catalogue.submit_review}" class="button_submit" />

To:

				<input type="submit" value="{$LANG.catalogue.submit_review}" class="button_submit g-recaptcha" />
The template main.php, from:

</head>

To:

{include file='templates/content.recaptcha.head.php'}
</head>

CubeCart determines if the reCaptcha version 2 can be seen in the currently selected storefront's default skin (as set in the Layout tab, and the cache has been cleared) if the template 'content.recaptcha.head.php' exists, and if the invisible mode can be seen if the template 'element.recaptcha.invisible.php' exists. The code for this can be seen in the admin /source/settings.index.inc.php, near lines 462-465. If these templates do not exist in the currently selected default skin, there will be a message that these modes are not available for the currently selected default skin.

The above skin edits were taken from an experiment on the e-Tone skin. There may be slight differences in class names as compared to Kurouto.

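The availability rule Bsmither describes above (v2 needs content.recaptcha.head.php, invisible mode needs element.recaptcha.invisible.php, both in the currently selected skin) can be checked from the command line before touching the admin panel. The script below is an added example written for this thread, not CubeCart's own code, and does not reproduce settings.index.inc.php. It assumes the skin lives in one directory with config.xml at its root and the templates under templates/ (the layout the {include} paths in the thread suggest); the function names, the list of templates it scans, and the regular expressions are the author's own choices. Beyond the bare file-exists rule, it also reports the badge position from config.xml, whether main.php pulls in the head template, and which submit buttons on the forms Bsmither lists still lack the g-recaptcha class that invisible mode relies on.

```php
<?php
// Added example, not CubeCart code: stand-alone checker for the skin edits
// described in this thread. Assumes <skin>/config.xml and <skin>/templates/.

// Templates from the thread whose submit buttons carry class="... g-recaptcha".
const RECAPTCHA_FORM_TEMPLATES = [
    'content.contact.php',
    'content.register.php',
    'content.checkout.php',
    'box.newsletter.php',
    'content.product.php',
];

// Values the thread names for <recaptcha_badge_position>.
const VALID_BADGE_POSITIONS = ['bottomright', 'bottomleft', 'inline'];

function checkSkinRecaptchaSupport(string $skinDir): array
{
    $skinDir = rtrim($skinDir, '/');
    $tpl = "$skinDir/templates";
    $report = [
        'skin'      => basename($skinDir),
        'v2'        => is_file("$tpl/content.recaptcha.head.php"),
        'invisible' => is_file("$tpl/element.recaptcha.invisible.php"),
        'badge'     => null,
        'warnings'  => [],
    ];

    // Invisible mode is part of the v2 family, so it needs the head template too.
    if ($report['invisible'] && !$report['v2']) {
        $report['warnings'][] = 'element.recaptcha.invisible.php present but content.recaptcha.head.php missing';
    }

    // config.xml: the <custom><recaptcha_badge_position> element from the thread.
    libxml_use_internal_errors(true);
    $xml = is_file("$skinDir/config.xml") ? simplexml_load_file("$skinDir/config.xml") : false;
    if ($xml === false) {
        $report['warnings'][] = 'config.xml missing or not well-formed XML';
    } elseif (!isset($xml->custom->recaptcha_badge_position)) {
        $report['warnings'][] = 'config.xml has no <custom><recaptcha_badge_position> element';
    } else {
        $report['badge'] = trim((string) $xml->custom->recaptcha_badge_position);
        if (!in_array($report['badge'], VALID_BADGE_POSITIONS, true)) {
            $report['warnings'][] = "unexpected badge position '{$report['badge']}'";
        }
    }

    // main.php must include the head template, otherwise api.js is never loaded.
    $main = is_file("$tpl/main.php") ? file_get_contents("$tpl/main.php") : '';
    if (strpos($main, 'content.recaptcha.head.php') === false) {
        $report['warnings'][] = 'main.php does not include content.recaptcha.head.php';
    }

    // Each submit button on the listed forms needs the g-recaptcha class.
    foreach (RECAPTCHA_FORM_TEMPLATES as $name) {
        $path = "$tpl/$name";
        if (!is_file($path)) {
            continue; // not every skin ships every template
        }
        foreach (submitButtonsWithoutRecaptchaClass(file_get_contents($path)) as $tag) {
            $report['warnings'][] = "$name: submit button lacks g-recaptcha class: $tag";
        }
    }

    return $report;
}

// Returns the raw <input type="submit" ...> tags whose class attribute does not
// contain g-recaptcha. The templates are Smarty, but these tags are plain HTML.
function submitButtonsWithoutRecaptchaClass(string $html): array
{
    preg_match_all('/<input\b[^>]*\btype=["\']submit["\'][^>]*>/i', $html, $m);
    $missing = [];
    foreach ($m[0] as $tag) {
        $hasClass = preg_match('/\bclass=["\']([^"\']*)["\']/i', $tag, $c);
        if (!$hasClass || !preg_match('/(^|\s)g-recaptcha(\s|$)/', $c[1])) {
            $missing[] = $tag;
        }
    }
    return $missing;
}

// Usage: php check_skin_recaptcha.php /path/to/skins/kurouto
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $r = checkSkinRecaptchaSupport($argv[1]);
    printf("Skin %s: v2 %s, invisible %s, badge %s\n",
        $r['skin'],
        $r['v2'] ? 'available' : 'NOT available',
        $r['invisible'] ? 'available' : 'NOT available',
        $r['badge'] ?? 'unset');
    foreach ($r['warnings'] as $w) {
        echo "  warning: $w\n";
    }
}
```

Run it against the skin directory that the Layout tab selects as the default; if it reports both modes available and no warnings but the admin panel still says invisible is unsupported, the remaining suspect is the cache Bsmither mentions.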


There are too many differences in the code you supplied to what I'm actually finding in Kurouto.

I'm cutting and pasting what I think ought to be cut and pasted, but I can already see there are going to be errors.

I don't know enough about PHP to be able to safely decipher the differences.

 

I tried and broke the web site instantly.

Edited by keat

Just the first step alone.

 

My config.xml is populated with all sorts.

I found a number of discrepancies between your e-Tone and my Kurouto.

 

<?xml version="1.0"?>
<skin version="3.1">
  <info>
    <!--
    UIDs can be generated on the unix/linux command line using `uuid -v4`, or you can use any string, as long as you think it wont accidentally be picked by anyone else
    A good example of the latter would be something like '[email protected]'. While not necessarily an active email address, it's a pretty good approximation of a unique key
    -->
    <uid>[email protected]</uid>
    <type>skin</type>
    <name><![CDATA[kurouto]]></name>
    <display><![CDATA[Kurouto]]></display>
    <version>1.0.3</version>
    <minVersion>5.0.0a</minVersion>
    <maxVersion>5.1.*</maxVersion>
    <creator>CubeCart Ltd</creator>
    <homepage>http://www.cubecart.com</homepage>
    <mobile>false</mobile>
  </info>
  <layout>
    <products>
        <perpage amount="6" />
        <perpage default="true" amount="12" />
        <perpage amount="24" />
        <perpage amount="48" />
        <perpage amount="96" />
    </products>
  </layout>
  <styles>
    <style images="true" default="true">
      <!-- images: TRUE tells the template system that this style has its own image folder. FALSE would use the contents in the root of the images folder -->
      <directory>blue</directory>
      <name><![CDATA[Blue]]></name>
      <description><![CDATA[Blue style]]></description>
      <default />
    </style>
    <style images="true">
      <directory>green</directory>
      <name><![CDATA[Green]]></name>
      <description><![CDATA[Green style]]></description>
    </style>
    <style images="true">
      <directory>grey</directory>
      <name><![CDATA[Grey]]></name>
      <description><![CDATA[Grey style]]></description>
    </style>
    <style images="true">
      <directory>orange</directory>
      <name><![CDATA[Orange]]></name>
      <description><![CDATA[Orange style]]></description>
    </style>
    <style images="true">
      <directory>purple</directory>
      <name><![CDATA[Purple]]></name>
      <description><![CDATA[Purple style]]></description>
    </style>
    <style images="true">
      <directory>red</directory>
      <name><![CDATA[Red]]></name>
      <description><![CDATA[Red style]]></description>
    </style>
  </styles>
  <images>
    <!-- Common -->
    <image reference="thumbnail" maximum="138" quality="75" default="noimage_thumbnail.png" />
    <!-- Category Page -->
    <image reference="category" maximum="580" quality="100" default="" /><!-- Doesnt need a default -->
    <image reference="subcategory" maximum="70" quality="70" default="noimage_subcategory.png" />
    
    <!-- Product Page -->
    <image reference="gallery" maximum="50" quality="60" default="noimage_gallery.png" />
    <image reference="normal" maximum="270" quality="90" default="noimage_normal.png" />
    <image reference="enlarge" maximum="600" quality="90" default="" /><!-- Doesnt need a default -->
    
    <!-- Possible names (sizes): thumbnail (138), product(300-ish), enlarged (big), zoom (bigger, poss. source?) -->
    
    <!-- These are the ones currently in use -->
    <image reference="tiny" maximum="30" quality="75" default="noimage_thumbnail_tiny.png" />
    <image reference="small" maximum="138" quality="75" default="noimage_thumbnail.png" />
    <image reference="medium" maximum="270" quality="90" default="noimage_normal.png" />
    <image reference="large" maximum="600" quality="90" default="" /><!-- Doesnt need a default -->
  </images>
 
</skin>

The skin's config.xml, from:

</images>
</skin>

To:

</images>
  <!-- Use this to add custom variables into the skin which can be found in the smarty SKIN_CUSTOM array -->
  <custom>
    <recaptcha_badge_position>bottomright</recaptcha_badge_position><!-- Invisible Recaptcha Badge Position: bottomright, bottomleft or inline -->
  </custom>
</skin>

Please observe the differences between the 'from' code versus the 'To' code. Then, find those lines specified in the 'from' section. The specified lines could be anywhere in the file, and may have extremely minor differences, but should be easy enough to locate.

For example, in your code posted above, the last two lines (mostly) match:

  </images>
 
</skin>

Between those two lines, add the following changes:

  <!-- Use this to add custom variables into the skin which can be found in the smarty SKIN_CUSTOM array -->
  <custom>
    <recaptcha_badge_position>bottomright</recaptcha_badge_position><!-- Invisible Recaptcha Badge Position: bottomright, bottomleft or inline -->
  </custom>

For the template file edits, note the essential difference between the 'from' section versus the 'To' section.

Among all the lines of code in the template files, locate just the one line (or two, three) specified in the 'from' section. Apply the difference noted.


Maybe that was a poor example.

 

Some of these things you're suggesting to add already exist, which makes me think that the skin has maybe already been modified.

e.g. content.recaptcha.head.php: you're suggesting to create this file, but it already exists.

So I'm unsure whether to leave it or modify it.

 

{if $RECAPTCHA=='2' || $RECAPTCHA=='3'}
<script src="https://www.google.com/recaptcha/api.js"></script>
{/if}
{if $RECAPTCHA=='3'}
<script>
function recaptchaSubmit(token) {
    $('.g-recaptcha').closest("form").submit();
}
</script>
{/if}

Edited by keat
