Thursday, July 19, 2007

In some dimly remembered past lost in the swirling mists of time, I wrote a web gadget I called Quotebox. I don't recall why; I think it was mostly an excuse to see if I could meld graphical elements from POV-Ray with a web site. The answer, obviously, is yes. It doesn't really serve any purpose beyond that, though, and I doubt anyone ever looks at it.

Except the spammers.

I hadn't looked at it myself in ages, but I was tweaking the site yesterday, and I wanted to check out the old quotebox. There were something like 2500 spam quotes in the box. The best part is, most contained URLs, with HTML tags, that were rendered in the box so poorly (because it specifically does not render HTML tags) that even if one did want cheap cialis, that idiot would have to copy and paste the URLs out of the mess.

Why?

So, I added my captcha code to it, too. For some miraculous reason, the captcha has completely eliminated blog spam. We'll see if it has the same effect on the quotebox.

While doing that, though, I noticed that I was giving away the keys to the castle. The form you submit the captcha on had a hidden input with the md5 hash of the captcha answer. If one had wanted to bypass the captcha, all he would have had to do was post his own form with his own md5 hash and matching captcha text. My script would have compared whatever text he sent with whatever hash he sent and happily approved the post. Now, it was intended to be a quick and dirty hack; but I'm ashamed of how dirty that one was. It is now more secure. It's not very secure, but at least there is a part of the equation that an attacker can't know.
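To make the flaw concrete, here is an added example (my own constructed code, not the script from this site) that puts the hidden-field md5 check next to a version where the server holds the missing part of the equation: a secret key, used to HMAC the answer together with a nonce and an expiry. The client gets the tag back in the form but cannot produce a valid one for text of its own choosing, the challenge expires, and a solved challenge is burned so it cannot be replayed. Field names, the 300-second lifetime and the in-memory nonce set are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example, not code from the post: the hidden-field md5 scheme the
# post describes, next to a version keyed with a secret only the server knows.

# ---- Scheme 1: the form carries md5(answer) and the server trusts it ----

def vulnerable_form_fields(answer: str) -> dict:
    """Hidden field holds md5 of the expected answer, as the post describes."""
    return {"captcha_hash": hashlib.md5(answer.encode()).hexdigest()}

def vulnerable_verify(form: dict) -> bool:
    """Compares the typed text against whatever hash the *client* sent back."""
    typed = hashlib.md5(form.get("captcha_text", "").encode()).hexdigest()
    return typed == form.get("captcha_hash", "")

def self_consistent_post(text: str) -> dict:
    """A submission that never saw the challenge: text plus the md5 of that same text."""
    return {"captcha_text": text, "captcha_hash": hashlib.md5(text.encode()).hexdigest()}

# ---- Scheme 2: HMAC under a server-side secret, with nonce, expiry, single use ----

SERVER_SECRET = secrets.token_bytes(32)   # created at startup; never leaves the server
TOKEN_LIFETIME = 300                      # seconds a challenge stays valid (assumed value)
_used_nonces: set = set()                 # in-memory for the demo; a real site would persist it

def _tag(nonce: str, expires: int, answer: str, secret: bytes) -> str:
    msg = f"{nonce}|{expires}|{answer}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def hardened_form_fields(answer: str, *, secret: bytes = SERVER_SECRET, now: float = None) -> dict:
    """Fields to embed in the form: the answer never appears, only a keyed tag over it."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    expires = int(now) + TOKEN_LIFETIME
    return {
        "captcha_nonce": nonce,
        "captcha_expires": str(expires),
        "captcha_tag": _tag(nonce, expires, answer, secret),
    }

def hardened_verify(form: dict, *, secret: bytes = SERVER_SECRET, now: float = None) -> bool:
    """Recomputes the tag from the typed text; without the secret a client cannot forge one."""
    now = time.time() if now is None else now
    try:
        nonce = form["captcha_nonce"]
        expires = int(form["captcha_expires"])
        tag = form["captcha_tag"]
        text = form["captcha_text"]
    except (KeyError, ValueError):
        return False
    if now > expires or nonce in _used_nonces:
        return False
    if not hmac.compare_digest(_tag(nonce, expires, text, secret), tag):
        return False
    _used_nonces.add(nonce)   # burn the challenge so a solved one cannot be replayed
    return True

if __name__ == "__main__":
    # The md5 scheme accepts a post that never looked at the challenge.
    print("md5 scheme, self-consistent post:", vulnerable_verify(self_consistent_post("buy stuff")))
    # The keyed scheme only accepts the real answer, once, before expiry.
    fields = hardened_form_fields("xk7p")
    print("keyed scheme, real answer:", hardened_verify({**fields, "captcha_text": "xk7p"}))
    print("keyed scheme, replayed:", hardened_verify({**fields, "captcha_text": "xk7p"}))
    forged = hardened_form_fields("spam", secret=b"attacker-guess")
    print("keyed scheme, tag under wrong key:", hardened_verify({**forged, "captcha_text": "spam"}))
```

The only thing that changed between the two schemes is who holds the key to the hash: in the first, the client supplies both halves of the comparison; in the second, the server's secret is the half the client cannot reproduce. `hmac.compare_digest` keeps the comparison constant-time, and the nonce set is what stops one solved captcha from being resubmitted 2500 times.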

Take that, miscreants!
