50 minutes ago, dfr717 said:

I believe the previous fix just resolved the 'Parse error' but the function itself doesn't actually work. I set the time to 60 seconds and I was able to make two accounts in less than 30 seconds. The second account shouldn't have been able to be created since the form was submitted twice from the same IP, correct?

No, that's not correct. There are two settings regarding the time.

The "Create Account Period" controls how many minutes between create accounts are possible. So if you have it set to 30, it means that a second account cannot be created until 30 minutes after the first one was created.

The "Verify Time to Submit" setting looks at the number of seconds between account creations. So if it is set to 4 and you create a second account in 3 seconds, it will block you. When spammers create accounts, they may use a script to do so. And if the script is set to create multiple accounts, it will just take a few seconds for them to do that. A person, on the other hand, cannot create a second account in a matter of seconds, so this setting won't affect them. If a spammer is filling out the form manually, then this option won't affect him either. It would only catch scripts that can quickly create accounts.

With that said, the code for that option will not work. To fix it, find the following in the includes/functions/honeypot.php file

        } else { //an entry for this IP doesn't exist so add one
            WriteToLog(sprintf(TEXT_CREATE_ACCOUNT_NEW_ACCOUNT, $cust)); 

and change it to

        } else { //an entry for this IP doesn't exist so add one
            if (defined('MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT') && tep_not_null(MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT)) {
                if (! tep_session_is_registered('time_check')) {
                    global $time_check; //tep_session_register() binds the session entry to the global variable
                    $time_check = time(); //start the timer for this session
                    tep_session_register('time_check');
                }
            }

            WriteToLog(sprintf(TEXT_CREATE_ACCOUNT_NEW_ACCOUNT, $cust));

Then replace this

function CheckTimeToSubmit() {
    if (! empty(MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT)) {
        $diff = ((time() - $_SESSION['time_check']) / 3660) * 1000;               
        
        if ($diff < MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT) {
            return true;
        }  
        unset($_SESSION['time_check']);        
    }
    
    return false;    
}

with this

function CheckTimeToSubmit() {
    global $time_check; //registered session variables live in the global scope

    if (defined('MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT') && tep_not_null(MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT)) {
        if (tep_session_is_registered('time_check')) {
            $diff = ((time() - $time_check) / 3660) * 1000;

            if ($diff < MODULE_HEADER_TAGS_HONEYPOT_VERIFY_TIME_TO_SUBMIT) {
                $time_check = time(); //keep active in case script continues
                return true; //submitted too quickly, treat as a script
            } else {
                tep_session_unregister('time_check');
            }
        }
    }

    return false;
}

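Added example (not part of the post above and not the add-on's code): a stand-alone PHP sketch of how the two settings described in that post behave together, using plain minutes and seconds as the post describes them. The function name `evaluate_submission`, the `$state` layout, the sample IP and the timestamps are all constructed for illustration.

```php
<?php
// Added illustration; names below are hypothetical, not the add-on's code.

// Evaluate one create-account submission against both timing settings.
// $state holds 'last_created' (per IP) and 'time_check' (per session).
function evaluate_submission(array &$state, string $ip, int $now,
                             int $periodMinutes, int $minSeconds): string
{
    // "Verify Time to Submit": seconds since this session's previous attempt.
    if (isset($state['time_check'])) {
        $elapsed = $now - $state['time_check'];
        if ($elapsed < $minSeconds) {
            $state['time_check'] = $now; // keep the timer armed for a looping script
            return 'blocked: too fast';
        }
    }
    $state['time_check'] = $now;

    // "Create Account Period": minutes since this IP last created an account.
    if (isset($state['last_created'][$ip])) {
        $minutes = ($now - $state['last_created'][$ip]) / 60;
        if ($minutes < $periodMinutes) {
            return 'blocked: period';
        }
    }
    $state['last_created'][$ip] = $now;
    return 'created';
}

// Constructed sequence: offsets in seconds from the first submission,
// with a 30-minute account period and a 4-second minimum submit time.
$state = [];
$t0 = 1700000000;
foreach ([0, 3, 20, 1900] as $offset) {
    printf("t+%4ds  %s\n", $offset,
        evaluate_submission($state, '203.0.113.7', $t0 + $offset, 30, 4));
}
```

The seconds check only catches automated resubmission, while the minutes check is what stops a second account from the same IP inside the configured period.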

Hello @Jack_mcs

I have Honeypot set up to disallow URLs in the Contact Us form, and it seems to work on my end.  If I try to send one, I get this:

[Attached image: email.JPG]

However, I am still getting emails thru Contact Us with URLs inserted. The last one was just moments ago, lots of text in another language (Russian?) and it ends with this:

Всю статью читайте здесь: http://www.xxxx.blo.com/2019/11/force.html

I've edited the URL, so...not valid, but you get the idea.

How is that possible? 

- Andrea

2 hours ago, puggybelle said:

How is that possible? 

Assuming you had HP installed previously, please verify the code near the top of the contact us page that calls the verify file is calling verify_general and not verify_contact_us.

2 hours ago, Jack_mcs said:

Assuming you had HP installed previously, please verify the code near the top of the contact us page that calls the verify file is calling verify_general and not verify_contact_us.

Yep.  I had not changed the call from verify_contact_us to verify_general in contact_us.php

So excited to try the new HP I must have raced past that part.  Sorry!

- Andrea

13 hours ago, puggybelle said:

Yep.  I had not changed the call from verify_contact_us to verify_general in contact_us.php

I was just notified that I failed to change the install instructions and they still mention the wrong module. So everyone should check their contact_us.php file and make sure they have honeypot_verify_general.php, not honeypot_contact_us.php. My apologies to anyone affected.
