

Jake Thoughts — 05 Feb 2021 16:50:11 -0500

I am finally happy enough with how I implemented the comment system on my blog. It has been possible to leave a comment on my blog for a while, but now I am finally talking about it.

You can find the source code here (jcs-v08.tar.gz) (NSFW, super ugly code). Feel free to use any of it! Or do not, I don't care. Actually, if you want a comment system I suggest you make your own, as that is a lot of fun and you learn some things about coding, HTML, and CSS. Be sure to understand what tainting is and how to untaint user-submitted input.

Both scripts do one thing each: comment.cgi reads comments, and post.cgi writes comments. Diligent observers will notice that my guestbook, guestbook.cgi, is actually a different script. It is a modified version of comment.cgi with hard-coded values.

How do they work? Both read and write plain text files. Each comment is kept on one line. comment.cgi uses substitution heavily to make comments presentable. Both are written in Perl. I did not go for a database, as that seemed like overkill, at least to me. Keep it stupid simple (KISS), as they say. My code references files like 'comment_form.html'; I can edit those files and the changes are reflected without my editing the script itself to print HTML, which is an annoying hassle. The form is what lets post.cgi work. Since I use SSI, every one of my blog pages has this line of HTML: <!--#include virtual="../comment.cgi?blog=some-blog-post" -->. In this example, comment.cgi would try to load 'some-blog-post.txt', and it would put 'some-blog-post' in the form's hidden blog value.
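To make the "one comment per line, substitution on the way out" layout concrete, here is a small read/write pair written for this post. It is an added example, not Jake's comment.cgi or post.cgi, and it makes assumptions the post does not state: fields are tab-separated as name, date, comment; the comment files live in a directory the script knows; and the form parameters arrive already parsed. The two points worth copying are that the blog name is untainted to a plain filename before it reaches open(), so the script can only ever open files in its own comment directory, and that every field is HTML-escaped when printed, which is what keeps a comment from becoming markup.

```perl
#!/usr/bin/perl -T
# Added example for this blog post, not the original comment.cgi/post.cgi.
# Assumptions (mine, not the page's): tab-separated name/date/comment per line,
# a known $dir for the .txt files, and already-parsed form parameters.
use strict;
use warnings;
use Fcntl qw(:flock);

# Under -T nothing from the request may reach open() until it has passed
# through a regex capture. Only plain names are allowed, so "$blog.txt"
# can never name a file outside the comment directory.
sub untaint_blog {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/ ? $1 : undef;
}

# Escape the HTML metacharacters so a comment is shown as text, never as
# tags (a stray <a><div> in a comment cannot break the page's nesting).
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# post.cgi side: one comment = one line, so line breaks and the field
# separator are removed before writing; flock stops two simultaneous
# posts from interleaving their bytes in the file.
sub append_comment {
    my ($dir, $blog, $name, $comment) = @_;
    my $safe = untaint_blog($blog) or return 0;
    for ($name, $comment) {
        $_ = '' unless defined $_;
        s/[\r\n\t]+/ /g;
    }
    my $when = scalar gmtime;   # date comes from the server, never from the form
    open my $fh, '>>', "$dir/$safe.txt" or return 0;
    flock $fh, LOCK_EX or return 0;
    print {$fh} join("\t", $name, $when, $comment), "\n";
    close $fh;
    return 1;
}

# comment.cgi side: read the post's file and return the HTML fragment that
# the SSI include drops into the page, hidden blog field included.
sub render_comments {
    my ($dir, $blog) = @_;
    my $safe = untaint_blog($blog) or return "<p>No such post.</p>\n";
    my $path = "$dir/$safe.txt";
    open my $fh, '<', $path or return "<p>No comments yet.</p>\n";
    flock $fh, LOCK_SH;
    my $html = '';
    while (my $line = <$fh>) {
        chomp $line;
        my ($name, $when, $comment) = split /\t/, $line, 3;
        next unless defined $comment;   # skip malformed lines instead of dying
        $html .= sprintf "<p><b>%s</b> on %s said:<br>%s</p>\n",
            map { escape_html($_) } $name, $when, $comment;
    }
    close $fh;
    # The hidden field tells post.cgi which file to append to. It is escaped
    # on output even though it already passed untaint_blog.
    $html .= sprintf qq{<input type="hidden" name="blog" value="%s">\n},
        escape_html($safe);
    return $html;
}

1;
```

comment.cgi would call render_comments with the value of the blog query parameter and print the result; post.cgi would call append_comment with the hidden blog field plus the name and comment fields. Because the date is generated on the server and the two user fields are flattened to a single line, the file stays one-record-per-line no matter what is submitted.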

These scripts are definitely abusable in some way. I know for a fact that the following will work:

curl -d blog=guest -d captcha=thoughts -d comment=this-is-a-comment

This leaves an entry on the blog post 'guest', with the correct captcha, and a comment. A way to deal with this would be to roll out some kind of real captcha system, or, if I wanted to make things harder, store IP addresses in logs and monitor the rate of commenting. I'm sure my meager website won't attract the attention of people who would automate that one line to run a thousand times... :). Well, since I decided to share that useful tidbit, I guess I had better think of some kind of captcha system that I could implement easily...

comment.cgi could create a file in '../tmp/captcha/' holding the correct value, and post.cgi could compare the user-submitted value against the file in '../tmp/captcha/'. The user-submitted value will need to be untainted, because comparing something like 'rm -rf /' may end badly for me. The main issue is that '../tmp/captcha/' will fill up with files that are never used, created by people who merely view each blog post. A crontab could clean them all up at the end of every day based on when each file was created. This would work and should not be that difficult to implement.

The issue then becomes: what should the captcha be? It cannot be hard-coded, or if it is, there would have to be something like a million hard-coded values, since a spam script could submit a single captcha value and get lucky often enough to spam... In other words, if I have 100 captcha answers and the spammer is lazy, the spammer can have the script try one answer repeatedly, without stopping, for hours, WHICH WILL WORK. Maybe some automatically generated math questions could work, though a dedicated spammer can easily write a script to circumvent that. Maybe I could ask things like "What country is Rome located in?", but then the spambot can search for that and return some answer. I am becoming aware of the fact that a captcha is not easy to create efficiently without also impacting user experience. Maybe I could do something where images spell something..? But that is what 90% of other captcha systems do!
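Here is how the two previous paragraphs fit together in code: the file-backed check in '../tmp/captcha/', the cron sweep, and a generated arithmetic question instead of a fixed answer list. This is an added example written for this post, not code from the jcs tarball, and it assumes things the post does not say: tokens live in ../tmp/captcha/, a token expires after 15 minutes, and the host has /dev/urandom. Each token's answer is different and the token file is deleted the moment it is checked, so one solved answer cannot be replayed, and the submitted values are untainted to a hex string and an integer before anything touches the filesystem or a comparison, which is what removes the 'rm -rf /' worry.

```perl
#!/usr/bin/perl -T
# Added example for this blog post, not the original comment.cgi/post.cgi.
# Assumptions (mine, not the page's): token dir ../tmp/captcha/, 15 minute
# lifetime, /dev/urandom available.
use strict;
use warnings;

my $CAPTCHA_DIR = '../tmp/captcha';
my $MAX_AGE     = 15 * 60;

# 16 random bytes as 32 hex characters: unguessable, and a safe filename.
sub new_token {
    open my $r, '<', '/dev/urandom' or die "no urandom: $!";
    binmode $r;
    read $r, my $bytes, 16 or die "short read from urandom";
    close $r;
    return unpack 'H*', $bytes;
}

# comment.cgi side: make a question, store its answer under a fresh token,
# return (token, question) for the hidden field and the form label.
sub new_challenge {
    my ($dir) = @_;
    my ($a, $b) = (1 + int rand 20, 1 + int rand 20);
    my $op     = (rand() < 0.5) ? '+' : '*';
    my $answer = $op eq '+' ? $a + $b : $a * $b;
    my $token  = new_token();
    open my $fh, '>', "$dir/$token" or die "cannot write token: $!";
    print {$fh} "$answer\n";
    close $fh;
    return ($token, "What is $a $op $b?");
}

# post.cgi side. Both values come from the form and are tainted: the token
# must be hex (so it can only name a file inside $dir) and the answer must
# be an integer (so it is compared numerically, never interpreted).
sub check_answer {
    my ($dir, $raw_token, $raw_answer) = @_;
    my ($token)  = ($raw_token  // '') =~ /\A([0-9a-f]{32})\z/        or return 0;
    my ($answer) = ($raw_answer // '') =~ /\A\s*(-?\d{1,9})\s*\z/     or return 0;
    my $path = "$dir/$token";
    my @st = stat $path or return 0;
    open my $fh, '<', $path or return 0;
    my $expected = <$fh>;
    close $fh;
    unlink $path;                       # one-time use, whatever the outcome
    return 0 unless defined $expected;
    chomp $expected;
    return 0 if time - $st[9] > $MAX_AGE;   # stale challenge
    return $answer == $expected ? 1 : 0;
}

# The cron job: remove tokens nobody answered (visitors who only read the
# post). Returns how many files were deleted.
sub sweep {
    my ($dir, $max_age) = @_;
    my $now = time;
    my $removed = 0;
    opendir my $dh, $dir or die "cannot read $dir: $!";
    for my $name (readdir $dh) {
        next unless $name =~ /\A([0-9a-f]{32})\z/;   # capture untaints the name
        my $path = "$dir/$1";
        my @st = stat $path or next;
        $removed++ if $now - $st[9] > $max_age and unlink $path;
    }
    closedir $dh;
    return $removed;
}

1;
```

In comment.cgi you would call new_challenge($CAPTCHA_DIR), print the question next to the captcha field and put the token in a hidden input; in post.cgi you would call check_answer($CAPTCHA_DIR, $token, $captcha) and append the comment only when it returns 1; sweep($CAPTCHA_DIR, $MAX_AGE) is what the daily crontab entry runs. This does not stop a dedicated spammer who parses the question, as the paragraph above notes, but it does defeat the lazy one-answer-for-hours script, since the answer changes with every page load and each token works exactly once.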

Well, I won't fret about it until I need to. That is it for this blog post. If you feel like you want to break my website through my comment section, do it with love ❤

Other thoughts on 2021-02-16,20:51:34 said:


Lain on 2021-02-21,06:16:11 said:

0.81 Release: Forgot to add proper comment files to the .tar.gz. Oops. post.cgi had incorrectly nested <a><div> elements when someone submitted an email with their comment. Fixed. Get the latest with: curl > jcs-LATEST.tar.gz

on 2021-07-24,23:26:44 said:

You can get some links from Monopoly Market: http://ebptv2ag6l35j5hsqxgjpeosimqnla7g7ru6amj44ydofksnquc3ziid.onion Monopoly has been built on requests from some of the most known vendors in the community, their intention is to provide a stable platform with a strong portfolio of vendors as apposed to spamming as many vendors as possible with the intention of generating as much revenue as possible from commission. The Versus Project: http://z6f7l7ty5fndd6xdc5opb3eoruudmxvmpvwmuidaq2hel5fnbqzo6wyd.onion Established since 2019, Versus Market is a forced multisig market with focus on community involvement and harm reduction to bring back the spirit of the golden age of Darknet Markets. ASAP Market: http://bkmwom6m2nvhoawvqpxpfy2jfdhgxq2iuxt7dvs7imjtaqi7nv4lfyid.onion ASAP Market is established early of January and has been online since March 2020. Safety and Good OPSEC is always our Market first priority. Everything from built from scratch. Experienced 5 years building market platform trusted by well known vendors. Ability of creating a long-term marketplace that will be the next top marketplace in DarkNet New concept completely re-design market features eliminating current marketplace flaws Kilos: http://gleikvbgv7vvdzbyyejwt3xksytg336vwaayxn4cjowq5lvmp5kwcfyd.onion Kilos is a DNM search engine, with a coin swap and bitcoin mixing service. Kilos has established itself on the scene as a trustable service.

Jake on 2021-07-25,04:31:51 said:

I cannot guarantee the safety of accessing those links~ ^^

fonion on 2021-08-12,06:46:44 said:

Fresh Onions

Due to abuse (the comments you see now are not abuse), commenting will be disabled for some time. Send an email or something.