
A patch to protect Mambo administrator login page
A patch to protect the Mambo administrator login page against brute-force password attacks!
How does it work?
- It is a component, com_hashcash, containing all the scripts needed to create an MD5 challenge in PHP and JavaScript and to verify the response.
- The server sends, in a hidden field, an MD5 value that is tied to the server, the user's session id and the time.
- The client must hash the value of this hidden field with an MD5 implementation in JavaScript (intended as a CPU cost for a spammer) and send the result back to the server as the name of a hidden field. Note that a single MD5 is cheap to compute; the real obstacle for an attacker is that every attempt has to fetch the form and compute the answer for that session and time instead of blindly POSTing credentials.
- If the check fails, the submitter is banned for 60 seconds.
- Every submit, successful or not, is logged to a file.
- When the file grows larger than 64 KB, an email is sent to the admin.
Installation:
This component has no administration panel! Simply overwrite the files on your server with the contents of the zip. A component package installer is on the way.
Original Mambo files affected for the login page:
- /administrator/index.php <- add verification of the challenge
- /administrator/templates/mambo_admin/login.php <- insert the hidden fields and a reference to the MD5 JavaScript
- /administrator/templates/mambo_admin_blue/login.php <- insert the hidden fields and a reference to the MD5 JavaScript
Future?
- More hash algorithms; SHA-1 is on the way.
- A mambot that rewrites every FORM on the fly before submit.
- Ako_comment has already been patched and tested -> waiting for Arthur Konze's OK before release.
- Ako_guestbok must still be changed.