WHMCS 6.3 - recent ticket SPAM, recaptcha does not show up


Hello, in WHMCS 6.3, in the last days I started receiving a significantly higher amount of spam support tickets than before (bot spam, not real people).

So I tried to switch "Captcha Type" from "Default (5 Character Verification Code)" to "reCAPTCHA (Google's reCAPTCHA system)".

I saw I already had the public and private key prefilled there, and I verified they are correct/the same as the keys in my Google account, where I had already added my site.

But when I open the contact form as a non-logged-in user in Firefox and Tor Browser, it does not show the recaptcha, it shows only:

Quote

 

"Spam Bot Verification

Please enter the characters you see in the image below into the text box provided. This is required to prevent automated submissions."

 

When submitting, it says "The characters you entered didn't match the image shown. Please try again."

Is there any workaround/hack (by editing some files) so I can prevent support ticket spam?

The default WHMCS 5-character captcha shows up, but spam bots started going over it.

In recaptcha account, server side integration URL is: https://www.google.com/recaptcha/api/siteverify

<script src='https://www.google.com/recaptcha/api.js'></script>

<div class="g-recaptcha" data-sitekey="PubKeyHere"></div>

I see my recaptcha is "v2" type.

Update: The cause of this issue was a Content-Security-Policy in the .htaccess file that denied the Google domain.


  • 2 weeks later...
On 23. 5. 2018 at 7:44 PM, brian! said:

I don't know if it works, but...

I have tried to turn:

Quote

{if $captcha eq "recaptcha"}
   {$recaptchahtml}
{else}

in /templates/default/includes/captcha.tpl to:

Quote

{if $captcha eq "recaptcha"}
    <script src="https://www.google.com/recaptcha/api.js" async defer></script>
    <div id="google-recaptcha" class="g-recaptcha center-block" data-sitekey="{$reCaptchaPublicKey}"></div>
{else}

as mentioned on your linked page, but the recaptcha does not show, it only shows:

Quote

"Spam Bot Verification

Please enter the characters you see in the image below into the text box provided. This is required to prevent automated submissions."

On other sites I do not have an issue with recaptcha.

I also tried to apply the code I saw in my Google account:

Quote

Paste this snippet before the closing </head> tag on your HTML template:
<script src='https://www.google.com/recaptcha/api.js'></script>
Paste this snippet at the end of the <form> where you want the reCAPTCHA widget to appear:
<div class="g-recaptcha" data-sitekey="mykeyhere"></div>

and also tried:

Quote

                {if $captcha eq "recaptcha"}
                    {$recaptchahtml} test
                {else}

But that did not work either; it did not show it, not even the word "test". Please, any other idea how to make an alternative captcha service like recaptcha/keycaptcha, or a custom anti-spam question, work on WHMCS 6.3?


somewhere in my mind, I think I recall @whmcs chrisd stating that v6 uses v1 version of recaptcha - but that was disabled by Google in March 2018...

https://developers.google.com/recaptcha/docs/faq#what-happens-to-recaptcha-v1

Quote

Any calls to the v1 API will not work after March 31, 2018. Starting in November 2017, a percentage of reCAPTCHA v1 traffic will begin to show a notice informing users that the old API will soon be retired.

other than that thread I linked to, i'm not aware of any other solution.


@brian! I tried that solution, but got the mentioned results. Is there any WHMCS file that can prevent the recaptcha from loading the way I did it in my previous post? Or why does that not work? It seems like it does not load anything, even plain text.


4 hours ago, postcd said:

@brian! I tried that solution, but got the mentioned results. Is there any WHMCS file that can prevent the recaptcha from loading the way I did it in my previous post? Or why does that not work? It seems like it does not load anything, even plain text.

have a look at the modified contact.tpl template attached - i've embedded v2 Google Recaptcha in it - no hooks (not sure you could do it via this method with a hook) - anyway, there's 2 js scripts at the top of the page, i've replaced the captcha include that was there with the usual way to display a v2 recaptcha and a slight modification to the submit button to validate that captcha has been completed... if it hasn't and they try to submit, they'll get a js popup error message... not overly pretty, but it should suit your needs.

tested on a v6.3.1 dev, but I can see nothing that would prevent it from working on earlier/later releases... again untested, but you should be able to add those 2 js scripts to supportticketsubmit-steptwo.tpl, make a similar change to the button tag and it should work when submitting tickets too... i'm sure you'll let me know if it doesn't! :)

contact.tpl


Thank you, it would help if you can mention step by step what to do. I am unsure if I understood all the necessary steps, so here is what I did:

When I replace my templates/default/contact.tpl with the one you attached in your previous post and add

Quote

<script src='https://www.google.com/recaptcha/api.js'></script>
<script type="text/javascript">
    function callValidation() {
        if (grecaptcha.getResponse().length == 0) {
            alert('Please complete the Google reCAPTCHA checkbox');
            return false;
        }
        return true;
    }
</script>

to templates/default/supportticketsubmit-steptwo.tpl, then the Contact Us page is blank and loads infinitely. When I remove the JavaScript blocks printed above from supportticketsubmit-steptwo.tpl, the contact page loads, but does not show the recaptcha.

You also mentioned: "make a similar change to the button tag"; this I do not understand.

This is in supportticketsubmit-steptwo.tpl:

{if $capatacha eq "recaptcha"}
<div align="center">{$recapatchahtml}</div>
{else}

Unsure if it should be replaced by something else.


1 hour ago, postcd said:

Thank you, it would help if you can mention step by step what to do.

in terms of contact.tpl, it should be just a simple replace of the file - but this idea is based on a clean v6.3.1 dev using Six, so if you've customised your theme in some way, or are using another template, then you could be running into js clashes.

1 hour ago, postcd said:

I am unsure if I understood all the necessary steps, so here is what I did:

When I replace my templates/default/contact.tpl with the one you attached in your previous post and add

ah ok, there's the problem - the "default" template got deprecated 3 years ago in v6.0 and replaced by "Five"... that might have been worth mentioning in your OP! I don't even have default in the v6 dev as it was a clean install and it's no longer shipped with that template.

quickly added the code to five/contact.tpl and it works fine...

and similarly to the step2 ticket page...

comparing my v5.3.12 dev "default" contact template to the v6.3.1 "five" contact template, they are exactly the same - there are 2 or 3 differences in step 2 template, so you may be better off adding the code manually to that template...

  • paste the 2 js to the top of the file (or after the pageheader include)
  • replace the {if captcha} block with the recaptcha div below and add  onclick="return callValidation();" to the submit button...
    <div class="g-recaptcha" data-sitekey="{$reCaptchaPublicKey}"></div><p>

    otherwise, i've attached the two modified template files from "Five".

 

contact.tpl

supportticketsubmit-steptwo.tpl


When I use your attached supportticketsubmit-steptwo.tpl, the "Contact us" page shows:

Quote

supportticketsubmit-customfields.tpl is missing

So maybe it is differences between the default and five templates.

But I have found the cause of the recaptcha not showing up. It was the .htaccess file, which contained Content-Security-Policy rule/s that prevent connecting to any domain (including google.com, gstatic.com) that is not explicitly whitelisted in the rule. Now the recaptcha works. Thank you for the help.

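The cause found in this thread, as an added example that is not part of any post: a small JavaScript check that parses a Content-Security-Policy header value and lists which of the browser-side loads reCAPTCHA v2 needs would be refused, and under which directive. The sample policies, the function names and the placeholder release path are constructed for illustration, and source matching is simplified (no nonces, hashes, ports or 'strict-dynamic').

```javascript
// Constructed sample policies: a self-only policy of the kind described in the thread, and one admitting reCAPTCHA.
const STRICT_POLICY = "default-src 'self'; script-src 'self'";
const FIXED_POLICY = "default-src 'self'; script-src 'self' https://www.google.com/recaptcha/ " +
  "https://www.gstatic.com/recaptcha/; frame-src https://www.google.com/recaptcha/";
// Representative browser-side loads of the v2 widget (release path is a placeholder).
const RECAPTCHA_LOADS = [
  { kind: 'script', url: 'https://www.google.com/recaptcha/api.js' },
  { kind: 'script', url: 'https://www.gstatic.com/recaptcha/releases/PLACEHOLDER/recaptcha__en.js' },
  { kind: 'frame', url: 'https://www.google.com/recaptcha/api2/anchor' },
];
// Fallback chain the browser walks when a directive is absent.
const FALLBACK = {
  script: ['script-src-elem', 'script-src', 'default-src'],
  frame: ['frame-src', 'child-src', 'default-src'],
};

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; only its first occurrence counts.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceAllows(source, url) {
  const u = new URL(url);
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === u.protocol;
  if (source.startsWith("'")) return false; // 'self', 'none' etc. never match a Google origin
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, path] = m;
  if (scheme && scheme.toLowerCase() + ':' !== u.protocol) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? u.hostname.endsWith(h.slice(1)) : u.hostname === h;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  return hostOk && (!path || (path.endsWith('/') ? u.pathname.startsWith(path) : u.pathname === path));
}

function blockedRecaptchaLoads(header) {
  const policy = parseCsp(header);
  const blocked = [];
  for (const { kind, url } of RECAPTCHA_LOADS) {
    const directive = FALLBACK[kind].find((d) => policy.has(d));
    if (!directive) continue; // no governing directive: the load is not restricted
    if (!policy.get(directive).some((s) => sourceAllows(s, url))) blocked.push({ directive, url });
  }
  return blocked;
}
```

An empty result means the governing script and frame directives admit the www.google.com and www.gstatic.com reCAPTCHA paths; the server-side call to siteverify is not subject to CSP.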
