Can you tell us a bit about your website?

vtchernoff.ru - guitarist and guitar teacher (Moscow, Russia)

How did you discover the Commentics site?

Google search ('free comments script') - Commentics was the first in search results.

What made you choose the script over others?

1) Incredible demo.
2) Extremely good support: guides, forum, FAQ.
3) The script itself - pro made, easy to install and to integrate, freaking nice customization (CSS and admin panel).

What advice would you give to fellow admins?

Donate, fellows! These guys deserved it!

How, if at all, did you customize the script?

Check it out vtchernoff.ru/inception1_test.html. The hardest part for me (I'm a total noob in PHP and stuff, except CSS and HTML) was to add the button of the Russian social network vk.com. But I did it.

What would you like to see added or improved?

Social buttons are hidden without the first comment by default. Do you think it is right? Maybe the buttons should be visible without the first written comment?

Have you ever needed to use the support site?

Definitely, 'coz I'm a noob.

Has Commentics helped your website so far?

No, because only 2 days past my integrating the script.

Would you recommend Commentics to others?

No, it is too cool to recommend. I'm not kidding.

Do you have any final words to add?

THANK YOU
THANK YOU
THANK YOU

I will make my donation one of these days.

• You can now follow each change to the code as it's made. This will allow you to see the improvements and fixes in real-time and, where appropriate, provides a way for you to merge these into your own copy before they are officially released!
• You will be able to "fork" the code in order to submit your own changes to the project so that they can be considered for inclusion. This will allow for unlimited involvement as you could submit anything from a single bug fix to a series of new features.
• Git and GitHub will track each change so that it can offer an advanced form of version control. This means that if one of the changes ever needs to be reverted then this can be done with ease. Even multiple branches can be developed for each feature.
• Upgrades will be easier if you have made any custom alterations, as you will be able to see the exact differences to the files that you had altered.

Learning how to use Git and GitHub can be a very steep learning curve, particularly if you're not familiar with version control, so it's expected that to begin with only serious developers will be able to fully participate in this process. However, over time you should find documentation on this website to help try to make it as simple as possible.

At the moment there is no code development to watch, as focus is solely on the commentics.org website (you may have noticed the new mega menu). The code that is there at present is an unmodified v2.3. Once the next version is started on you will be able to make the most of this new milestone in the project.

Frontend

/comments/includes/tasks/delete_comment_ips.php
/comments/includes/tasks/delete_inactive_subscribers.php
/comments/includes/tasks/delete_reports.php
/comments/includes/tasks/delete_unconfirmed_subscribers.php
/comments/includes/tasks/reactivate_inactive_subscribers.php

/comments/includes/words/spiders.txt

Backend

/comments/admin/includes/pages/task_del_bans.php
/comments/admin/includes/pages/task_del_comment_ips.php
/comments/admin/includes/pages/task_del_inactive_subs.php
/comments/admin/includes/pages/task_del_reports.php
/comments/admin/includes/pages/task_del_unconfirmed_subs.php
/comments/admin/includes/pages/task_del_voters.php
/comments/admin/includes/pages/task_re_act_inactive_subs.php

/comments/admin/images/rich_snippets/example_review.png

Perhaps the most noticeable difference in this version is the addition of the permalink feature. The permalink feature provides a link which will always take you to the particular comment, no matter what page the comment ends up on. This is useful if you want to share or bookmark the location of a comment and be able to return to it at a later date. The permalink feature highlights the comment by darkening its border, just in case the anchor wasn't able to position the scrollbar to its location.

An important change in the new version is the performance of the comments loop. It was clear that the demo here at commentics.org was starting to suffer from the 1,500+ comments, as it was taking around 6.897 seconds to load. By making a few small improvements to the comments loop, such as selecting only the information necessary from the database, and exiting the loop as soon as it's no longer needed, the demo now loads in approximately 2.512 seconds, which is a 63.58% improvement! This change is expected to be only the start of a number of changes to improve the performance of the script.

To keep the script up-to-date with new developments, the frontend now validates for the upcoming HTML5. HTML5 has some nice changes and the admin panel for Commentics is already taking advantage of them. These include using the 'input type=email' which instructs the web browser that an email address should be entered, and the 'required' attribute which tells the browser that an entry is needed. As HTML5 is still in draft form, some browsers such as Internet Explorer are yet to support these parts of it but they will degrade gracefully. Although the frontend now validates, the admin panel still needs a few changes so these will be made in a future version.

The improvement that took the largest proportion of time was fixing how the script encodes and handles certain characters. To do this, many test strings were created that aimed to highlight the issues that needed fixing. For example, the name field may have had an entry such as "Mr. ö-ç學書'&", and this entry would then have been tracked throughout the rest of the script like when saving and editing it in the admin panel and receiving it as an email. The script now has a better understanding of unicode characters and it also treats the handling of URLs better by encoding spaces. Harmless characters like "ö" and "ç" are no longer converted to their HTML entities.

There are many other improvements and fixes that were made which make this version the best yet. It's planned that over the next few weeks the commentics.org website will now receive some focus. This may include enhancing the documentation and encouraging more community involvement with the project, so watch out for such changes in the near future.

It replaces the current image captcha, ReCaptcha, with Securimage. Securimage is a self-hosted solution which requires the GD 2.0 library and FreeType to work. A few people have requested this add-on due to privacy concerns about the tracking capability of ReCaptcha, and its aesthetically large size.

See below screenshot.

It changes the time of the comments so that they are auto-updated with a time like "2 minutes ago" or "about 1 day ago". It uses a jQuery plugin, of the same name, found here.

See below screenshot.

Here is the admin panel setting, located in Layout -> Order:

And here is the frontend result:

Login Improvements

A few improvements have been made to the login page. The first being brute-force protection to stop someone (or something) from repeatedly guessing at your username and password. The script will enforce a timeout of 30 minutes after 3 failed attempts and a further 30 minutes for each failed attempt thereafter.

If the attacker is persistent and makes 10 attempts at a specific account then that account will be locked as a precaution. You can then take the appropriate action to stop the attacker from accessing the page again.

The password reset page has also been improved. There is now a limit to how many consecutive resets can be made per account. This is to stop someone from sending you a password reset email however many times they wish. The limit will be 5.

Restrict Pages

Elsewhere, a new feature being introduced is the ability to restrict the admin panel pages an administrator can view. This is useful if you want a moderator to approve your comments but you don't want to allow them access to everything. To use this feature, you would go to the Edit Administrator page where you will see a 'Restrict Pages' checkbox.

If you click this, it will open up a user-friendly list of pages:

After configuring the list, when the administrator next logs in, they will see a limited menu:

And if they try to directly navigate to a restricted page, they will see this:

Quick Approve

If you are manually approving all comments then currently you need to edit each comment to approve it. Now, you can quickly click an Approve link on the Manage -> Comments page. Next to the Approve link is a link to send a notification email of the comment to your subscribers.

Multiple Answers

For the question captcha it is sometimes easier for the user if there are multiple answers. For example, they may type 14 instead of fourteen, or vice-versa.  Now, you can separate multiple answers with the | (pipe) character.

Sort By

On the frontend the Sort By links have been changed to a drop-down. This is better because it takes up less space and lets the user focus on more important parts such as the comments.

There are many other improvements, mostly behind the scenes, which will make Commentics v2.2 an even better script.

Details

On June 20th, a report was submitted to SecurityFocus detailing several exploits with Commentics v2.0. The exploits affect all versions of Commentics. All of the exploits listed require either an administrator to knowingly carry out the attack (unlikely) or an administrator to unknowingly carry out the attack by CSRF (more likely). If you don't know, CSRF (Cross-site request forgery) is basically when the hacker creates a link or creates a form on their own website which submits data to your admin panel. The hacker cannot click the link or submit the form because they would encounter the login system, so they need you to submit it for them. They will disguise the link or form to look genuine so they can trick you into submitting it. If you submit it, you will be taken to your admin panel where the attack will take place.

There are a few obstacles for the hacker. Firstly, they need to know the location of your admin folder. All versions of Commentics have required the administrator to change the location of their admin folder. Secondly, you would have to be logged in to your admin panel when you submit their link/form, as otherwise you will encounter the login system and the attack would not work.

What attacks are possible?

1. The person who created the security report talks about using the database backup deletion feature to traverse outside of the backup folder and delete other files from the website. This is fixed in v2.1 in several ways. Firstly, the URL parameter for the backup file is protected by PHP's basename function. This removes any periods and slashes so that only the clean trailing part is remaining. To make sure, this trailing part is then checked to make sure that it is only a mixture of letters/numbers, and that it is exactly 20 characters. Also, the file extension is added by the code itself and not included in the parameter. Lastly, it is protected by a CSRF key which is discussed later.

2. There were cross-site scripting (XSS) vulnerabilities on a few of the admin panel pages, mainly the edit_* pages where the ID parameter wasn't validated thoroughly. This may have allowed someone to execute arbitrary JavaScript. Note that again this exploit requires the unlikely CSRF type attack. This is fixed in v2.1. The ID parameter is checked to make sure that it is a number, while it is also checked to make sure that the record, whether it be a comment, page, ban, subscriber or admin, actually exists.

3/4. The previous two attacks have been URL-based. The attacks for 3 and 4 are form-based. Using the CSRF method, it may have been possible for the hacker to get the administrator to submit any of the forms in the admin panel. A common form that a hacker would want to target is the one on the Settings -> Administrator page, which is given as an example in the security report, because this would enable the hacker to change your login details and gain access to the admin panel. This is fixed in v2.1 with general CSRF protection discussed next.

Commentics v2.1 implements the general CSRF prevention methods recommended here. The main way of protection is the "Synchronizer Token Pattern". This adds a hidden input field to every form in the admin panel and the input field contains a token from the administrator's session. The hacker won't know this token so they won't be able to add it to their form on their own website. When the forms are submitted, Commentics checks that this token is submitted and it checks that it is correct. The same applies with the URL on some pages except the token is submitted as a parameter. A second protection has also been added where the admin panel checks to make sure that you were referred from within the admin panel. If you arrive at an admin panel page from another website then the script will inform you of this and ask that you access the page using the admin panel's menu links. For this reason, the 'referrer check' is enabled during the upgrade process in case you have disabled it in the past.

In general, make sure that you only allow trusted administrators to log in to your admin panel, and be careful about what websites you visit while logged into the admin panel. Also, don't share the location of your admin panel, and don't share any of the admin panel URLs that contain the 'key' parameter.