ports/93204: phpBB anti-DOS patch disallows visual authentication

Xin LI delphij at gmail.com
Wed Feb 15 18:30:13 UTC 2006


The following reply was made to PR ports/93204; it has been noted by GNATS.

From: Xin LI <delphij at gmail.com>
To: Goyo Roth <sadangel at pow2clk.net>
Cc: freebsd-gnats-submit at freebsd.org, liukang at cn.freebsd.org, 
	delphij at delphij.net
Subject: Re: ports/93204: phpBB anti-DOS patch disallows visual authentication
Date: Thu, 16 Feb 2006 02:28:39 +0800

 > -----Original Message-----
 > From: sadangel at pow2clk.net [mailto:sadangel at pow2clk.net]
 > Sent: Tuesday, February 14, 2006 4:27 AM
 > To: delphij at delphij.net
 > Cc: Goyo Roth; freebsd-gnats-submit at freebsd.org; liukang at cn.freebsd.org
 > Subject: Re: ports/93204: phpBB anti-DOS patch disallows visual authentication
 >
 > The visual authentication is an image generated of a seemingly random
 > set of numbers and letters by includes/usercp_confirm.php. It is
 > enabled in the administrator's panel under "configuration" as I
 > described in the original report. One person's design decision is
 > another person's bug, but
 
 The "design" itself is, IMHO, apparently yet another security
 vulnerability.  The PRNG usage in usercp_register.php is flawed where
 the random seed is initialized in a bad manner; moreover, it opens
 another vulnerability which permits flooding of the CONFIRM_TABLE,
 from my first observations.
 
 > the fact is that this implementation depends on anonymous users having
 > their own session IDs that match the contents of the database at a few
 > key points. When the patch I refer to is removed, visual authentication
 > works fine.
 
 I am strongly against removing the patch you have mentioned, however,
 I would let the maintainer and the security officer to make a
 decision.
 
 I think this is nothing more than chown'ing everything to 777 and
 setuid them to get things "work".  phpBB 2.0.x series has a colourful
 history on security aspect, so I do not see much point to "fix" this
 terribly wrongly designed "feature".
 
 A potential compromise would be to make the patch optional, so the
 administrator can choose whether to apply it or not.  This can be
 implemented within half a dozen Makefile changes, along with
 renaming the patch to another name so it would not be picked up by
 bsd.port.mk automatically.  Since this downgrades the security of the
 port, we may have to get approval from the security team.
 
 Cheers,
 --
 Xin LI <delphij at delphij.net> http://www.delphij.net
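The following is an added illustration, not part of the thread and not the phpBB port's actual Makefile, of the compromise Xin LI sketches above: the anti-DOS patch is renamed so that bsd.port.mk's automatic `files/patch-*` handling no longer applies it, and a port option decides whether it is added back. It uses the current FreeBSD ports options framework (`OPTIONS_DEFINE`, `<OPT>_EXTRA_PATCHES`), which postdates this 2006 exchange; the option name `ANTIDOS`, the patch file name and the metadata values are assumptions.

```make
# Added example (not the port's own Makefile): expose the phpBB
# session anti-DOS patch as a port option instead of applying it
# unconditionally.  Option name, patch file name and the PORTNAME/
# MASTER_SITES values are assumptions for illustration.

PORTNAME=	phpbb
PORTVERSION=	2.0.99	# placeholder, not a real release
CATEGORIES=	www
MASTER_SITES=	http://example.invalid/	# placeholder

MAINTAINER=	maintainer@example.invalid	# placeholder
COMMENT=	Bulletin board system written in PHP

# The option is ON by default, so a plain build keeps the hardened
# behaviour; an administrator who needs visual confirmation must
# deliberately turn it off (and accept the trade-off described in the PR).
OPTIONS_DEFINE=		ANTIDOS
OPTIONS_DEFAULT=	ANTIDOS
ANTIDOS_DESC=		Session anti-DOS patch (breaks visual confirmation)

# The patch was renamed from files/patch-includes-sessions.php to
# files/extra-patch-includes-sessions.php: only files/patch-* are
# picked up automatically by bsd.port.mk, so the renamed copy is applied
# solely through the option below.
ANTIDOS_EXTRA_PATCHES=	${FILESDIR}/extra-patch-includes-sessions.php

.include <bsd.port.mk>
```

With this layout `make config` shows the ANTIDOS knob, `make -DWITHOUT_ANTIDOS` (or deselecting it in the dialog) builds the stock session code, and the default remains the patched one, which is the direction the security team would expect the default to lean.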
