ports/93204: phpBB anti-DOS patch disallows visual authentication
Xin LI
delphij at gmail.com
Wed Feb 15 18:30:13 UTC 2006
The following reply was made to PR ports/93204; it has been noted by GNATS.
From: Xin LI <delphij at gmail.com>
To: Goyo Roth <sadangel at pow2clk.net>
Cc: freebsd-gnats-submit at freebsd.org, liukang at cn.freebsd.org,
delphij at delphij.net
Subject: Re: ports/93204: phpBB anti-DOS patch disallows visual authentication
Date: Thu, 16 Feb 2006 02:28:39 +0800
> -----Original Message-----
> From: sadangel at pow2clk.net [mailto:sadangel at pow2clk.net]
> Sent: Tuesday, February 14, 2006 4:27 AM
> To: delphij at delphij.net
> Cc: Goyo Roth; freebsd-gnats-submit at freebsd.org;
> liukang at cn.freebsd.org
> Subject: Re: ports/93204: phpBB anti-DOS patch disallows
> visual authentication
>
> The visual authentication is an image generated of a
> seemingly random set
> of numbers and letters by includes/usercp_confirm.php. It is
> enabled in
> the administrator's panel under "configuration" as I described in the
> original report. One person's design decision is another
> person's bug, but
The "design" itself is, IMHO, apparantly yet another security
vulnerability. The PRNG usage in usercp_register.php is flawed where
the random seed is initialized in a bad manner, moreover, it opens
another vulnerablility which permits flooding to the CONFIRM_TABLE,
from my first observations.
> the fact is that this implementation depends on anonymous users having
> their own session IDs that match the contents of the database
> at a few key
> points. When the patch I refer to is removed, visual
> authentication works
> fine.
I am strongly against removing the patch you have mentioned, however,
I would let the maintainer and the security officer to make a
decision.
I think this is nothing more than chown'ing everything to 777 and
setuid them to get things "work". phpBB 2.0.x series has a colourful
history on security aspect, so I do not see much point to "fix" this
terribly wrongly designed "feature".
A potential compromise would be to make the patch optional, so the
administrator can choose whether to apply it or not. This can be
implemented within half dozens of Makefile changes, along with
renaming the patch to another name so it would not be picked up by
bsd.port.mk automatically. Since this downgrades the security of the
port, we may have to get approval from the security team.
Cheers,
--
Xin LI <delphij at delphij.net> http://www.delphij.net
More information about the freebsd-ports-bugs
mailing list