Date: Wed, 15 Feb 2006 18:30:12 GMT From: Xin LI <delphij@gmail.com> To: freebsd-ports-bugs@FreeBSD.org Subject: Re: ports/93204: phpBB anti-DOS patch disallows visual authentication Message-ID: <200602151830.k1FIUCq1054420@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/93204; it has been noted by GNATS. From: Xin LI <delphij@gmail.com> To: Goyo Roth <sadangel@pow2clk.net> Cc: freebsd-gnats-submit@freebsd.org, liukang@cn.freebsd.org, delphij@delphij.net Subject: Re: ports/93204: phpBB anti-DOS patch disallows visual authentication Date: Thu, 16 Feb 2006 02:28:39 +0800 > -----Original Message----- > From: sadangel@pow2clk.net [mailto:sadangel@pow2clk.net] > Sent: Tuesday, February 14, 2006 4:27 AM > To: delphij@delphij.net > Cc: Goyo Roth; freebsd-gnats-submit@freebsd.org; > liukang@cn.freebsd.org > Subject: Re: ports/93204: phpBB anti-DOS patch disallows > visual authentication > > The visual authentication is an image generated of a > seemingly random set > of numbers and letters by includes/usercp_confirm.php. It is > enabled in > the administrator's panel under "configuration" as I described in the > original report. One person's design decision is another > person's bug, but The "design" itself is, IMHO, apparantly yet another security vulnerability. The PRNG usage in usercp_register.php is flawed where the random seed is initialized in a bad manner, moreover, it opens another vulnerablility which permits flooding to the CONFIRM_TABLE, from my first observations. > the fact is that this implementation depends on anonymous users having > their own session IDs that match the contents of the database > at a few key > points. When the patch I refer to is removed, visual > authentication works > fine. I am strongly against removing the patch you have mentioned, however, I would let the maintainer and the security officer to make a decision. I think this is nothing more than chown'ing everything to 777 and setuid them to get things "work". phpBB 2.0.x series has a colourful history on security aspect, so I do not see much point to "fix" this terribly wrongly designed "feature". A potential compromise would be to make the patch optional, so the administrator can choose whether to apply it or not. This can be implemented within half dozens of Makefile changes, along with renaming the patch to another name so it would not be picked up by bsd.port.mk automatically. Since this downgrades the security of the port, we may have to get approval from the security team. Cheers, -- Xin LI <delphij@delphij.net> http://www.delphij.net
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200602151830.k1FIUCq1054420>