Date:      Sat, 11 Feb 2006 22:05:35 GMT
From:      Goyo Roth <sadangel@pow2clk.net>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/93204: phpBB anti-DOS patch disallows visual authentication
Message-ID:  <200602112205.k1BM5Zu0028175@www.freebsd.org>
Resent-Message-ID: <200602112210.k1BMA32k014482@freefall.freebsd.org>


>Number:         93204
>Category:       ports
>Synopsis:       phpBB anti-DOS patch disallows visual authentication
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 11 22:10:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Goyo Roth
>Release:        6.0-STABLE
>Organization:
University of Utah
>Environment:
FreeBSD legion.cavern 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov  3 09:36:13 UTC 2005     root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
I've discovered that the phpBB port as patched by patch-includes-sessions.php disallows the creation of sessions for users who are not logged in. This plugs the DOS attack hole explained here: http://www.securityfocus.com/archive/1/360931. However, it also disallows the use of the visual authentication by the user entering random letters and numbers shown in distorted visual form. The current session ID is used to generate this image. The current session ID is accessed initially in register.php, in includes/usercp_confirm.php, and again in register.php when the response is submitted. If the anonymous user is not allowed to create a persistent session, each access requires the generation of a new session ID, none of which match, so the image is not correctly generated, and, even if it were, it would not be validated. Ironically, it seems that the unavailability of this feature allows for another DOS attack in creation of new users automatically or by creation of new messages requesting registration if administrator authentication is enabled.

The vulnerability this patch was meant to plug was reported in 2004; has phpBB really not plugged this hole by other means since then? If so, I haven't been able to find it in the code. I'm still looking.
>How-To-Repeat:
1. Install the www/phpbb port.
2. Perform default install operations using WEBROOT/install/install.php page.
3. In the Administration panel, under General Admin and Configuration, set "enable visual confirmation" to yes.
4. Attempt to register a new user.

The result is a request to verify the contents of a non-existent image. If the session ID is hard-coded into the image-generating file, the test of the user's input still fails when the session ID changes yet again upon submission.

>Fix:
The simplest is to do away with the patch-includes-sessions.php patch. That solves it at the expense of potentially opening up the session id DOS attack vulnerability. Better solutions are probably possible such as limiting the number of anonymous sessions per IP. These would require more significant changes.
>Release-Note:
>Audit-Trail:
>Unformatted:
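The following is an added illustration, not code from phpBB or from this PR: a toy Python model of the registration flow the report describes. The confirmation code is keyed on the session id, so when anonymous sessions are not persisted, the image request and the later validation see different ids and the check can never pass; the per-IP cap on anonymous sessions is the mitigation the Fix section suggests, modelled here as an assumption. The class and method names (`Board`, `request`, `registration_flow`) are hypothetical.

```python
import secrets
from collections import defaultdict


class Board:
    """Toy model (not phpBB's code) of session and visual-confirmation handling."""

    def __init__(self, persist_anonymous, max_anon_per_ip=3):
        self.persist_anonymous = persist_anonymous
        self.max_anon_per_ip = max_anon_per_ip
        self.sessions = {}                   # sid -> client ip
        self.anon_by_ip = defaultdict(list)  # ip -> [sid, ...], oldest first
        self.confirm = {}                    # sid -> expected confirmation code

    def request(self, ip, cookie_sid):
        """Resolve the session for one HTTP request and return its id."""
        if cookie_sid in self.sessions:
            return cookie_sid
        sid = secrets.token_hex(16)
        if self.persist_anonymous:
            self.sessions[sid] = ip
            # Assumed mitigation from the PR's Fix section: cap anonymous
            # sessions per IP, evicting the oldest, so one unauthenticated
            # client cannot grow the session table without bound.
            self.anon_by_ip[ip].append(sid)
            if len(self.anon_by_ip[ip]) > self.max_anon_per_ip:
                old = self.anon_by_ip[ip].pop(0)
                self.sessions.pop(old, None)
                self.confirm.pop(old, None)
        # else: behaviour of patch-includes-sessions.php as described in the
        # PR, nothing is stored, so the same cookie is not recognised next time.
        return sid

    def registration_flow(self, ip):
        """register.php -> usercp_confirm.php -> register.php (submit)."""
        sid1 = self.request(ip, None)
        code = secrets.token_hex(3).upper()  # what the image would display
        self.confirm[sid1] = code
        sid2 = self.request(ip, sid1)        # image request, same cookie
        if sid2 not in self.confirm:
            return False                     # no image can be generated
        shown = self.confirm[sid2]
        sid3 = self.request(ip, sid1)        # form submission, same cookie
        return self.confirm.get(sid3) == shown


def anonymous_session_count(board, ip):
    """Number of stored sessions belonging to one client address."""
    return sum(1 for owner in board.sessions.values() if owner == ip)
```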