From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Feb 15 18:30:13 2006
Return-Path:
X-Original-To: freebsd-ports-bugs@hub.freebsd.org
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA14516A420 for ; Wed, 15 Feb 2006 18:30:13 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B18AF43D55 for ; Wed, 15 Feb 2006 18:30:12 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k1FIUC1L054423 for ; Wed, 15 Feb 2006 18:30:12 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k1FIUCq1054420; Wed, 15 Feb 2006 18:30:12 GMT (envelope-from gnats)
Date: Wed, 15 Feb 2006 18:30:12 GMT
Message-Id: <200602151830.k1FIUCq1054420@freefall.freebsd.org>
To: freebsd-ports-bugs@FreeBSD.org
From: Xin LI
Cc:
Subject: Re: ports/93204: phpBB anti-DOS patch disallows visual authentication
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Xin LI
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 15 Feb 2006 18:30:13 -0000

The following reply was made to PR ports/93204; it has been noted by GNATS.
From: Xin LI
To: Goyo Roth
Cc: freebsd-gnats-submit@freebsd.org, liukang@cn.freebsd.org, delphij@delphij.net
Subject: Re: ports/93204: phpBB anti-DOS patch disallows visual authentication
Date: Thu, 16 Feb 2006 02:28:39 +0800

> -----Original Message-----
> From: sadangel@pow2clk.net [mailto:sadangel@pow2clk.net]
> Sent: Tuesday, February 14, 2006 4:27 AM
> To: delphij@delphij.net
> Cc: Goyo Roth; freebsd-gnats-submit@freebsd.org; liukang@cn.freebsd.org
> Subject: Re: ports/93204: phpBB anti-DOS patch disallows visual authentication
>
> The visual authentication is an image generated of a seemingly random set
> of numbers and letters by includes/usercp_confirm.php. It is enabled in
> the administrator's panel under "configuration" as I described in the
> original report. One person's design decision is another person's bug, but

The "design" itself is, IMHO, apparently yet another security vulnerability. The PRNG usage in usercp_register.php is flawed: the random seed is initialized in a bad manner; moreover, it opens another vulnerability which permits flooding of the CONFIRM_TABLE, from my first observations.

> the fact is that this implementation depends on anonymous users having
> their own session IDs that match the contents of the database at a few key
> points. When the patch I refer to is removed, visual authentication works
> fine.

I am strongly against removing the patch you have mentioned; however, I would let the maintainer and the security officer make a decision. I think this is nothing more than chown'ing everything to 777 and setuid'ing them to get things to "work". The phpBB 2.0.x series has a colourful history on the security front, so I do not see much point in "fixing" this terribly wrongly designed "feature". A potential compromise would be to make the patch optional, so the administrator can choose whether to apply it or not.
This can be implemented within half a dozen Makefile changes, along with renaming the patch to another name so it would not be picked up by bsd.port.mk automatically. Since this downgrades the security of the port, we may have to get approval from the security team.

Cheers,
--
Xin LI http://www.delphij.net