From owner-freebsd-ports-bugs@FreeBSD.ORG Sat Feb 11 22:10:05 2006
From: Goyo Roth
To: freebsd-gnats-submit@FreeBSD.org
Date: Sat, 11 Feb 2006 22:05:35 GMT
Message-Id: <200602112205.k1BM5Zu0028175@www.freebsd.org>
Subject: ports/93204: phpBB anti-DOS patch disallows visual authentication
List-Id: Ports bug reports

>Number: 93204
>Category: ports
>Synopsis: phpBB anti-DOS patch disallows visual authentication
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Feb 11 22:10:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Goyo Roth
>Release: 6.0-STABLE
>Organization: University of Utah
>Environment:
FreeBSD legion.cavern 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386
>Description:
I've discovered that the phpBB port as patched by patch-includes-sessions.php disallows the creation of sessions for users who are not logged in. This plugs the DOS attack hole explained here: http://www.securityfocus.com/archive/1/360931. However, it also disallows the use of visual authentication, in which the user enters random letters and numbers shown in distorted visual form. The current session ID is used to generate this image. The current session ID is accessed initially in register.php, in includes/usercp_confirm.php, and again in register.php when the response is submitted. If the anonymous user is not allowed to create a persistent session, each access requires the generation of a new session ID, none of which match, so the image is not correctly generated, and, even if it were, it would not be validated.
Ironically, it seems that the unavailability of this feature allows for another DOS attack: the automated creation of new users, or of new messages requesting registration if administrator authentication is enabled. The vulnerability this patch was meant to plug was reported in 2004; has phpBB really not plugged this hole by other means since then? If it has, I haven't been able to find it in the code. I'm still looking.
>How-To-Repeat:
1. Install the www/phpbb port.
2. Perform default install operations using the WEBROOT/install/install.php page.
3. In the Administration panel, under General Admin and Configuration, set "enable visual confirmation" to yes.
4. Attempt to register a new user.
The result is a request to verify the contents of a non-existent image. If the session ID is hard-coded into the image-generating file, the test of the user's input still fails when the session ID changes yet again upon submission.
>Fix:
The simplest is to do away with the patch-includes-sessions.php patch. That solves it at the expense of potentially opening up the session ID DOS attack vulnerability. Better solutions are probably possible, such as limiting the number of anonymous sessions per IP. These would require more significant changes.
>Release-Note:
>Audit-Trail:
>Unformatted:
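The interaction the report describes, and the per-IP limit it suggests in the Fix section, can be modelled in a few dozen lines. The following is an added example for this page, not phpBB code and not the port's patch: the session store, the confirmation code (a keyed hash of the session ID standing in for whatever phpBB actually derives from it), the eviction rule for the per-IP cap and the IP addresses are all constructed assumptions. It walks the three requests of the registration repro (register.php, includes/usercp_confirm.php, register.php again) under three policies, and then runs the anonymous-session flood the original patch was meant to stop.

```python
"""Toy model of session persistence vs. visual confirmation in phpBB 2.
Not phpBB code: session handling, the confirmation code and the flood are
simplified stand-ins chosen for this example."""
import hashlib
import secrets
from collections import defaultdict, deque

ANONYMOUS = -1                                 # phpBB's user id for the anonymous user
SERVER_SECRET = b"constructed-example-secret"  # assumed server-side secret, not real


class SessionStore:
    """policy 'persist':      every request may create a stored session (unpatched behaviour)
       policy 'no_anonymous': anonymous users never get a stored session (effect of the patch)
       policy 'per_ip_cap':   anonymous sessions are stored, at most per_ip_cap live per IP"""

    def __init__(self, policy, per_ip_cap=None):
        self.policy = policy
        self.per_ip_cap = per_ip_cap
        self.sessions = {}                 # sid -> client ip
        self.by_ip = defaultdict(deque)    # ip -> anonymous sids, oldest first

    def begin(self, ip, cookie_sid=None, user_id=ANONYMOUS):
        """Return the session id this request runs under."""
        if cookie_sid is not None and cookie_sid in self.sessions:
            return cookie_sid              # resume the existing session
        sid = secrets.token_hex(16)
        if user_id == ANONYMOUS:
            if self.policy == "no_anonymous":
                return sid                 # fresh id on every hit, nothing is stored
            if self.policy == "per_ip_cap" and len(self.by_ip[ip]) >= self.per_ip_cap:
                oldest = self.by_ip[ip].popleft()   # assumed rule: evict this IP's oldest
                del self.sessions[oldest]
            self.by_ip[ip].append(sid)
        self.sessions[sid] = ip
        return sid

    def live_sessions(self):
        return len(self.sessions)


def confirm_code(sid):
    """Confirmation code bound to the session id; the keyed hash is an assumption."""
    return hashlib.sha256(SERVER_SECRET + sid.encode()).hexdigest()[:6].upper()


def register_with_visual_confirmation(store, ip="192.0.2.10"):
    """Three requests from one anonymous browser, as in the How-To-Repeat steps.
    The browser stores whatever session cookie the previous response set."""
    sid1 = store.begin(ip)                    # 1. GET register.php (form with the image tag)
    sid2 = store.begin(ip, cookie_sid=sid1)   # 2. GET includes/usercp_confirm.php (renders image)
    shown = confirm_code(sid2)                # what the user reads off the image
    sid3 = store.begin(ip, cookie_sid=sid2)   # 3. POST register.php with the typed code
    return shown == confirm_code(sid3)        # validation only passes if sid2 == sid3


def flood_anonymous_sessions(store, ip, requests):
    """Attacker hits the board `requests` times without ever sending a cookie."""
    for _ in range(requests):
        store.begin(ip)
    return store.live_sessions()


if __name__ == "__main__":
    for policy, cap in (("persist", None), ("no_anonymous", None), ("per_ip_cap", 5)):
        ok = register_with_visual_confirmation(SessionStore(policy, cap))
        live = flood_anonymous_sessions(SessionStore(policy, cap), "203.0.113.7", 1000)
        print(f"{policy:13s} registration={'ok' if ok else 'FAILS'} sessions after flood={live}")
```

Under `persist` the registration succeeds but 1000 cookieless requests leave 1000 live sessions; under `no_anonymous` the flood stores nothing but the confirmation code never matches, which is the failure the report describes; under `per_ip_cap` both hold. The cap is a model of the report's suggestion only: it bounds what one source address can allocate, but an attacker spread over many addresses still scales linearly with them, and users behind a shared NAT compete for the same slots.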