Bug 66150

Summary: [PATCH] SECURITY UPDATE ports/www/phpbb for IP spoofing vulnerability
Product: Ports & Packages
Reporter: Jason Li <delphij>
Component: Individual Port(s)
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED
Severity: Affects Only Me
CC: liukang
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments:
Description Flags
patch-phpbb none

Description Jason Li 2004-05-01 18:20:17 UTC
	There is an IP spoofing vulnerability in phpBB (up to and
including the latest 2.0.8a) as described here:

	http://www.vuxml.org/freebsd/cfe17ca6-6858-4805-ba1d-a60a61ec9b4d.html

	The attached patch pulled fixes obtained from phpBB's CVS repository.

	This is a good candidate for upcoming 4.10-RELEASE's ports collection.
If it is considered to be appropriate, please slip the tag as well.

Fix: Apply the attached patch against the ports tree:
Comment 1 Jason Li 2004-05-01 18:57:16 UTC
Also, I hope the attached patch, which mitigates session table exhaustion
that could be used in a DDoS attack after the above patch, gets its
way into phpbb/files so it will be automatically patched.

I suggest adding the following item to vuxml:

  <vuln vid=(A newly generated UUID?)>
    <topic>phpBB session table exhaustion</topic>
    <affects>
      <package>
	<name>phpbb</name>
	<range><le>2.0.8_2</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The includes/sessions.php unnecessarily adds session items into the
	session table and is therefore vulnerable to a DDoS attack.</p>
	</body>
    </description>
    <references>
	<url>http://www.securityfocus.com/archive/1/360931</url>
      <!--
	<mlist msgid="20040421011055.GA1448@frontfree.net">
	  http://www.securityfocus.com/archive/1/360931
	</mlist>
      -->
    </references>
    <dates>
      <discovery>2004-03-05</discovery>
      <entry>2004-05-01</entry>
    </dates>
  </vuln>

-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.
Comment 2 Jason Li 2004-05-01 19:10:52 UTC
Oops, forgot the attachment, it should be:

Index: includes/sessions.php
===================================================================
RCS file: /cvsroot/phpbb/phpBB2/includes/Attic/sessions.php,v
retrieving revision 1.58.2.10
diff -u -r1.58.2.10 sessions.php
--- includes/sessions.php	5 Apr 2003 12:04:33 -0000	1.58.2.10
+++ includes/sessions.php	17 Apr 2004 07:48:20 -0000
@@ -147,7 +147,7 @@
 		$sql = "INSERT INTO " . SESSIONS_TABLE . "
 			(session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
 			VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
-		if ( !$db->sql_query($sql) )
+		if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )
 		{
 			message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
 		}
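Review bot: In the changed condition `if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )`, the guest check is folded into the error test, so for anonymous users the INSERT is silently skipped by short-circuit evaluation and nothing in the code says this is intended. Suggest an explicit `if ( $user_id != ANONYMOUS )` block around the query, with a comment explaining that guest sessions are deliberately not stored in order to limit session table growth. Note also that the `$sql` string is still built for guests, and that after this change a guest has no row in SESSIONS_TABLE at all, so any code that looks up guest sessions by `session_id` should be checked against that.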
@@ -380,4 +380,4 @@
 	return $url;
 }
 
-?>
\ No newline at end of file
+?>
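Review bot: The only change in this hunk is adding the missing end-of-file newline after the closing `?>`, which is unrelated to the session fix. Suggest dropping it from the ports patch so the security change stays minimal and easy to compare against upstream.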


-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.
Comment 3 Pav Lucistnik freebsd_committer freebsd_triage 2004-05-06 11:07:16 UTC
State Changed
From-To: open->closed

Committed, thanks!