Bug 93204

Summary: phpBB anti-DOS patch disallows visual authentication
Product: Ports & Packages Reporter: Goyo Roth <sadangel>
Component: Individual Port(s)Assignee: Xin LI <delphij>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
patch-phpbb none

Description Goyo Roth 2006-02-11 22:10:03 UTC 
I've discovered that the phpBB port as patched by patch-includes-sessions.php disallows the creation of sessions for users who are not logged in. This plugs the  DOS attack hole explained here: http://www.securityfocus.com/archive/1/360931. However, it also disallows the use of the visual authentication by user entering of random letters and numbers in distorted visual form. The current session ID is used to generate this image. The current session ID is accessed initially in register.php, in includes/usercp_confirm.php, and again in register.php when the response is submitted. If the anonymous user is not allowed to create a persistant session, each access requires the generation of a new session ID, none of which match so the image is not correctly generated, and, even if it were, it would not be validated. Ironically, it seems that the unavailability of this feature allows for another DOS attack in creation of new users automatically or by creation of new messages requesti
 ng registration if administrator authentication is enabled.

The vulnerability this patch was meant to plug was reported in 2004, has phpBB really not plugged this hole by other means since then? If so, I haven't been able to find it in the code. I'm still looking.

Fix: 

The simplest is to do away with the patch-includes-sessions.php patch. That solves it at the expense of potentially opening up the session id DOS attack vulnerability. Better solutions are probably possible such as limiting the number of anonymous sessions per IP. These would require more significant changes.
How-To-Repeat: 1. Install the www/phpbb port.
2. Perform default install operations using WEBROOT/install/install.php page.
3. In the Administration panel, under General Admin and Configuration, set "enable visual confirmation" to yes.
4. Attempt to register a new user.

The result is a request to verify the contents of a non-existant image. If the session ID is hard-coded into the image-generating file, the test of the users input still fails when the session ID changes yet again upon submission.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2006-02-12 07:55:36 UTC 
State Changed
From-To: open->feedback

Awaiting maintainers feedback
Comment 2 Xin LI 2006-02-12 08:55:47 UTC 
Hi, Goyo,

On 2/12/06, Goyo Roth <sadangel@pow2clk.net> wrote:
> >Synopsis:       phpBB anti-DOS patch disallows visual authentication

Which "visual authentication" method are you using?  AFAIK phpBB does
not have built-in visual authentication methods available.  Where did
you inserted the authentication?  This sounds like a bug in the visual
authentication module at a first glance...

Cheers,
--
Xin LI <delphij@delphij.net> http://www.delphij.net
Comment 3 Xin LI 2006-02-15 18:28:39 UTC 
> -----Original Message-----
> From: sadangel@pow2clk.net [mailto:sadangel@pow2clk.net]
> Sent: Tuesday, February 14, 2006 4:27 AM
> To: delphij@delphij.net
> Cc: Goyo Roth; freebsd-gnats-submit@freebsd.org;
> liukang@cn.freebsd.org
> Subject: Re: ports/93204: phpBB anti-DOS patch disallows
> visual authentication
>
> The visual authentication is an image generated of a
> seemingly random set
> of numbers and letters by includes/usercp_confirm.php. It is
> enabled in
> the administrator's panel under "configuration" as I described in the
> original report. One person's design decision is another
> person's bug, but

The "design" itself is, IMHO, apparantly yet another security
vulnerability.  The PRNG usage in usercp_register.php is flawed where
the random seed is initialized in a bad manner, moreover, it opens
another vulnerablility which permits flooding to the CONFIRM_TABLE,
from my first observations.

> the fact is that this implementation depends on anonymous users having
> their own session IDs that match the contents of the database
> at a few key
> points. When the patch I refer to is removed, visual
> authentication works
> fine.

I am strongly against removing the patch you have mentioned, however,
I would let the maintainer and the security officer to make a
decision.

I think this is nothing more than chown'ing everything to 777 and
setuid them to get things "work".  phpBB 2.0.x series has a colourful
history on security aspect, so I do not see much point to "fix" this
terribly wrongly designed "feature".

A potential compromise would be to make the patch optional, so the
administrator can choose whether to apply it or not.  This can be
implemented within half dozens of Makefile changes, along with
renaming the patch to another name so it would not be picked up by
bsd.port.mk automatically.  Since this downgrades the security of the
port, we may have to get approval from the security team.

Cheers,
--
Xin LI <delphij@delphij.net> http://www.delphij.net
Comment 4 Xin LI freebsd_committer freebsd_triage 2006-05-05 00:00:06 UTC 
Here is a patch that conditionally removes the anti-DoS patch.
Maintainer, do you approve or disapprove the patch?

Please note that the option is intentionally undocumented because
this option makes the user into a risk and should be generally
discouraged.

Cheers,
Comment 5 Xin LI freebsd_committer freebsd_triage 2006-05-05 00:06:47 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->delphij

Take.  Awaiting maintainer's response, who is in a trip right now.
Comment 6 Kang Liu 2006-05-06 05:48:15 UTC 
I'd like to approve this patch; but I think we'd better change
WITHOUT_ANTIDOS_PATCH to WITHOUT_ANTI_SESSIONTAB_DOS_PATCH or something
similar.

Kang
Comment 7 Xin LI freebsd_committer freebsd_triage 2006-05-06 05:55:58 UTC 
State Changed
From-To: feedback->open

feedback received.
Comment 8 Xin LI freebsd_committer freebsd_triage 2006-05-07 18:31:40 UTC 
State Changed
From-To: open->closed

A patch applied to make the anti-DoS patch optional.  Please note 
that we still strongly discourage of this functionality, but giving 
the user the choose is always good.