Bug 93204 - phpBB anti-DOS patch disallows visual authentication
Summary: phpBB anti-DOS patch disallows visual authentication
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Xin LI
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-02-11 22:10 UTC by Goyo Roth
Modified: 2006-05-07 18:33 UTC (History)

See Also:


Attachments
patch-phpbb (2.69 KB, text/plain; charset=us-ascii)
2006-05-05 00:00 UTC, Xin LI

Description Goyo Roth 2006-02-11 22:10:03 UTC
I've discovered that the phpBB port as patched by patch-includes-sessions.php disallows the creation of sessions for users who are not logged in. This plugs the DOS attack hole explained here: http://www.securityfocus.com/archive/1/360931. However, it also disallows the use of the visual authentication by user entering of random letters and numbers in distorted visual form. The current session ID is used to generate this image. The current session ID is accessed initially in register.php, in includes/usercp_confirm.php, and again in register.php when the response is submitted. If the anonymous user is not allowed to create a persistent session, each access requires the generation of a new session ID, none of which match, so the image is not correctly generated, and, even if it were, it would not be validated. Ironically, it seems that the unavailability of this feature allows for another DOS attack in creation of new users automatically or by creation of new messages requesting registration if administrator authentication is enabled.

The vulnerability this patch was meant to plug was reported in 2004, has phpBB really not plugged this hole by other means since then? If so, I haven't been able to find it in the code. I'm still looking.

Fix: 

The simplest is to do away with the patch-includes-sessions.php patch. That solves it at the expense of potentially opening up the session id DOS attack vulnerability. Better solutions are probably possible such as limiting the number of anonymous sessions per IP. These would require more significant changes.
How-To-Repeat: 1. Install the www/phpbb port.
2. Perform default install operations using WEBROOT/install/install.php page.
3. In the Administration panel, under General Admin and Configuration, set "enable visual confirmation" to yes.
4. Attempt to register a new user.

The result is a request to verify the contents of a non-existent image. If the session ID is hard-coded into the image-generating file, the test of the user's input still fails when the session ID changes yet again upon submission.
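The three-hop flow the report describes (register.php, includes/usercp_confirm.php, register.php on submit) and the two ways of handling anonymous sessions it weighs (the anti-DoS patch's "no persistent session" rule versus a per-IP cap) as an added model. This is example code written for this page, not phpBB's code: the Forum class, its method names and the addresses in the test are hypothetical, image rendering is omitted, and the session and confirm tables are plain dicts standing in for phpbb_sessions and CONFIRM_TABLE.

```python
"""Session-bound visual confirmation under two anonymous-session policies.

Added illustration, not phpBB code.  Names are hypothetical; the
per-IP cap is the "better solution" the report suggests, modelled as
evict-the-oldest so one source can hold at most N session rows.
"""
import secrets
import string
from collections import defaultdict

CONFIRM_ALPHABET = string.ascii_uppercase + string.digits


class Forum:
    def __init__(self, persist_anonymous, max_anon_per_ip=None):
        self.persist_anonymous = persist_anonymous
        self.max_anon_per_ip = max_anon_per_ip
        self.sessions = {}                   # sid -> ip   (phpbb_sessions)
        self.confirm = {}                    # sid -> code (CONFIRM_TABLE)
        self.anon_order = defaultdict(list)  # ip -> [sid, ...], oldest first

    def _new_session(self, ip):
        # Per-IP cap: drop this IP's oldest anonymous session (and its
        # pending confirm row) before adding a new one.
        if (self.max_anon_per_ip is not None
                and len(self.anon_order[ip]) >= self.max_anon_per_ip):
            old = self.anon_order[ip].pop(0)
            self.sessions.pop(old, None)
            self.confirm.pop(old, None)
        sid = secrets.token_hex(16)
        self.sessions[sid] = ip
        self.anon_order[ip].append(sid)
        return sid

    def request(self, ip, cookie_sid=None):
        """Session id in effect for one anonymous HTTP request."""
        if not self.persist_anonymous:
            # Anti-DoS patch behaviour: nothing is written to the table,
            # so every request gets a fresh, unrelated id.
            return secrets.token_hex(16)
        if cookie_sid in self.sessions:
            return cookie_sid
        return self._new_session(ip)

    def issue_confirm_code(self, sid):
        """register.php: store the code under the current session id."""
        code = "".join(secrets.choice(CONFIRM_ALPHABET) for _ in range(6))
        self.confirm[sid] = code
        return code

    def check_confirm_code(self, sid, answer):
        """register.php on submit: answer must match the row for *this* sid."""
        expected = self.confirm.pop(sid, None)
        return expected is not None and answer == expected


def registration_attempt(forum, ip):
    """An honest user walking the three hops; True if confirmation passes."""
    sid_form = forum.request(ip)                   # register.php (form)
    code = forum.issue_confirm_code(sid_form)
    sid_image = forum.request(ip, cookie_sid=sid_form)   # usercp_confirm.php
    if sid_image != sid_form:
        return False   # no row under this sid: no image can be drawn
    sid_submit = forum.request(ip, cookie_sid=sid_form)  # register.php (submit)
    return forum.check_confirm_code(sid_submit, code)


def flood(forum, ip, n):
    """n cookie-less requests from one IP (the 2004 session-table DoS).
    Returns the number of session rows left in the table."""
    for _ in range(n):
        forum.request(ip)
    return len(forum.sessions)


if __name__ == "__main__":
    for label, f in (("anti-DoS patch", Forum(persist_anonymous=False)),
                     ("unpatched", Forum(persist_anonymous=True)),
                     ("per-IP cap 50", Forum(persist_anonymous=True, max_anon_per_ip=50))):
        ok = registration_attempt(f, "198.51.100.7")       # constructed address
        rows = flood(f, "198.51.100.7", 1000)
        print(f"{label:15s} confirm passes: {ok!s:5s} rows after flood: {rows}")
```

The cap bounds what a single source can do to the table but is not free: a busy NAT that exceeds the cap evicts its own users' sessions mid-registration, so the value has to be set with the site's real traffic in mind, which is the "more significant changes" the report alludes to.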
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2006-02-12 07:55:36 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback
Comment 2 Xin LI 2006-02-12 08:55:47 UTC
Hi, Goyo,

On 2/12/06, Goyo Roth <sadangel@pow2clk.net> wrote:
> >Synopsis:       phpBB anti-DOS patch disallows visual authentication

Which "visual authentication" method are you using?  AFAIK phpBB does
not have built-in visual authentication methods available.  Where did
you insert the authentication?  This sounds like a bug in the visual
authentication module at a first glance...

Cheers,
--
Xin LI <delphij@delphij.net> http://www.delphij.net
Comment 3 Xin LI 2006-02-15 18:28:39 UTC
> -----Original Message-----
> From: sadangel@pow2clk.net [mailto:sadangel@pow2clk.net]
> Sent: Tuesday, February 14, 2006 4:27 AM
> To: delphij@delphij.net
> Cc: Goyo Roth; freebsd-gnats-submit@freebsd.org;
> liukang@cn.freebsd.org
> Subject: Re: ports/93204: phpBB anti-DOS patch disallows
> visual authentication
>
> The visual authentication is an image generated of a
> seemingly random set
> of numbers and letters by includes/usercp_confirm.php. It is
> enabled in
> the administrator's panel under "configuration" as I described in the
> original report. One person's design decision is another
> person's bug, but

The "design" itself is, IMHO, apparently yet another security
vulnerability.  The PRNG usage in usercp_register.php is flawed where
the random seed is initialized in a bad manner, moreover, it opens
another vulnerability which permits flooding to the CONFIRM_TABLE,
from my first observations.

> the fact is that this implementation depends on anonymous users having
> their own session IDs that match the contents of the database
> at a few key
> points. When the patch I refer to is removed, visual
> authentication works
> fine.

I am strongly against removing the patch you have mentioned, however,
I would let the maintainer and the security officer to make a
decision.

I think this is nothing more than chown'ing everything to 777 and
setuid them to get things "work".  phpBB 2.0.x series has a colourful
history on security aspect, so I do not see much point to "fix" this
terribly wrongly designed "feature".

A potential compromise would be to make the patch optional, so the
administrator can choose whether to apply it or not.  This can be
implemented within half a dozen Makefile changes, along with
renaming the patch to another name so it would not be picked up by
bsd.port.mk automatically.  Since this downgrades the security of the
port, we may have to get approval from the security team.

Cheers,
--
Xin LI <delphij@delphij.net> http://www.delphij.net
Comment 4 Xin LI freebsd_committer freebsd_triage 2006-05-05 00:00:06 UTC
Here is a patch that conditionally removes the anti-DoS patch.
Maintainer, do you approve or disapprove the patch?

Please note that the option is intentionally undocumented because
this option puts the user at risk and should be generally
discouraged.

Cheers,
Comment 5 Xin LI freebsd_committer freebsd_triage 2006-05-05 00:06:47 UTC
Responsible Changed
From-To: freebsd-ports-bugs->delphij

Take.  Awaiting maintainer's response, who is on a trip right now.
Comment 6 Kang Liu 2006-05-06 05:48:15 UTC
I'd like to approve this patch; but I think we'd better change
WITHOUT_ANTIDOS_PATCH to WITHOUT_ANTI_SESSIONTAB_DOS_PATCH or something
similar.

Kang
Comment 7 Xin LI freebsd_committer freebsd_triage 2006-05-06 05:55:58 UTC
State Changed
From-To: feedback->open

feedback received.
Comment 8 Xin LI freebsd_committer freebsd_triage 2006-05-07 18:31:40 UTC
State Changed
From-To: open->closed

A patch applied to make the anti-DoS patch optional.  Please note
that we still strongly discourage this functionality, but giving
the user the choice is always good.