[Secure-testing-team] Bug#570011: phpbb3: weak captcha attracts spambots
J.M.Roth
jmroth+debbug at iip.lu
Mon Feb 15 20:37:11 UTC 2010
Package: phpbb3
Version: 3.0.2-4
Severity: important
Tags: security patch
I had only recently upgraded to phpbb3 when spambots started arriving.
The (default) captcha is very weak.
The GD captcha crack celebrates its first anniversary these days.
In the supplied database scheme, the user_registration setting is even 0 which means "no activation necessary". tststs ;-)
I provide a patch for that, and I also provide a patch that modifies the default GD captcha settings "GD CAPTCHA background noise {x,y}-axis", and foremost the patch also activates the GD captcha. One would have to make the php*-gd packages a dependency though (currently: recommendation). The webserver would also need to be reloaded on upgrade, although I believe it doesn't even get reloaded on install.
Anyway, all of that still is no real solution. I'll be looking for a better captcha to integrate.
Unfortunately, the "possibility to force user posts put in queue if post count is lower than an admin defined value" is also only in v3.0.3 and higher.
v3.0.6 has a completely new API for captchas, which no longer necessarily are images with certain strings in them.
Not sure if it would be worth backporting that and how much work that would be...
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages phpbb3 depends on:
ii apache2 2.2.9-10+lenny6 Apache HTTP Server metapackage
ii apache2-mpm-prefor 2.2.9-10+lenny6 Apache HTTP Server - traditional n
ii dbconfig-common 1.8.39 common framework for packaging dat
ii debconf [debconf-2 1.5.24 Debian configuration management sy
ii libapache2-mod-php 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii mysql-client 5.0.51a-24+lenny3 MySQL database client (metapackage
ii mysql-client-5.0 [ 5.0.51a-24+lenny3 MySQL database client binaries
ii php5 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii php5-cgi 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii php5-mysql 5.2.6.dfsg.1-1+lenny4 MySQL module for php5
Versions of packages phpbb3 recommends:
ii php5-gd 5.2.6.dfsg.1-1+lenny4 GD module for php5
pn php5-imagick | php <none> (no description available)
ii postfix [mail-tran 2.5.5-1.1 High-performance mail transport ag
Versions of packages phpbb3 suggests:
ii mysql-server 5.0.51a-24+lenny3 MySQL database server (metapackage
ii mysql-server-5.0 [mysq 5.0.51a-24+lenny3 MySQL database server binaries
-- debconf information:
phpbb3/mysql/app-pass: (password omitted)
phpbb3/app-password-confirm: (password omitted)
phpbb3/password-confirm: (password omitted)
phpbb3/pgsql/admin-pass: (password omitted)
phpbb3/mysql/admin-pass: (password omitted)
phpbb3/pgsql/app-pass: (password omitted)
phpbb3/db/basepath:
phpbb3/db/app-user:
phpbb3/dbconfig-reinstall: false
phpbb3/db/dbname:
phpbb3/install-error: abort
phpbb3/upgrade-backup: true
* phpbb3/dbconfig-install: false
phpbb3/mysql/method: unix socket
phpbb3/remote/newhost:
phpbb3/pgsql/manualconf:
phpbb3/dbconfig-remove:
phpbb3/internal/reconfiguring: false
phpbb3/pgsql/authmethod-user:
phpbb3/upgrade-error: abort
phpbb3/pgsql/authmethod-admin: ident
phpbb3/pgsql/method: unix socket
phpbb3/database-type:
phpbb3/mysql/admin-user: root
phpbb3/remote/host:
* phpbb3/httpd: apache2
phpbb3/remove-error: abort
phpbb3/dbconfig-upgrade: true
phpbb3/purge: false
phpbb3/missing-db-package-error: abort
phpbb3/pgsql/changeconf: false
phpbb3/internal/skip-preseed: true
phpbb3/pgsql/admin-user: postgres
phpbb3/remote/port:
phpbb3/pgsql/no-empty-passwords:
phpbb3/passwords-do-not-match:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: security.diff
Type: text/x-diff
Size: 7820 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20100215/7e5b2e85/attachment-0001.diff>
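The report above complains about two shipped defaults: registration with no activation and the GD captcha switched off. The following is an added example (not part of the bug report, the attached security.diff, or phpBB itself) that audits a dump of the phpbb_config table for exactly those weak settings and produces the corresponding hardened values. It assumes the phpBB 3.0 config key names `require_activation` (what the report calls the user_registration setting), `captcha_gd`, `captcha_gd_x_grid`, `captcha_gd_y_grid` and `captcha_gd_foreground_noise`, the activation-mode constants from phpBB 3.0's constants.php, and that a grid value of 0 disables the noise on that axis; the sample dump is constructed to mirror the defaults the report describes.

```python
"""Audit a phpBB 3.0 phpbb_config dump for weak registration/captcha defaults.

Added example, not code from the bug report, the attached patch or phpBB.
Assumptions (labelled here and below): the config key names are those of
phpBB 3.0; the sample dump is constructed to mirror the reported defaults.
"""

# Constructed sample of `SELECT config_name, config_value FROM phpbb_config`
# limited to the keys of interest (assumption: these are the 3.0 key names).
SAMPLE_CONFIG_DUMP = """\
require_activation\t0
captcha_gd\t0
captcha_gd_x_grid\t25
captcha_gd_y_grid\t25
captcha_gd_foreground_noise\t0
"""

# phpBB 3.0 activation modes (assumption: values as in includes/constants.php).
USER_ACTIVATION_NONE = 0
USER_ACTIVATION_SELF = 1
USER_ACTIVATION_ADMIN = 2
USER_ACTIVATION_DISABLE = 3

# Assumption: a non-zero grid spacing the example falls back to when a grid
# axis is found disabled; pick whatever your installation uses.
FALLBACK_GRID_SPACING = 25


def parse_config_dump(dump):
    """Parse tab-separated `config_name<TAB>config_value` lines into a dict."""
    config = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition("\t")
        config[name.strip()] = value.strip()
    return config


def _as_int(config, name, default=0):
    """Read a config value as int; non-numeric or missing values use `default`."""
    try:
        return int(config.get(name, default))
    except ValueError:
        return default


def audit_registration_config(config):
    """Return (config_name, finding) tuples for each weak setting found.

    An empty list means none of the checked weaknesses are present.
    """
    findings = []
    if _as_int(config, "require_activation") == USER_ACTIVATION_NONE:
        findings.append(("require_activation",
                         "0 = no activation; bots register and post immediately"))
    if _as_int(config, "captcha_gd") == 0:
        findings.append(("captcha_gd", "GD captcha disabled"))
    for axis in ("x", "y"):
        key = "captcha_gd_%s_grid" % axis
        if _as_int(config, key) == 0:  # assumption: 0 turns that axis' noise off
            findings.append((key, "background noise disabled on this axis"))
    if _as_int(config, "captcha_gd_foreground_noise") == 0:
        findings.append(("captcha_gd_foreground_noise", "foreground noise disabled"))
    return findings


def hardened_config(config):
    """Return a copy with the report's remediation applied: require account
    activation (self-activation by e-mail) and enable the GD captcha with noise."""
    fixed = dict(config)
    fixed["require_activation"] = str(USER_ACTIVATION_SELF)
    fixed["captcha_gd"] = "1"
    fixed["captcha_gd_foreground_noise"] = "1"
    for axis in ("x", "y"):
        key = "captcha_gd_%s_grid" % axis
        if _as_int(fixed, key) == 0:
            fixed[key] = str(FALLBACK_GRID_SPACING)
    return fixed


if __name__ == "__main__":
    cfg = parse_config_dump(SAMPLE_CONFIG_DUMP)
    for name, finding in audit_registration_config(cfg):
        print("%-28s %s" % (name, finding))
    # The hardened copy should pass the same audit cleanly.
    assert audit_registration_config(hardened_config(cfg)) == []
```

Run it against a real dump (e.g. `mysql -N -e 'SELECT config_name, config_value FROM phpbb_config'` piped into `parse_config_dump`) to see which of the reported defaults an installation still carries; the hardened dictionary is what you would write back, and, as the report notes, the webserver still needs a reload for the PHP side to pick up a newly installed GD module.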