[Secure-testing-team] Bug#570011: phpbb3: weak captcha attracts spambots

J.M.Roth jmroth+debbug at iip.lu
Mon Feb 15 20:37:11 UTC 2010


Package: phpbb3
Version: 3.0.2-4
Severity: important
Tags: security patch

I had only recently upgraded to phpbb3 when spambots started arriving.

The (default) captcha is very weak.
The GD captcha crack celebrates its first anniversary these days.

In the supplied database scheme, the user_registration setting is even 0 which means "no activation necessary". tststs ;-)

I provide a patch for that, and I also provide a patch that modifies the default GD captcha settings "GD CAPTCHA background noise {x,y}-axis", and foremost the patch also activates the GD captcha. One would have to make the php*-gd packages a dependency though (currently: recommendation). The webserver would also need to be reloaded on upgrade, although I believe it doesn't even get reloaded on install.

Anyway, all of that still is no real solution. I'll be looking for a better captcha to integrate.

Unfortunately, the "possibility to force user posts put in queue if post count is lower than an admin defined value" is also only in v3.0.3 and higher.

v3.0.6 has a completely new API for captchas, which no longer are necessarily images with certain strings in them.
Not sure if it would be worth backporting that and how much work that would be...

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages phpbb3 depends on:
ii  apache2            2.2.9-10+lenny6       Apache HTTP Server metapackage
ii  apache2-mpm-prefor 2.2.9-10+lenny6       Apache HTTP Server - traditional n
ii  dbconfig-common    1.8.39                common framework for packaging dat
ii  debconf [debconf-2 1.5.24                Debian configuration management sy
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii  mysql-client       5.0.51a-24+lenny3     MySQL database client (metapackage
ii  mysql-client-5.0 [ 5.0.51a-24+lenny3     MySQL database client binaries
ii  php5               5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii  php5-cgi           5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii  php5-mysql         5.2.6.dfsg.1-1+lenny4 MySQL module for php5

Versions of packages phpbb3 recommends:
ii  php5-gd            5.2.6.dfsg.1-1+lenny4 GD module for php5
pn  php5-imagick | php <none>                (no description available)
ii  postfix [mail-tran 2.5.5-1.1             High-performance mail transport ag

Versions of packages phpbb3 suggests:
ii  mysql-server           5.0.51a-24+lenny3 MySQL database server (metapackage
ii  mysql-server-5.0 [mysq 5.0.51a-24+lenny3 MySQL database server binaries

-- debconf information:
  phpbb3/mysql/app-pass: (password omitted)
  phpbb3/app-password-confirm: (password omitted)
  phpbb3/password-confirm: (password omitted)
  phpbb3/pgsql/admin-pass: (password omitted)
  phpbb3/mysql/admin-pass: (password omitted)
  phpbb3/pgsql/app-pass: (password omitted)
  phpbb3/db/basepath:
  phpbb3/db/app-user:
  phpbb3/dbconfig-reinstall: false
  phpbb3/db/dbname:
  phpbb3/install-error: abort
  phpbb3/upgrade-backup: true
* phpbb3/dbconfig-install: false
  phpbb3/mysql/method: unix socket
  phpbb3/remote/newhost:
  phpbb3/pgsql/manualconf:
  phpbb3/dbconfig-remove:
  phpbb3/internal/reconfiguring: false
  phpbb3/pgsql/authmethod-user:
  phpbb3/upgrade-error: abort
  phpbb3/pgsql/authmethod-admin: ident
  phpbb3/pgsql/method: unix socket
  phpbb3/database-type:
  phpbb3/mysql/admin-user: root
  phpbb3/remote/host:
* phpbb3/httpd: apache2
  phpbb3/remove-error: abort
  phpbb3/dbconfig-upgrade: true
  phpbb3/purge: false
  phpbb3/missing-db-package-error: abort
  phpbb3/pgsql/changeconf: false
  phpbb3/internal/skip-preseed: true
  phpbb3/pgsql/admin-user: postgres
  phpbb3/remote/port:
  phpbb3/pgsql/no-empty-passwords:
  phpbb3/passwords-do-not-match:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: security.diff
Type: text/x-diff
Size: 7820 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20100215/7e5b2e85/attachment-0001.diff>
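As an added illustration of the weak defaults the report describes (not the reporter's patch and not phpBB code), the following checker audits a phpBB 3.0.x phpbb_config dump for the registration and GD CAPTCHA settings in question. The config names and their meanings (require_activation, captcha_gd, captcha_gd_x_grid, captcha_gd_y_grid, with lower grid spacing meaning more background noise and 0 meaning off) are assumed from phpBB 3.0's schema_data.sql and ACP help text, and the max_grid threshold is an assumed local policy; verify both against your own install.

```python
# Added example: audit a phpBB 3.0.x phpbb_config dump for the weak
# registration and CAPTCHA defaults this report describes. Not phpBB's or
# the reporter's code. Config names and meanings are assumed from phpBB 3.0's
# schema_data.sql and ACP help text; verify them against your own install.

# Constructed sample: the values phpBB 3.0's shipped schema puts in phpbb_config
# (require_activation is the setting the report calls "user_registration").
SHIPPED_DEFAULTS = {
    "require_activation": "0",   # assumed: 0 = no activation, 1 = by user, 2 = by admin
    "captcha_gd": "0",           # assumed: 1 = use the GD CAPTCHA
    "captcha_gd_x_grid": "25",   # assumed: grid spacing in px, lower = more noise, 0 = off
    "captcha_gd_y_grid": "25",
}

# Constructed sample of a hardened configuration for comparison.
HARDENED = {
    "require_activation": "1",
    "captcha_gd": "1",
    "captcha_gd_x_grid": "15",
    "captcha_gd_y_grid": "15",
}


def audit_config(config, gd_available=True, max_grid=20):
    """Return (config_name, problem) tuples; an empty list means nothing weak found.

    gd_available models the report's caveat that captcha_gd needs php*-gd,
    which the Debian package only recommends. max_grid (assumed local policy)
    is the largest noise-grid spacing still considered acceptable.
    """
    findings = []
    if config.get("require_activation", "0") == "0":
        findings.append(("require_activation", "0: accounts usable without any activation"))
    if config.get("captcha_gd", "0") != "1":
        findings.append(("captcha_gd", "GD CAPTCHA not enabled"))
    elif not gd_available:
        findings.append(("captcha_gd", "GD CAPTCHA enabled but the PHP GD module is missing"))
    for key in ("captcha_gd_x_grid", "captcha_gd_y_grid"):
        try:
            spacing = int(config.get(key, "0"))
        except ValueError:
            spacing = 0  # non-numeric value: treat as noise disabled
        if spacing <= 0:
            findings.append((key, "0: background noise disabled"))
        elif spacing > max_grid:
            findings.append((key, "%d: noise grid too sparse (max %d)" % (spacing, max_grid)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("shipped", SHIPPED_DEFAULTS), ("hardened", HARDENED)):
        print(name, audit_config(cfg) or "ok")
```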
