Package: phpbb3
Version: 3.0.2-4
Severity: important
Tags: security patch
I had only recently upgraded to phpbb3 when spambots started arriving.
The (default) captcha is very weak.
The GD captcha crack celebrates its first anniversary these days.
In the supplied database schema, the user_registration setting is even 0, which
means "no activation necessary". tststs ;-)
I provide a patch for that, and I also provide a patch that modifies the
default GD captcha settings "GD CAPTCHA background noise {x,y}-axis", and
foremost the patch also activates the GD captcha. One would have to make the
php*-gd packages a dependency though (currently: recommendation). The webserver
would also need to be reloaded on upgrade, although I believe it doesn't even
get reloaded on install.
Anyway, all of that still is no real solution. I'll be looking for a better
captcha to integrate.
Unfortunately, the "possibility to force user posts put in queue if post count
is lower than an admin-defined value" is also only in v3.0.3 and higher.
v3.0.6 has a completely new API for captchas, which no longer necessarily are
images with certain strings in them.
Not sure if it would be worth backporting that and how much work that would
be...
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages phpbb3 depends on:
ii apache2 2.2.9-10+lenny6 Apache HTTP Server metapackage
ii apache2-mpm-prefor 2.2.9-10+lenny6 Apache HTTP Server - traditional n
ii dbconfig-common 1.8.39 common framework for packaging dat
ii debconf [debconf-2 1.5.24 Debian configuration management sy
ii libapache2-mod-php 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii mysql-client 5.0.51a-24+lenny3 MySQL database client (metapackage
ii mysql-client-5.0 [ 5.0.51a-24+lenny3 MySQL database client binaries
ii php5 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii php5-cgi 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii php5-mysql 5.2.6.dfsg.1-1+lenny4 MySQL module for php5
Versions of packages phpbb3 recommends:
ii php5-gd 5.2.6.dfsg.1-1+lenny4 GD module for php5
pn php5-imagick | php <none> (no description available)
ii postfix [mail-tran 2.5.5-1.1 High-performance mail transport ag
Versions of packages phpbb3 suggests:
ii mysql-server 5.0.51a-24+lenny3 MySQL database server (metapackage
ii mysql-server-5.0 [mysq 5.0.51a-24+lenny3 MySQL database server binaries
-- debconf information:
phpbb3/mysql/app-pass: (password omitted)
phpbb3/app-password-confirm: (password omitted)
phpbb3/password-confirm: (password omitted)
phpbb3/pgsql/admin-pass: (password omitted)
phpbb3/mysql/admin-pass: (password omitted)
phpbb3/pgsql/app-pass: (password omitted)
phpbb3/db/basepath:
phpbb3/db/app-user:
phpbb3/dbconfig-reinstall: false
phpbb3/db/dbname:
phpbb3/install-error: abort
phpbb3/upgrade-backup: true
* phpbb3/dbconfig-install: false
phpbb3/mysql/method: unix socket
phpbb3/remote/newhost:
phpbb3/pgsql/manualconf:
phpbb3/dbconfig-remove:
phpbb3/internal/reconfiguring: false
phpbb3/pgsql/authmethod-user:
phpbb3/upgrade-error: abort
phpbb3/pgsql/authmethod-admin: ident
phpbb3/pgsql/method: unix socket
phpbb3/database-type:
phpbb3/mysql/admin-user: root
phpbb3/remote/host:
* phpbb3/httpd: apache2
phpbb3/remove-error: abort
phpbb3/dbconfig-upgrade: true
phpbb3/purge: false
phpbb3/missing-db-package-error: abort
phpbb3/pgsql/changeconf: false
phpbb3/internal/skip-preseed: true
phpbb3/pgsql/admin-user: postgres
phpbb3/remote/port:
phpbb3/pgsql/no-empty-passwords:
phpbb3/passwords-do-not-match:
diff -ur deb/control deb.mod/control
--- deb/control 2010-02-15 21:23:54.000000000 +0100
+++ deb.mod/control 2010-02-15 21:26:45.000000000 +0100
@@ -3,8 +3,8 @@
Architecture: all
Maintainer: Jeroen van Wolffelaar <[email protected]>
Installed-Size: 9968
-Depends: libapache2-mod-php5 | libapache-mod-php5 | php5-cgi | php5 | libapache2-mod-php4 | libapache-mod-php4 | php4-cgi | php4, php5-mysql | php5-pgsql | php5-odbc | php5-sybase | php4-mysql | php4-pgsql | php4-odbc | php4-sybase, apache2 | httpd, debconf | debconf-2.0, dbconfig-common, mysql-client | postgresql-client | sqlite
-Recommends: exim4 | mail-transport-agent, php5-imagick | php4-imagick, php5-gd | php4-gd
+Depends: libapache2-mod-php5 | libapache-mod-php5 | php5-cgi | php5 | libapache2-mod-php4 | libapache-mod-php4 | php4-cgi | php4, php5-mysql | php5-pgsql | php5-odbc | php5-sybase | php4-mysql | php4-pgsql | php4-odbc | php4-sybase, apache2 | httpd, debconf | debconf-2.0, dbconfig-common, mysql-client | postgresql-client | sqlite, php5-gd | php4-gd
+Recommends: exim4 | mail-transport-agent, php5-imagick | php4-imagick
Suggests: mysql-server | postgresql
Section: web
Priority: optional
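Review bot: moving php5-gd | php4-gd from Recommends into Depends is the right companion to enabling captcha_gd in the schema, but a hard dependency alone does not make the extension usable: as the report itself notes, the PHP module only picks up a freshly installed php5-gd after the web server is reloaded, so the postinst should trigger (or at least document) a reload on install and on upgrade. The php4-gd alternative just mirrors the php4 branches the existing Depends line already carries, which is fine for consistency.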
diff -ur deb/usr/share/dbconfig-common/data/phpbb3/install/mysql deb.mod/usr/share/dbconfig-common/data/phpbb3/install/mysql
--- deb/usr/share/dbconfig-common/data/phpbb3/install/mysql 2009-02-06 14:58:36.000000000 +0100
+++ deb.mod/usr/share/dbconfig-common/data/phpbb3/install/mysql 2010-02-15 21:28:15.000000000 +0100
@@ -1060,10 +1060,10 @@
INSERT INTO phpbb_config (config_name, config_value) VALUES ('bump_interval', '10');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('bump_type', 'd');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('cache_gc', '7200');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_foreground_noise', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_x_grid', '25');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_y_grid', '25');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_x_grid', '10');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_y_grid', '5');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('check_attachment_content', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('check_dnsbl', '0');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('chg_passforce', '0');
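Review bot: this only changes the defaults for fresh installs; the patch touches install/mysql but no upgrade script, so existing boards (the situation the report describes) keep captcha_gd=0 and the 25/25 grid unless the admin changes them in the ACP. An upgrade step along the lines of `UPDATE phpbb_config SET config_value='1' WHERE config_name='captcha_gd' AND config_value='0';` would cover those, though silently overriding an admin's deliberate choice on upgrade is debatable and deserves a debconf question. The asymmetric 10/5 grid values are also undocumented; a one-line rationale in the changelog would help the next maintainer.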
@@ -1184,7 +1184,7 @@
INSERT INTO phpbb_config (config_name, config_value) VALUES ('print_pm', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('queue_interval', '600');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('ranks_path', 'images/ranks');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('require_activation', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('require_activation', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('referer_validation', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', '/phpbb');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('search_block_size', '250');
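Review bot: require_activation '1' is phpBB's self-activation by e-mail (USER_ACTIVATION_SELF in constants.php), so registration now depends on the board being able to send mail, while the control file only Recommends exim4 | mail-transport-agent; on a host without an MTA, new users can never activate. Either default to admin activation ('2', USER_ACTIVATION_ADMIN), which needs no outbound mail, or promote the MTA to Depends in the same way the control hunk promotes gd.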
diff -ur deb/usr/share/dbconfig-common/data/phpbb3/install/pgsql deb.mod/usr/share/dbconfig-common/data/phpbb3/install/pgsql
--- deb/usr/share/dbconfig-common/data/phpbb3/install/pgsql 2009-02-06 14:58:36.000000000 +0100
+++ deb.mod/usr/share/dbconfig-common/data/phpbb3/install/pgsql 2010-02-15 21:28:36.000000000 +0100
@@ -1334,10 +1334,10 @@
INSERT INTO phpbb_config (config_name, config_value) VALUES ('bump_interval', '10');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('bump_type', 'd');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('cache_gc', '7200');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_foreground_noise', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_x_grid', '25');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_y_grid', '25');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_x_grid', '10');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_y_grid', '5');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('check_attachment_content', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('check_dnsbl', '0');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('chg_passforce', '0');
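Review bot: the mysql, pgsql and sqlite dbconfig files carry duplicate copies of these config rows, so this hunk has to stay in step with the mysql one; it does (captcha_gd '1', grid 10/5, foreground_noise untouched), and the same holds for the sqlite hunk below. Generating the three backend files from one source in the packaging would stop them drifting on the next such change.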
@@ -1458,7 +1458,7 @@
INSERT INTO phpbb_config (config_name, config_value) VALUES ('print_pm', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('queue_interval', '600');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('ranks_path', 'images/ranks');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('require_activation', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('require_activation', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('referer_validation', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', '/phpbb');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('search_block_size', '250');
diff -ur deb/usr/share/dbconfig-common/data/phpbb3/install/sqlite deb.mod/usr/share/dbconfig-common/data/phpbb3/install/sqlite
--- deb/usr/share/dbconfig-common/data/phpbb3/install/sqlite 2009-02-06 14:58:36.000000000 +0100
+++ deb.mod/usr/share/dbconfig-common/data/phpbb3/install/sqlite 2010-02-15 21:28:53.000000000 +0100
@@ -1028,10 +1028,10 @@
INSERT INTO phpbb_config (config_name, config_value) VALUES ('bump_interval', '10');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('bump_type', 'd');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('cache_gc', '7200');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_foreground_noise', '0');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_x_grid', '25');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_y_grid', '25');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_x_grid', '10');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('captcha_gd_y_grid', '5');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('check_attachment_content', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('check_dnsbl', '0');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('chg_passforce', '0');
@@ -1152,7 +1152,7 @@
INSERT INTO phpbb_config (config_name, config_value) VALUES ('print_pm', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('queue_interval', '600');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('ranks_path', 'images/ranks');
-INSERT INTO phpbb_config (config_name, config_value) VALUES ('require_activation', '0');
+INSERT INTO phpbb_config (config_name, config_value) VALUES ('require_activation', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('referer_validation', '1');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('script_path', '/phpbb');
INSERT INTO phpbb_config (config_name, config_value) VALUES ('search_block_size', '250');