#5842: getClientIP() possibly returns a false IP address
-------------------------------------+--------------------------------------
    Reporter:  sdozono               |          Type:  Security Exploit
      Status:  new                   |      Priority:  High            
   Milestone:  1.2.x.x               |     Component:  General         
     Version:  RC3                   |      Severity:  Normal          
    Keywords:  HTTP_X_FORWARDED_FOR  |   Php_version:  n/a             
Cake_version:                        |  
-------------------------------------+--------------------------------------
 RequestHandlerComponent::getClientIP() checks the value of
 env('HTTP_X_FORWARDED_FOR') first, and if there is a value, this function
 returns it as the client's IP address. However, in some cases we can't
 trust this HTTP_X_FORWARDED_FOR. (http://en.wikipedia.org/wiki/X-Forwarded-For,
 "You should NOT trust all X-Forwarded-For information in this scenario as
 you may have received bogus information from the Internet.") If a
 CakePHP site uses this getClientIP() for auth control, there might be
 a security problem.

-- 
Ticket URL: <https://trac.cakephp.org/ticket/5842>
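The problem the ticket describes, as an added example (this is illustrative code written for this page, not CakePHP's RequestHandlerComponent and not the reporter's code): a naive lookup that lets any value of HTTP_X_FORWARDED_FOR override REMOTE_ADDR, beside a lookup that only honours the header when the TCP peer is one of a configured set of reverse proxies, and then walks the comma-separated chain from the right, since each trusted proxy appends the address it actually saw. The request environments, the proxy address 192.0.2.10 and the function names are constructed for the example.

```php
<?php
// Added example, not CakePHP code. Shows why returning
// HTTP_X_FORWARDED_FOR unconditionally is unsafe, and how to resolve the
// client address only through proxies we operate.

// Constructed request environments (stand-ins for $_SERVER / env()).
$directSpoof = [
    // Attacker connects straight to the app and forges the header to
    // look like an internal host.
    'REMOTE_ADDR'          => '203.0.113.45',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.5',
];

$viaProxy = [
    // Same attacker, but this time through our reverse proxy (hypothetical
    // address 192.0.2.10). The proxy appended the peer it saw on the right.
    'REMOTE_ADDR'          => '192.0.2.10',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.5, 198.51.100.7',
];

// Addresses of reverse proxies we run; only these may speak for the client.
$trustedProxies = ['192.0.2.10'];

/**
 * The pattern the ticket describes: the header wins whenever it is set,
 * so a client can claim any address (or a value that is not an IP at all).
 */
function naiveClientIp(array $env): string
{
    if (!empty($env['HTTP_X_FORWARDED_FOR'])) {
        return $env['HTTP_X_FORWARDED_FOR'];
    }
    return $env['REMOTE_ADDR'] ?? '';
}

/**
 * Hardened lookup. Start from the TCP peer; while that peer is a proxy we
 * trust, replace it with the rightmost remaining X-Forwarded-For entry.
 * Stop at the first address that is not one of our proxies: that is the
 * client as observed by trusted infrastructure. Anything further left was
 * supplied by the client and is never used.
 */
function clientIpBehindTrustedProxies(array $env, array $trustedProxies): string
{
    $ip = $env['REMOTE_ADDR'] ?? '';
    if (empty($env['HTTP_X_FORWARDED_FOR']) || !in_array($ip, $trustedProxies, true)) {
        return $ip; // no header, or the request did not come through our proxy
    }

    $hops = array_map('trim', explode(',', $env['HTTP_X_FORWARDED_FOR']));
    while ($hops && in_array($ip, $trustedProxies, true)) {
        $candidate = array_pop($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: keep the last address we could verify
        }
        $ip = $candidate;
    }
    return $ip;
}

// Direct connection with a forged header: naive lookup reports the spoofed
// internal address, hardened lookup reports the real peer.
printf("direct  naive: %s\n", naiveClientIp($directSpoof));                                 // 10.0.0.5
printf("direct  safe : %s\n", clientIpBehindTrustedProxies($directSpoof, $trustedProxies)); // 203.0.113.45

// Through our proxy: naive lookup returns the whole chain (not even a single
// IP), hardened lookup returns the peer the proxy saw.
printf("proxied naive: %s\n", naiveClientIp($viaProxy));                                    // 10.0.0.5, 198.51.100.7
printf("proxied safe : %s\n", clientIpBehindTrustedProxies($viaProxy, $trustedProxies));    // 198.51.100.7

// The ticket's concern in one line: an allow-list check on the naive value
// is bypassed by the forged header, the hardened value is not.
$internalAllowList = ['10.0.0.5'];
var_dump(in_array(naiveClientIp($directSpoof), $internalAllowList, true));                                 // bool(true)
var_dump(in_array(clientIpBehindTrustedProxies($directSpoof, $trustedProxies), $internalAllowList, true)); // bool(false)
```

Run with `php example.php`. The list of trusted proxy addresses must come from configuration controlled by the operator, never from the request; if the application is not behind a reverse proxy at all, the header should be ignored entirely and REMOTE_ADDR used as-is.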