#5842: getClientIP() possibly returns a false IP address
-------------------------------------+--------------------------------------
Reporter: sdozono | Owner:
Type: RFC | Status: new
Priority: High | Milestone: 1.2.x.x
Component: General | Version: RC3
Severity: Normal | Resolution:
Keywords: HTTP_X_FORWARDED_FOR | Php_version: n/a
Cake_version: |
-------------------------------------+--------------------------------------
Comment (by sdozono):
Sorry, I should have explained more clearly what we want. So far,
CakePHP's getClientIP() "always" trusts the value of "HTTP_X_FORWARDED_FOR"
FIRST. But this is a value that anybody can change and fake at their
proxy servers. The correct usage of "HTTP_X_FORWARDED_FOR" is to
determine that the data certainly came through "YOUR pre-configured" proxy
servers inside your local network (not ANONYMOUS proxy servers that might
have fake IP addresses). So we have two options:
1) Get rid of the "HTTP_X_FORWARDED_FOR" check.
2) Make an optional argument array for
getClientIP($trusted_proxy_addresses=array()) and really check that the
value is from "pre-configured proxy servers".
Thank you for your consideration in advance.
Quote1:
Reverse proxy middleware
Important note: This does NOT validate HTTP_X_FORWARDED_FOR. If you’re not
behind a reverse proxy that sets HTTP_X_FORWARDED_FOR automatically, do
not use this middleware. Anybody can spoof the value of
HTTP_X_FORWARDED_FOR, and because this sets REMOTE_ADDR based on
HTTP_X_FORWARDED_FOR, that means anybody can “fake” their IP address. Only
use this when you can absolutely trust the value of HTTP_X_FORWARDED_FOR.
(Django | http://docs.djangoproject.com/en/dev/ref/middleware/)
Quote2:
http://osvdb.org/show/osvdb/20508
20508 : PunBB HTTP_X_FORWARDED_FOR IP Spoofing
PunBB 1.2.9, used alone or with F-ART BLOG:CMS, may trust a client's IP
address as specified in the X-Forwarded-For HTTP header rather than the
TCP/IP stack, which allows remote attackers to misrepresent their IP
address by sending a modified header.
Quote3:
SecuriTeam
SMF IP Spoofing and Ban Evasion
http://www.securiteam.com/unixfocus/5YP0315IUO.html
Simple Machines Forum - SMF in short - is a free, professional grade
software package that allows you to set up your own online community
within minutes. The IP detection section of SMF's code allows for someone
to spoof the X-Forwarded-For header. SMF trusts this value over the IP
address reported in general.
This allows an attacker to login and post using IP's that are not theirs,
making it impossible for the Administrator of the SMF forum to ban the
user.
Quote4:
Ruby on Rails
"IP spoofing attack" breaks with some proxies
http://rails.lighthouseapp.com/projects/8994/tickets/1200-ip-spoofing-attack-breaks-with-some-mobile-phones
Quote5:
Topic: [Script] Get Visitors Real IP (MOSTLY Spoof-Proof)
http://www.110mb.com/forum/script-get-visitors-real-ip-mostly-spoofproof-t33181.0.html
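The following is an added illustration of option 2 from the comment above; it is not CakePHP's getClientIP() and not code from the ticket. The function name clientIpFromTrustedProxies, the $trustedProxies parameter and all addresses are assumptions. X-Forwarded-For is consulted only when REMOTE_ADDR is one of the pre-configured proxies, and the header is then read from the right so that a value the client supplied itself is never used.

```php
<?php
declare(strict_types=1);

/*
 * Added example (assumption, not CakePHP's own getClientIP()).
 * Rule: X-Forwarded-For is only consulted when the TCP peer (REMOTE_ADDR)
 * is one of our pre-configured reverse proxies. The header is then walked
 * from the right, skipping our own proxies; the first remaining address
 * is the client. Requires PHP 7 or later.
 */
function clientIpFromTrustedProxies(array $server, array $trustedProxies): string
{
    $remote = (string) ($server['REMOTE_ADDR'] ?? '');

    // Peer is not one of our proxies: the header came from an untrusted party.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $header = trim((string) ($server['HTTP_X_FORWARDED_FOR'] ?? ''));
    if ($header === '') {
        return $remote;
    }

    // Each proxy appends the address it received the request from, so the
    // right-most entries are the ones written by proxies we control.
    $hops = array_map('trim', explode(',', $header));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed entry: do not guess, use the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;    // first address not written by one of our proxies
        }
    }

    return $remote; // header contained only our own proxies
}

// Constructed sample requests (RFC 5737 documentation addresses).
$trusted = ['10.0.0.1', '10.0.0.5'];

$cases = [
    'direct, spoofed header' => [
        'REMOTE_ADDR'          => '203.0.113.7',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.9',
    ],
    'via trusted proxy, spoofed header' => [
        'REMOTE_ADDR'          => '10.0.0.1',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7',
    ],
    'via two trusted proxies' => [
        'REMOTE_ADDR'          => '10.0.0.1',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.5',
    ],
    'via trusted proxy, garbage header' => [
        'REMOTE_ADDR'          => '10.0.0.1',
        'HTTP_X_FORWARDED_FOR' => 'not-an-ip',
    ],
];

foreach ($cases as $label => $server) {
    printf("%-36s => %s\n", $label, clientIpFromTrustedProxies($server, $trusted));
}
```

In the sample run the first three cases all resolve to 203.0.113.7, the address the trusted proxy actually saw, while the client-supplied 198.51.100.9 is ignored; the malformed header falls back to the proxy address. Every hop under your control must be in the trusted list, otherwise the walk stops at your own proxy instead of the client.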
--
Ticket URL: <https://trac.cakephp.org/ticket/5842#comment:3>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>
Cake is a rapid development framework for PHP which uses commonly known design
patterns like ActiveRecord, Association Data Mapping, Front Controller and MVC.
Our primary goal is to provide a structured framework that enables PHP users at
all levels to rapidly develop robust web applications, without any loss to
flexibility.
You received this message because you are subscribed to the Google Groups
"tickets cakephp" group.