
Topic: Offending IP Restrictions

  1. #1
    New user
    Registered since
    05.07.2013
    Posts
    1

    Offending IP Restrictions

    File: Database.php
    PHP code:
            // determine correct IP address and concat them if necessary
            $this->ip  = $_SERVER['REMOTE_ADDR'];
            $this->ip2 = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
    I suggest this gets some attention, especially if the collected remote IP address is used to permanently ban, restrict access, or redirect a browser based on an offending IP address, which is how this is custom-implemented in many distributed web application packages and how some users implement it.

    Issues:
    1/ On 'cluster' type server configurations, REMOTE_ADDR can often be (as is the case with Rackspace when HTTPS is on) the upline load-balancing proxy rather than the remote client's IP. So one could get into strife by, for example, restricting access, which could result in a complete DoS of the site for all users because the upline proxy IP was mistakenly restricted/redirected.
    2/ Again on cluster type and some cloud configurations, like Cloudflare for example, they have their own header HTTP_CF_CONNECTING_IP which is the remote IP, and REMOTE_ADDR is again an upline proxy.
    3/ HTTP_X_FORWARDED_FOR can often be a string of IP addresses rather than a single IP, where sometimes the first IP is the remote client and in other configurations it's the reverse of this.
    4/ HTTP_X_FORWARDED_FOR, like many other IP headers, can be spoofed, therefore there needs to be a boolean IP address check function as well before committing any content from that header to a database.

    Here is one I use (backward compatible with earlier versions of PHP):

    PHP code:
        function check_ip( $ip ) {
            # simple ip format check: use the filter extension when it is available
            if ( function_exists( 'filter_var' )
                 && defined( 'FILTER_VALIDATE_IP' )
                 && defined( 'FILTER_FLAG_IPV4' )
                 && defined( 'FILTER_FLAG_IPV6' ) ) {
                # the flags are a bitmask, so they are combined with | (a boolean || would be wrong)
                if ( false === filter_var( $ip, FILTER_VALIDATE_IP,
                                           FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6 ) ) {
                    return false;
                } else return true;
            }
            # fallback for PHP builds without filter_var: dotted-quad IPv4 only
            if ( preg_match( '/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/', $ip ) ) {
                $parts = explode( '.', $ip );
                foreach ( $parts as $ip_parts ) {
                    # each octet must be a number in the range 0..255
                    if ( ! is_numeric( $ip_parts ) ||
                        ( ( int )( $ip_parts ) > 255 ) ||
                        ( ( int )( $ip_parts ) < 0 ) ) {
                        return false;
                    }
                }
                return true;
            } else return false;
        }
    5/ If IP restriction also includes restricting access to IPs collected from HTTP_X_FORWARDED_FOR, it could then be possible in some server configurations for an attacker to include any IP they wish in HTTP_X_FORWARDED_FOR, using a banned request query string to trigger the restriction.

    Example:
    Code:
    GET /index.php?id=-1+union+select+from+where HTTP/1.1
    Host: www.somesite.local
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
    Accept: */*
    X-FORWARDED-FOR: 127.0.0.1
    Hope that helps,

    Taipo
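Putting the five points in the post above together, the following is an added example (not code from the original post, nor from the Database.php it quotes) that resolves the client address from REMOTE_ADDR and X-Forwarded-For without trusting a header an arbitrary client can set. The trusted-proxy list and the two sample requests are constructed for this example; a real deployment would fill the list with its own load balancer or CDN edge ranges.

```php
<?php
// Added example: derive the client IP behind trusted proxies safely.

/** Syntactic check: true for a well-formed IPv4 or IPv6 address. */
function is_valid_ip( $ip ) {
    return false !== filter_var( $ip, FILTER_VALIDATE_IP,
                                 FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6 );
}

/** True if $ip equals $range or lies inside it. CIDR matching is IPv4 only. */
function ip_in_range( $ip, $range ) {
    if ( strpos( $range, '/' ) === false ) {
        return $ip === $range;
    }
    list( $subnet, $bits ) = explode( '/', $range, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( $ip_long === false || $subnet_long === false ) {
        return false; // not IPv4, so it cannot be inside an IPv4 range
    }
    $bits = (int) $bits;
    if ( $bits <= 0 ) {
        return true;  // /0 matches every IPv4 address
    }
    if ( $bits > 32 ) {
        return false; // malformed prefix length
    }
    $mask = -1 << ( 32 - $bits );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

function is_trusted_proxy( $ip, array $trusted ) {
    foreach ( $trusted as $range ) {
        if ( ip_in_range( $ip, $range ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve the client IP from a $_SERVER-style array.
 *  - REMOTE_ADDR is the TCP peer and cannot be set by a header, so it is the
 *    starting point. If it is not a trusted proxy, it is the client, and any
 *    X-Forwarded-For it sent is ignored (this defeats issue 5 in the post).
 *  - If it is a trusted proxy, X-Forwarded-For is walked from the right
 *    (each proxy appends the peer it saw), skipping our other trusted
 *    proxies; the first untrusted address is the client. Whatever the client
 *    put at the left end is never reached unless every hop between is trusted.
 *  - Every candidate is validated before it is returned, so only a
 *    well-formed address ever reaches a ban list or database (issue 4).
 * Returns null when no trustworthy address can be determined.
 */
function client_ip( array $server, array $trusted_proxies ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    if ( ! is_valid_ip( $remote ) ) {
        return null;
    }
    if ( ! is_trusted_proxy( $remote, $trusted_proxies ) ) {
        return $remote;
    }
    $xff = isset( $server['HTTP_X_FORWARDED_FOR'] ) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    if ( trim( $xff ) === '' ) {
        return $remote; // the proxy itself is talking to us (health check etc.)
    }
    $hops = array_map( 'trim', explode( ',', $xff ) );
    for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
        if ( ! is_valid_ip( $hops[$i] ) ) {
            return null; // malformed entry: refuse to guess rather than ban garbage
        }
        if ( ! is_trusted_proxy( $hops[$i], $trusted_proxies ) ) {
            return $hops[$i];
        }
    }
    return $remote; // every hop was one of our own proxies
}

// Constructed assumption: the ranges of the proxies legitimately in front of us.
$trusted = array( '10.0.0.0/8', '192.0.2.10' );

// Constructed sample 1: direct connection carrying a spoofed header.
$direct = array( 'REMOTE_ADDR'          => '203.0.113.5',
                 'HTTP_X_FORWARDED_FOR' => '127.0.0.1' );
echo client_ip( $direct, $trusted ), "\n";

// Constructed sample 2: two trusted hops; the client prepended a fake 127.0.0.1.
$via_lb = array( 'REMOTE_ADDR'          => '10.1.2.3',
                 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7, 10.1.2.2' );
echo client_ip( $via_lb, $trusted ), "\n";
```

Run with `php`: the first request yields 203.0.113.5, because the peer is not a proxy we trust and its header carries no authority; the second yields 198.51.100.7, the first untrusted address counting from the right, so the client's prepended 127.0.0.1 is never reached. A CDN-specific header such as Cloudflare's CF-Connecting-IP from issue 2 would be handled the same way: read it only when REMOTE_ADDR is one of that CDN's own addresses, and validate it before use. The naive code quoted from Database.php would have stored the raw header string for both requests.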

  2. #2
    New user
    Registered since
    07.07.2014
    Posts
    3
    Inbox please, I have some questions.
