NukeCops - phpBB 2.0.8a IP Spoofing Vulnerability

In the vulnerability release here, Wang states that IPs can be spoofed and thereby hijacked when HTTP_FORWARDED_FOR is logging IP addresses. His suggestion is to take out the recording on this environment variable. Even though in theory this may be true, in practice it is a goose chase.

True anonymous remote proxy servers will not pass on HTTP_FORWARDED_FOR information, and will instead pass on REMOTE_ADDR. This means that the REMOTE_ADDR can then be spoofed. Per Wang's suggestion, the REMOTE_ADDR would need to be removed from being logged. So then, no IP gets logged into the sessions table?

Unless more detailed information can be provided, it is my personal opinion this is a wild goose chase. However, if you feel you need to implement his approach, please feel free. I only suggest that you read about TCP/IP and understand that remote proxy servers that act under true anonymity will still use REMOTE_ADDR and not HTTP_FORWARDED_FOR -- which then makes the fundamental REMOTE_ADDR supposedly spoofable.