|
- Readme First! -
Read and follow the rules, otherwise your posts will be closed |
|
|
|
|
|
There are currently, 139 guest(s) and 0 member(s) that are online.
You are Anonymous user. You can register for free by clicking here |
|
|
|
|
|
phpBB 2.0.8a IP Spoofing Vulnerability |
|
 In the vulnerability release here, Wang states that IPs can be spoofed and thereby hijacked when HTTP_FORWARDED_FOR is logging IP addresses. His suggestion is to take out the recording on this environment variable. Even though in theory this may be true, in practice it is a goose chase.
True anonymous remote proxy servers will not pass on HTTP_FORWARDED_FOR information, and will instead pass on REMOTE_ADDR. This means that the REMOTE_ADDR can then be spoofed. Per Wang's suggestion, the REMOTE_ADDR would need to be removed from being logged. So then, no IP gets logged into the sessions table?
Unless more detailed information can be provided, it is my personal opinion this is a wild goose chase. However, if you feel you need to implement his approach, please feel free. I only suggest that you read about TCP/IP and understand that remote proxy servers that act under true anonymity will still use REMOTE_ADDR and not HTTP_FORWARDED_FOR -- which then makes the fundamental REMOTE_ADDR supposedly spoofable.
|
|
Posted on Wednesday, April 21 @ 18:04:38 CEST by Zhen-Xjell |
|
|
|
|
| |
|
Average Score: 3.66
Votes: 6
|
|
|
|
|
|
|
| | The comments are owned by the poster. We aren't responsible for their content. |
| | | | |
| No Comments Allowed for Anonymous, please register | | | | | |
