The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Is this hack safe?
Hi,
I'm new to this so take it easy everyone. Most of my users come from behind a proxy. In order to record the right IP when they register I did the following with register.php (vB 2.2.5, I won't upgrade until 2.3.0 becomes stable). Line 450 is the one that actually inserts a new user into the DB. It says:

Code:
$DB_site->query("INSERT INTO user (userid,username,password,email,".$newstylefield."parentemail,coppauser,homepage,icq,ai$

Code:
$ipaddress=iif(getenv("REMOTE_ADDR")!="",getenv("REMOTE_ADDR"),$HTTP_HOST);
$ipaddress=iif(getenv("HTTP_X_FORWARDED_FOR")!="",getenv("HTTP_X_FORWARDED_FOR"),$ipaddress);

My question is, will this affect $ipaddress somewhere else? Are the two lines safe, and will they cause a security problem?

Thanks.

Take care,
R.L.
#2
Hmmm, is my question that difficult? Or is it very stupid?
#3
Someone could just add the x_forwarded header to the output of his browser, and so fake his IP. You should also record the real IP.
Also someone using multiple chained proxies that set x_forwarded wouldn't have his/her real IP recorded.
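
An added example, not part of the original thread and not vBulletin code: one way to handle both points raised in post #3, by always recording REMOTE_ADDR and reading X-Forwarded-For only when the connection comes from a known proxy. The function name `resolve_client_ip`, the `$trusted` list and all addresses are assumptions constructed for illustration, and the code targets current PHP rather than the vB 2.2.5 environment.

```php
<?php
// Added example, not vBulletin code. resolve_client_ip() and $trusted are
// hypothetical names; every address below is a constructed sample value.

/**
 * Returns [peer, client]: the TCP peer (REMOTE_ADDR, always recorded) and the
 * best-effort client address from X-Forwarded-For, which is consulted only
 * when the peer is a proxy the site operator knows and trusts.
 */
function resolve_client_ip(string $remoteAddr, ?string $xff, array $trustedProxies): array
{
    $peer = filter_var($remoteAddr, FILTER_VALIDATE_IP) ?: '0.0.0.0';
    // A direct connection can put anything in the header, so ignore it.
    if ($xff === null || !in_array($peer, $trustedProxies, true)) {
        return [$peer, $peer];
    }
    // Each proxy appends the address it saw, so walk the chain right to left
    // and stop at the first hop that is not one of the trusted proxies.
    $client = $peer;
    foreach (array_reverse(explode(',', $xff)) as $hop) {
        $hop = filter_var(trim($hop), FILTER_VALIDATE_IP);
        if ($hop === false) {
            break;              // malformed entry: stop trusting the chain
        }
        $client = $hop;
        if (!in_array($hop, $trustedProxies, true)) {
            break;              // first untrusted hop is the client we record
        }
    }
    return [$peer, $client];
}

$trusted = ['10.0.0.5'];        // assumed address of a proxy the operator trusts

$cases = [                      // [REMOTE_ADDR, X-Forwarded-For, description]
    ['203.0.113.9', '198.51.100.7',             'direct request, forged header'],
    ['10.0.0.5',    '198.51.100.7',             'request through trusted proxy'],
    ['10.0.0.5',    '192.0.2.44, 198.51.100.7', 'client-supplied entry in chain'],
    ['10.0.0.5',    'not-an-ip',                'junk value in header'],
];
foreach ($cases as [$remote, $header, $label]) {
    [$peer, $client] = resolve_client_ip($remote, $header, $trusted);
    printf("%-32s peer=%-12s client=%s\n", $label, $peer, $client);
}
```

Storing both returned values keeps the connecting address on record even when the forwarded value is used for display or matching.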
#4
Well, most of my users are IT-challenged, so I don't think they can do such tricks. Secondly, I can't do what you suggested because I don't get in trouble once I decide to upgrade to 2.3.0.
Thanks for the comment, but you didn't say whether there is any bad side-effect for the two lines up there.

Take care,
R.L.