Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 03-04-2003, 11:30 AM
Randomlove Randomlove is offline
 
Join Date: Sep 2002
Location: X
Posts: 21
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Is this hack safe?

Hi,
I'm new to this so take it easy everyone

Most of my users come from behind a proxy. In order to record the right IP when they register I did the following with register.php (vB 2.2.5, I won't upgrade until 2.3.0 becomes stable ).

Line 450 is the one that actually inserts a new user into the DB. It says:
Code:
  $DB_site->query("INSERT INTO user (userid,username,password,email,".$newstylefield."parentemail,coppauser,homepage,icq,ai$
I did this BEFORE that line:

Code:
  $ipaddress=iif(getenv("REMOTE_ADDR")!="",getenv("REMOTE_ADDR"),$HTTP_HOST);
  $ipaddress=iif(getenv("HTTP_X_FORWARDED_FOR")!="",getenv("HTTP_X_FORWARDED_FOR"),$ipaddress);
First line will record the regular IP, the second checks if there is a fowarded IP. REMOTE_ADDR might hold the proxy IP not the real IP.

My question is, will this affect $ipaddress somewhere else? Are the two lines safe and will cause a security problem?

Thanks.
Take care,

R.L.
Reply With Quote
  #2  
Old 03-04-2003, 05:55 PM
Randomlove Randomlove is offline
 
Join Date: Sep 2002
Location: X
Posts: 21
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hmmm, is my question that difficult? Or is it very stupid?
Reply With Quote
  #3  
Old 03-04-2003, 06:04 PM
Issvar Issvar is offline
 
Join Date: Mar 2002
Posts: 68
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Someone could just add the x_forwarded header to the output of his browser, and so fake his ip. You should also record the real ip.

Also someone using multiple chained proxies that set x_forwarded wouldn't have his/her real IP recorded.
Reply With Quote
  #4  
Old 03-04-2003, 06:13 PM
Randomlove Randomlove is offline
 
Join Date: Sep 2002
Location: X
Posts: 21
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well, most of my users are IT-challenged , so I don't think they can do such tricks. Secondly, I can't do what you suggested because I don't get in trouble once I decide to upgrade to 2.3.0

Thanks for the comment, but you didn't say whether there is any bad side-effect for the the two lines up there.

Take care,
R.L.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:43 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.09578 seconds
  • Memory Usage 2,186KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_code
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (4)post_thanks_box
  • (4)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (4)post_thanks_postbit_info
  • (4)postbit
  • (4)postbit_onlinestatus
  • (4)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete