[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: phpBB 2.0.8a and lower - IP spoofing vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Re: phpBB 2.0.8a and lower - IP spoofing vulnerability
- From: Shaun Colley <shaunige@xxxxxxxxxxx>
- Date: Mon, 19 Apr 2004 21:05:18 +0100 (BST)
--- Ready Response <wang@xxxxxxxxxxx> wrote: >
>
>
>
#####################################################################
>
> Advisory Name : phpBB 2.0.8a and lower - IP spoofing
> vulnerability
> Release Date : Apr 18, 2004
> Application : phpBB
> Version : phpBB 2.0.8a and previous versions
> Platform : PHP
> Vendor URL : http://www.phpbb.com/
> Author : Wang / SRR Project Group of Ready Response
> (srr@xxxxxxxxxxxxxxxxx)
>
Good work guys ;)
I have put together a patch using the quick-fix Wang &
SRR Project Group suggested, which I hope will make
your job easier when fixing this issue in your board.
Here's the patch file:
---
--- common.orig.php 2003-07-20 11:42:24.000000000
-0400
+++ common.php 2004-04-19 15:45:52.038688056 -0400
@@ -126,32 +126,19 @@
//
// Obtain and encode users IP
//
-if( getenv('HTTP_X_FORWARDED_FOR') != '' )
-{
- $client_ip = (
!empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ?
$HTTP_SERVER_VARS['REMOTE_ADDR'] : ( (
!empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ?
$HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
-
- $entries = explode(',',
getenv('HTTP_X_FORWARDED_FOR'));
- reset($entries);
- while (list(, $entry) = each($entries))
- {
- $entry = trim($entry);
- if (
preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/",
$entry, $ip_list) )
- {
- $private_ip = array('/^0\./', '/^127\.0\.0\.1/',
'/^192\.168\..*/',
'/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/',
'/^10\..*/', '/^224\..*/', '/^240\..*/');
- $found_ip = preg_replace($private_ip, $client_ip,
$ip_list[1]);
-
- if ($client_ip != $found_ip)
- {
- $client_ip = $found_ip;
- break;
- }
- }
- }
-}
-else
-{
+// -=-=-=-
+// I have removed the offending code which attempted
to assume a user's IP
+// address based on the contents of the
X-Forwarded-For HTTP header, if one
+// existed. I could've commented the code out,
instead of simply removing it,
+// but that would make this patch bigger than
necessary.
+// This quick workaround will do for now, until phpBB
release a security
+// update.
+//
+// -shaun2k2
+// http://www.nettwerked.co.uk
+// -=-=-=-
+//
$client_ip = (
!empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ?
$HTTP_SERVER_VARS['REMOTE_ADDR'] : ( (
!empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ?
$HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
-}
$user_ip = encode_ip($client_ip);
//
@@ -184,4 +171,4 @@
message_die(GENERAL_MESSAGE, 'Board_disable',
'Information');
}
-?>
\ No newline at end of file
+?>
---
If my mail client obfuscates the patch, the patch is
available here:
<http://www.nettwerked.co.uk/code/phpbb-ipspoof.patch>.
The patch applies cleanly to phpBB2 2.0.8, 2.0.8a and
perhaps earlier versions.
Hope this helps is some way.
Thank you for your time.
Shaun.
____________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping"
your friends today! Download Messenger Now
http://uk.messenger.yahoo.com/download/index.html