SitePoint Sponsor

User Tag List

Results 1 to 15 of 15
  1. #1
    SitePoint Zealot
    Join Date
    Nov 2008
    Posts
    172
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Security question: $_SERVER['REMOTE_ADDR']

    Can $_SERVER['REMOTE_ADDR'] be forged by a user? Would it be safe for me to bypass an authentication page if $_SERVER['REMOTE_ADDR'] = a certain IP that I know is good?

  2. #2
    SitePoint Zealot
    Join Date
    Apr 2009
    Location
    South Florida
    Posts
    187
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I think you should be good to go

    Code PHP:
    $_SERVER['REMOTE_ADDR']

    Is populated in server side, client cannot change those unless if you have PHP set to accept client post as global variables, usually this is turn off as a security measure

  3. #3
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2008
    Posts
    5,757
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I believe it would be ok because if they forge the ip address, any response your server generates will goto that ip address. And if this is your ip address, its unlikely they will be able to read the response unless they have breached the network between you and the server somehow.

    But, someone who piggy backs on your unsecured wireless network for example, or gets into your computer, will have a very easy time "logging in".

  4. #4
    Grumpy Minimalist
    Join Date
    Jul 2006
    Location
    Ontario, Canada
    Posts
    424
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes, the IP you receive from that variable cannot be forged and is the remote address for the TCP connection.

    However...

    Note that, due to NAT routers or ISP load balancing (among other things), there can be many, many users with a single IP. In fact, it's possible that a single user may change IP addresses between page requests, and that a completely different user may use the same IP as another one.

    In short: never bypass an authentication form based on IP address alone - either use cookies or re-authenticate.

  5. #5
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Tarh View Post
    Yes, the IP you receive from that variable cannot be forged and is the remote address for the TCP connection.
    In can be forged, creating TCP IP packets is quite an easy task.
    Last edited by logic_earth; Jun 15, 2009 at 17:49.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  6. #6
    SitePoint Wizard
    Join Date
    Mar 2008
    Posts
    1,149
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    IP packets*

    TCP packets don't contain address information.

    But anyway, getting routers between you and the server to accept your packet willy nilly is not so easy.
    Last edited by sk89q; Jun 15, 2009 at 18:09.

  7. #7
    SitePoint Zealot
    Join Date
    Nov 2008
    Posts
    172
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Okay, thought that this may be a nay, I was weary myself. It's a client that requested it, and I tried turning them away.

    Thank you for your responses.

  8. #8
    SitePoint Addict skunkbad's Avatar
    Join Date
    Apr 2008
    Location
    Temecula, CA
    Posts
    278
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I don't think relying on IP addresses is such a security issue, but the problem with using them within the context of an authentication system is that some ISPs (example: AOL) change IP on every page load. Look at your traffic logs and see it happen.

  9. #9
    SitePoint Wizard Hammer65's Avatar
    Join Date
    Nov 2004
    Location
    Lincoln Nebraska
    Posts
    1,161
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I agree. IP address can change to often to use it in page to page authentication. There is really no way around using a session system for this. You can however check the user agent string from one request to another. Even if it's blank/not supplied to start with, it should be so throughout a login session.
    Visit my blog
    PHP && Life
    for technology articles and musings.

  10. #10
    Grumpy Minimalist
    Join Date
    Jul 2006
    Location
    Ontario, Canada
    Posts
    424
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by logic_earth View Post
    In can be forged, creating TCP IP packets is quite an easy task.
    Completely false.

    It's trivial to generate packets, yes. However, please read up on the TCP three-way handshake. While generating false SYN packets is completely possible, it is NOT possible to respond with a correct ACK to the point of creating a sustained connection (this applies to TCP, not to UDP which is connectionless). It follows that forging a source IP in an HTTP transaction is also impossible.

  11. #11
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Tarh View Post
    Completely false...
    What I said is not "completely" false. For one I never said it would work or be useful to forge the IP address. I merely stated the IP address can be forged. So don't be putting words into my post.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  12. #12
    Grumpy Minimalist
    Join Date
    Jul 2006
    Location
    Ontario, Canada
    Posts
    424
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by logic_earth View Post
    I merely stated the IP address can be forged.
    It was written in such a way that it seemed to contradict my original statement, which is absolutely true in all circumstances: $_SERVER['REMOTE_ADDR'] cannot be forged.

  13. #13
    Floridiot joebert's Avatar
    Join Date
    Mar 2004
    Location
    Kenneth City, FL
    Posts
    823
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I was curious about this some months ago and looked up a lot of stuff I never want to see again about low-level aspects of an HTTP request.

    My first thought was something like this, consider the following URL.

    Code:
    http://.../command.php?do=adduser&name=me&pass=pass
    If the script simply accepted that command if the IP was known, and didn't require the user to click a confirm button with any sort of unique form key, it would seem like you wouldn't need to wait for a response from the server and it wouldn't matter if the server sent the response back to the correct address.

    If that were the case, you could just send the request with forged information.

    However that doesn't seem to be the case if I understood right. The server apparently doesn't even know a request exists until the machine who sent the request responds to a "did you just call my name?" type of request.

    User says "hey" -> Server says "what" -> User says "do you have...?" -> Server says "here is the ... you asked for"

    Since the user needs to get a response from the server before it can even make a request, forging the return address wouldn't be possible.

    Or would it ?

    What if an attacker knew a setup existed that relied on IP address validation, and also had a way to know when the verified user would be making requests to the server ?

    What would happen if an attacker spammed the server with request packets that had a forged IP address, is there a chance that one of these packets could be timed just right that instead of the verified users request packets getting through after the connection packets, the attackers packets got through instead ?

    Kinda like if someone put a dollar in the soda machine, then another person ran by and stole their soda as soon as it came out of the machine.

  14. #14
    SitePoint Wizard
    Join Date
    Mar 2008
    Posts
    1,149
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well, HTTP isn't low enough to matter. It's TCP, rather.

    Before you can send data with TCP, you have to instantiate a connection with the remote system. So you say "Hi, I'd like to connect to port 80, and hey, my sequence number for this connection is this random number A." The server replies with "Hey, let's connect. Here's your random number A + 1, and here's my own random number B." Then you reply with "Okay, I got it. Here's my original random number A + 2, and here's your random number B + 1." Only then can data actually be sent. The intended client must reply with the server's B + 1 number, so you have to somehow intercept that packet in order to reliably forge packets. You can try guessing, but the numbers are randomized and you have 2^32 possibilities.

    With every packet thereafter, the sequence number is incremented.

    And on top of that, a lot of routers do egress filtering (outbound filtering), which makes IP spoofing hard for a lot of people.
    Last edited by sk89q; Jun 16, 2009 at 22:31.

  15. #15
    SitePoint Zealot
    Join Date
    Nov 2008
    Posts
    172
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by skunkbad View Post
    I don't think relying on IP addresses is such a security issue, but the problem with using them within the context of an authentication system is that some ISPs (example: AOL) change IP on every page load. Look at your traffic logs and see it happen.
    This isn't an issue, I would never think about offering that as an authentication method for general users. This is for 1-2 users who will be using 1-3 machines total.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •