| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 Jul 2005 10:04:58 +0300 (IDT) From: Alexander Klimov <alserkli@...ox.ru> To: Bojan Zdrnja <Bojan.Zdrnja@....hr> Cc: bugtraq@...urityfocus.com Subject: RE: [Full-disclosure] Anonymous Web Attacks via DedicatedMobileServices On Sun, 24 Jul 2005, Bojan Zdrnja wrote: > Regarding Google - yes, if you log only connections. > However, when you use translate.google.com service, Google will add a new > header in the HTTP request: > > X-Forwarded-For: <IP address> > > All proxy servers should add this header, even in the case of multiple > proxying, in which case all IP addresses should be listed under this header. > > For Apache, there is even a mod_extract_forwarded module which should change > the connection so it looks like it's coming from the IP behind the proxy > server. > If you do assume that x-forwarded-for is always genuine then you will have problems when somebody with direct connection adds x-forwarded-for to confuse you (this is very similar to email headers). BTW: I don't sure that it is that important for real attackers -- most of them are likely to use owned hosts anyway. -- Regards, ASK
Powered by blists - more mailing lists