lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040419000129.28917.qmail@www.securityfocus.com>
Date: 19 Apr 2004 00:01:29 -0000
From: Ready Response <wang@...-x.co.uk>
To: bugtraq@...urityfocus.com
Subject: phpBB 2.0.8a and lower - IP spoofing vulnerability





#####################################################################

Advisory Name : phpBB 2.0.8a and lower - IP spoofing vulnerability
Release Date : Apr 18, 2004 
Application : phpBB
Version : phpBB 2.0.8a and previous versions
Platform : PHP
Vendor URL : http://www.phpbb.com/
Author : Wang / SRR Project Group of Ready Response (srr@...dyresponse.org)
     
#####################################################################

Overview

A vulnerability has been reported to exist in the software that may allow a remote user to spoof/forge their IP address, therefore making the phpBB/Administrator believe that users/posts are coming from a false IP. The problem reportedly exists in the code to obtain the users IP address in the common.php script. This issue is caused by blind trust of the X-Forwarded-For HTTP header. A remote attacker may exploit this issue to hide their IP address, or appear under the IP address of another user. It can also be used to bypass any ban restrictions that an administrator has placed on an IP via the PHPBB system.

------------------------------------------------

Discussion

There is code in common.php that starts:

//
// Obtain and encode users IP
//
if( getenv('HTTP_X_FORWARDED_FOR') != '' )
{
 $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );

This code is used to obtain the users/posters IP address. However, if the X-Forwarded-For HTTP header is present, it will take the IP address from the header and blindly trust it to be the users/posters IP address. The problem is of course that the X-Forwarded-For HTTP header is easily forgable via a number of methods.
 
To take a trivial example...if a user were to spoof their X-Forwarded-For header to contain the information:

X-Forwarded-For: 1.3.3.7
 
When they post on a phpBB board - it blindly trusts that "1.3.3.7" is the users real IP address, and will present this IP address to the phpBB administrator if they choose to check the posters IP via the phpBB. Not only does this make it a pain for the phpBB administrator to then have to track down the users real IP via httpd server logs (if this is possible, which is not always the case) - it also makes it possible for a user to forge/spoof their IP to that of another user in a possible attempt to masquerade as them. 

In addition, this makes phpBB's IP ban feature close to useless because anyone can change their IP and evade the ban within seconds by changing their X-Forwarded-For header to an IP that is not banned (no need for a proxy).
 
In my opinion, since phpBB handles getting a users IP address in this way...it is a security glitch, as it means that IP's can't be trusted by a phpBB administrator, and bans can be evaded with ease.


------------------------------------------------

Solution

No official response/solution has been recieved from the phpBB group. A possible solution would be to not trust the X-Forwarded-For HTTP header when wishing to obtain a valid IP address by which to reference a user/poster.


In common.php find the following code around line 126:

//
// Obtain and encode users IP
//
if( getenv('HTTP_X_FORWARDED_FOR') != '' )
{
        $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );

        $entries = explode(',', getenv('HTTP_X_FORWARDED_FOR'));
        reset($entries);
        while (list(, $entry) = each($entries))
        {
                $entry = trim($entry);
                if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) )
                {
                        $private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/');
                        $found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);

                        if ($client_ip != $found_ip)
                        {
                                $client_ip = $found_ip;
                                break;
                        }
                }
        }
}
else
{
        $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
}
$user_ip = encode_ip($client_ip);


Replace the above code with:


//
// Obtain and encode users IP
//
$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
$user_ip = encode_ip($client_ip);


This will remove the code that tries to obtain the posters IP via X-Forwarded-For.

------------------------------------------------

Credit

Discovery of this issue is credited to Wang & the SRR project group of Ready Response <srr@...dyresponse.org>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ