Message-ID: <20040419200518.47479.qmail@web25107.mail.ukl.yahoo.com>
Date: Mon, 19 Apr 2004 21:05:18 +0100 (BST)
From: Shaun Colley <shaunige@...oo.co.uk>
To: bugtraq@...urityfocus.com
Cc: wang@...-x.co.uk
Subject: Re: phpBB 2.0.8a and lower - IP spoofing vulnerability


--- Ready Response <wang@...-x.co.uk> wrote:
>
> #####################################################################
>
> Advisory Name : phpBB 2.0.8a and lower - IP spoofing vulnerability
> Release Date : Apr 18, 2004
> Application : phpBB
> Version : phpBB 2.0.8a and previous versions
> Platform : PHP
> Vendor URL : http://www.phpbb.com/
> Author : Wang / SRR Project Group of Ready Response (srr@...dyresponse.org)
>

Good work guys ;)

I have put together a patch using the quick-fix Wang &
SRR Project Group suggested, which I hope will make
your job easier when fixing this issue in your board. 


Here's the patch file:


--- 
--- common.orig.php	2003-07-20 11:42:24.000000000
-0400
+++ common.php	2004-04-19 15:45:52.038688056 -0400
@@ -126,32 +126,19 @@
 //
 // Obtain and encode users IP
 //
-if( getenv('HTTP_X_FORWARDED_FOR') != '' )
-{
-	$client_ip = (
!empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ?
$HTTP_SERVER_VARS['REMOTE_ADDR'] : ( (
!empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ?
$HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
-
-	$entries = explode(',',
getenv('HTTP_X_FORWARDED_FOR'));
-	reset($entries);
-	while (list(, $entry) = each($entries)) 
-	{
-		$entry = trim($entry);
-		if (
preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/",
$entry, $ip_list) )
-		{
-			$private_ip = array('/^0\./', '/^127\.0\.0\.1/',
'/^192\.168\..*/',
'/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/',
'/^10\..*/', '/^224\..*/', '/^240\..*/');
-			$found_ip = preg_replace($private_ip, $client_ip,
$ip_list[1]);
-
-			if ($client_ip != $found_ip)
-			{
-				$client_ip = $found_ip;
-				break;
-			}
-		}
-	}
-}
-else
-{
+// -=-=-=-
+// I have removed the offending code which attempted
to assume a user's IP
+// address based on the contents of the
X-Forwarded-For HTTP header, if one
+// existed.  I could've commented the code out,
instead of simply removing it,
+// but that would make this patch bigger than
necessary.
+// This quick workaround will do for now, until phpBB
release a security
+// update.
+//
+// -shaun2k2
+// http://www.nettwerked.co.uk
+// -=-=-=-
+//
 	$client_ip = (
!empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ?
$HTTP_SERVER_VARS['REMOTE_ADDR'] : ( (
!empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ?
$HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
-}
 $user_ip = encode_ip($client_ip);
 
 //
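Review bot: removing the whole X-Forwarded-For branch (from `-if( getenv('HTTP_X_FORWARDED_FOR') != '' )` down to `-else`) does close the spoofing hole, because that header is supplied by the client and the old loop took the first non-private address it found as the user's IP, but it also changes behaviour for boards that sit behind a reverse proxy or load balancer: with only the `$HTTP_SERVER_VARS['REMOTE_ADDR']` fallback left, every visitor is now recorded with the proxy's address, which affects IP bans and logging. If that deployment matters, the safer shape is to honour X-Forwarded-For only when REMOTE_ADDR matches a configured list of trusted proxy addresses, and otherwise ignore it exactly as this hunk does. Separately, the fourteen-line signed comment block inserted above `$client_ip = (` is out of place in a file that ships to every board; a one-line note that the header is deliberately ignored would keep the patch smaller, which is the stated aim.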
@@ -184,4 +171,4 @@
 	message_die(GENERAL_MESSAGE, 'Board_disable',
'Information');
 }
 
-?>
\ No newline at end of file
+?>
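Review bot: this hunk changes nothing but the trailing newline after `?>` (note the `\ No newline at end of file` marker on the removed side), which is unrelated to the IP-spoofing fix and works against the goal of keeping the patch minimal; it will also produce a reject on any copy of common.php whose end-of-file already differs, even though the real fix above would apply fine. Regenerate the patch against an unmodified common.php, or strip this hunk, so only the IP-handling change remains.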
---


If my mail client obfuscates the patch, the patch is
available here:
<http://www.nettwerked.co.uk/code/phpbb-ipspoof.patch>.

The patch applies cleanly to phpBB2 2.0.8, 2.0.8a and
perhaps earlier versions.

Hope this helps in some way.



Thank you for your time.
Shaun.

