[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <40D0FC0E.AD1D0B1B@dessent.net>
Date: Wed, 16 Jun 2004 19:03:58 -0700
From: Brian Dessent <brian@...sent.net>
To: GulfTech Security <security@...ftech.org>
Cc: BugTraq <bugtraq@...urityfocus.com>
Subject: Re: Problem With IP Logging In Invision Power Board?
GulfTech Security wrote:
>
> IPB like many other forum systems logs visitors IP's However I have
> noticed in the past that people who are surfing through some proxies
> have their internal (private) IP logged instead of their "real" IP
> Address. Here are a few screenshots I took of my LAN IP being logged
> instead of my internet IP.
>
> http://images.gulftech.org/ipb_1.png
> http://images.gulftech.org/ipb_2.png
>
> As far as I can tell it is using the X_FORWARDED_FOR IP, which might be
> a good thing as it could get the IP of a person using a non anonymous
> proxy or the like to cause some mischief, but it should definitely check
> for private IP's and if it finds one present go with the REMOTE_ADDR IP
> instead, or something different because IP's of private networks are
> pretty much useless to admins etc.
>
> I have not taken time to look at the code responsible for this behavior,
> but I did contact Invision a while back and was basically told to
> purchase a license if I wanted technical support. hmmmmm, great response
> :P BTW, the particular IPB version I have experienced this behavior on
> is the latest 1.3 release.
Yes, IPB trusts that header more than it should. It's not so much a bug
but rather an extremely poor design decision. One one hand it means
that *some* cases of someone using a proxy will be revealed, but on the
other hand it means that anyone with the appropriate knowledge can stick
anything in that field, rendering the logs completely worthless and
untrustable. For example:
wget --header="X-Forwarded-For: 0.0.0.0"
http://example.com/board/index.php
The end user can insert any IP address he wishes into the IPB logs for
all of his actions, and IPB dutifully records it. People seem to forget
that all HTTP headers are user-supplied data.
Brian
Powered by blists - more mailing lists