lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <40D0FC0E.AD1D0B1B@dessent.net>
Date: Wed, 16 Jun 2004 19:03:58 -0700
From: Brian Dessent <brian@...sent.net>
To: GulfTech Security <security@...ftech.org>
Cc: BugTraq <bugtraq@...urityfocus.com>
Subject: Re: Problem With IP Logging In Invision Power Board?


GulfTech Security wrote:
> 
> IPB like many other forum systems logs visitors IP's However I have
> noticed in the past that people who are surfing through some proxies
> have their internal (private) IP logged instead of their "real" IP
> Address. Here are a few screenshots I took of my LAN IP being logged
> instead of my internet IP.
> 
> http://images.gulftech.org/ipb_1.png
> http://images.gulftech.org/ipb_2.png
> 
> As far as I can tell it is using the X_FORWARDED_FOR IP, which might be
> a good thing as it could get the IP of a person using a non anonymous
> proxy or the like to cause some mischief, but it should definitely check
> for private IP's and if it finds one present go with the REMOTE_ADDR IP
> instead, or something different because IP's of private networks are
> pretty much useless to admins etc.
> 
> I have not taken time to look at the code responsible for this behavior,
> but I did contact Invision a while back and was basically told to
> purchase a license if I wanted technical support. hmmmmm, great response
> :P BTW, the particular IPB version I have experienced this behavior on
> is the latest 1.3 release.

Yes, IPB trusts that header more than it should.  It's not so much a bug
but rather an extremely poor design decision.  One one hand it means
that *some* cases of someone using a proxy will be revealed, but on the
other hand it means that anyone with the appropriate knowledge can stick
anything in that field, rendering the logs completely worthless and
untrustable.  For example:

wget --header="X-Forwarded-For: 0.0.0.0"
http://example.com/board/index.php

The end user can insert any IP address he wishes into the IPB logs for
all of his actions, and IPB dutifully records it.  People seem to forget
that all HTTP headers are user-supplied data.

Brian


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ