lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <TheMailAgent.12735ae87522fa@39bdde345bcd057ef2ef5>
Date: Sat, 30 Jul 2005 10:04:58 +0300 (IDT)
From: Alexander Klimov <alserkli@...ox.ru>
To: Bojan Zdrnja <Bojan.Zdrnja@....hr>
Cc: bugtraq@...urityfocus.com
Subject: RE: [Full-disclosure] Anonymous Web Attacks via DedicatedMobileServices


On Sun, 24 Jul 2005, Bojan Zdrnja wrote:
> Regarding Google - yes, if you log only connections.
> However, when you use translate.google.com service, Google will add a new
> header in the HTTP request:
>
> X-Forwarded-For: <IP address>
>
> All proxy servers should add this header, even in the case of multiple
> proxying, in which case all IP addresses should be listed under this header.
>
> For Apache, there is even a mod_extract_forwarded module which should change
> the connection so it looks like it's coming from the IP behind the proxy
> server.
>

If you do assume that x-forwarded-for is always genuine then you will
have problems when somebody with direct connection adds
x-forwarded-for to confuse you (this is very similar to email
headers).

BTW: I don't sure that it is that important for real attackers -- most
of them are likely to use owned hosts anyway.

-- 
Regards,
ASK


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ