List: bugtraq
Subject: phpBB 2.0.8a and lower - IP spoofing vulnerability
From: Ready Response <wang () mod-x ! co ! uk>
Date: 2004-04-19 0:01:29
Message-ID: 20040419000129.28917.qmail () www ! securityfocus ! com
#####################################################################
Advisory Name : phpBB 2.0.8a and lower - IP spoofing vulnerability
Release Date : Apr 18, 2004
Application : phpBB
Version : phpBB 2.0.8a and previous versions
Platform : PHP
Vendor URL : http://www.phpbb.com/
Author : Wang / SRR Project Group of Ready Response (srr@readyresponse.org)
#####################################################################
Overview
A vulnerability has been reported to exist in phpBB that allows a remote user to spoof or forge their IP address, making phpBB and its administrator believe that users and posts come from a false IP. The problem is in the code in the common.php script that obtains the user's IP address: it blindly trusts the X-Forwarded-For HTTP header. A remote attacker can exploit this to hide their IP address, to appear under the IP address of another user, or to bypass any ban that an administrator has placed on an IP through phpBB.
------------------------------------------------
Discussion
There is code in common.php that starts:
//
// Obtain and encode users IP
//
if( getenv('HTTP_X_FORWARDED_FOR') != '' )
{
    $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
This code is used to obtain the user's (poster's) IP address. However, if the X-Forwarded-For HTTP header is present, phpBB takes the first entry in the header that does not fall into one of its listed private ranges and blindly trusts it as the poster's IP address, instead of the address the connection actually came from. The problem is of course that X-Forwarded-For is just a request header chosen by the client, so it is trivially forgeable with any tool that lets you add a header.
To take a trivial example, if a user sets their X-Forwarded-For header to:
X-Forwarded-For: 1.3.3.7
and then posts on a phpBB board, phpBB blindly records "1.3.3.7" as the user's real IP address, and that is the address shown to an administrator who checks the poster's IP through phpBB. Not only does this force the administrator to track down the user's real IP via the httpd server logs (if that is possible at all, which is not always the case), it also lets a user forge their IP to that of another user in an attempt to masquerade as them.
In addition, this makes phpBB's IP ban feature close to useless: anyone can evade a ban within seconds by changing their X-Forwarded-For header to an IP that is not banned (no proxy needed).
In my opinion, since phpBB handles getting a user's IP address in this way, it is a security glitch, as it means that IPs can't be trusted by a phpBB administrator, and bans can be evaded with ease.
------------------------------------------------
Solution
No official response or solution has been received from the phpBB Group. A possible solution is to not trust the X-Forwarded-For HTTP header at all when obtaining an IP address by which to reference a user or poster.
In common.php find the following code around line 126:
//
// Obtain and encode users IP
//
if( getenv('HTTP_X_FORWARDED_FOR') != '' )
{
    $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
    $entries = explode(',', getenv('HTTP_X_FORWARDED_FOR'));
    reset($entries);
    while (list(, $entry) = each($entries))
    {
        $entry = trim($entry);
        if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) )
        {
            $private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/',
                '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/');
            $found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);
            if ($client_ip != $found_ip)
            {
                $client_ip = $found_ip;
                break;
            }
        }
    }
}
else
{
    $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
}
$user_ip = encode_ip($client_ip);
Replace the above code with:
//
// Obtain and encode users IP
//
$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
$user_ip = encode_ip($client_ip);
This removes the code that tries to obtain the poster's IP via X-Forwarded-For, so the recorded address is always the one the connection actually came from (REMOTE_ADDR).
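The behaviour described in the Discussion and the fix given above, modelled as an added example; this is not phpBB's code, nor the advisory author's. phpbb_client_ip is a Python port of the common.php block quoted above, including its private-range skipping. hardened_client_ip is an assumed replacement: with no trusted proxies it returns REMOTE_ADDR alone, which is exactly the advisory's fix, and otherwise it honours X-Forwarded-For only when the connecting peer is one of the listed proxies. The request environments, the attacker address 198.51.100.7, the forged value 1.3.3.7 and the proxy 192.0.2.1 are all constructed.

```python
"""Model of phpBB 2.0.8a client-IP resolution next to a hardened version.

Added example, not phpBB code. phpbb_client_ip ports the X-Forwarded-For
block quoted from common.php; hardened_client_ip is an assumed replacement.
"""
import ipaddress
import re
from typing import Callable, Mapping, Sequence

# Same $private_ip pattern list as common.php, with the PCRE delimiters dropped.
PRIVATE_IP_PATTERNS = (
    r"^0\.", r"^127\.0\.0\.1", r"^192\.168\..*",
    r"^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*", r"^10\..*", r"^224\..*", r"^240\..*",
)


def phpbb_client_ip(env: Mapping[str, str]) -> str:
    """Vulnerable: port of the 'Obtain and encode users IP' block.

    env models the CGI environment: REMOTE_ADDR is the TCP peer and
    HTTP_X_FORWARDED_FOR is the raw header exactly as the client sent it.
    """
    client_ip = env["REMOTE_ADDR"]
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    if xff == "":
        return client_ip
    for entry in xff.split(","):
        m = re.match(r"^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)", entry.strip())
        if not m:
            continue
        # preg_replace($private_ip, $client_ip, ...): a private-range match is
        # rewritten to the real peer address and therefore skipped ...
        found_ip = m.group(1)
        for pattern in PRIVATE_IP_PATTERNS:
            found_ip = re.sub(pattern, client_ip, found_ip)
        # ... so the first entry that survives untouched is believed outright.
        if found_ip != client_ip:
            return found_ip
    return client_ip


def hardened_client_ip(env: Mapping[str, str],
                       trusted_proxies: Sequence[str] = ()) -> str:
    """Hardened: X-Forwarded-For counts only when the peer is a trusted proxy.

    With trusted_proxies empty this is the advisory's fix (REMOTE_ADDR only).
    When the board really sits behind a reverse proxy, list it here (assumed
    operator configuration); the right-most hop that is not one of our own
    proxies is then taken as the client.
    """
    peer = ipaddress.ip_address(env["REMOTE_ADDR"])
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    if not any(peer in net for net in trusted):
        return str(peer)
    hops = [h.strip() for h in env.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed chain: do not guess, fall back to the peer
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(peer)  # every hop was one of our proxies


def ban_evaded(resolver: Callable[[Mapping[str, str]], str],
               env: Mapping[str, str], banned_ips: Sequence[str]) -> bool:
    """True when a peer whose real address is banned gets past the IP ban."""
    return env["REMOTE_ADDR"] in banned_ips and resolver(env) not in banned_ips


# Constructed requests, not captured traffic. 198.51.100.7 stands for the
# attacker's real address; 1.3.3.7 is the value they forge, as in the advisory.
FORGED = {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_FORWARDED_FOR": "1.3.3.7"}
FORGED_WITH_PRIVATE = {"REMOTE_ADDR": "198.51.100.7",
                       "HTTP_X_FORWARDED_FOR": "10.0.0.5, 1.3.3.7"}
NO_HEADER = {"REMOTE_ADDR": "198.51.100.7"}
# Same attacker reaching the board through a legitimate reverse proxy at
# 192.0.2.1, which appends the real client address to whatever was sent.
VIA_PROXY = {"REMOTE_ADDR": "192.0.2.1",
             "HTTP_X_FORWARDED_FOR": "1.3.3.7, 198.51.100.7"}

if __name__ == "__main__":
    banned = ["198.51.100.7"]
    for name, env in [("forged", FORGED), ("forged+private", FORGED_WITH_PRIVATE),
                      ("no header", NO_HEADER), ("via proxy", VIA_PROXY)]:
        print(f"{name:15} phpBB={phpbb_client_ip(env):13} "
              f"fixed={hardened_client_ip(env):13} "
              f"proxy-aware={hardened_client_ip(env, ['192.0.2.1/32'])}")
    print("ban evaded under phpBB 2.0.8a:", ban_evaded(phpbb_client_ip, FORGED, banned))
```

Running the script prints what each resolver reports for each constructed request: the phpBB port believes 1.3.3.7 whenever it appears as the first public entry, while the hardened resolver reports the peer. The proxy-aware variant is there because the advisory's fix has a cost worth knowing about: if the board itself sits behind a reverse proxy, REMOTE_ADDR is the proxy's address and every poster will appear to come from it, so X-Forwarded-For then has to be honoured for that proxy, and only for that proxy.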
------------------------------------------------
Credit
Discovery of this issue is credited to Wang & the SRR project group of Ready Response <srr@readyresponse.org>