Hi all,
I'm working on a system that relies in $_SERVER['REMOTE_ADDR'] to get the user address and check it against a white list of addresses. Is this approach safe? Or is there a way of forcing values in superglobal variables?
Thank you, Diogo
+1
A:
The approach is safe.
The entries in this array are created by the web server.
henchman
2010-03-09 01:34:22
+2
A:
The value itself should be safe from outside injection - it is served by the web server - , but the client IP can be spoofed.
Related good reading: What is the most accurate way to retrieve a user’s correct IP address in PHP?
Pekka
2010-03-09 01:35:00
I don't agree that the IP can be spoofed. Sure, the user can be behind the proxy, but the IP can't actually be spoofed for a TCP protocol. See http://stackoverflow.com/questions/1180878/spoofing-the-origination-ip-address-of-an-http-request/1180938#1180938
Matthew Flaschen
2010-03-09 01:45:55
@Matthew I'm no expert in that field, but my understanding always was that it is possible to get a request with a spoofed IP *to* the web server, which can be enough when starting, say, a delete operation for which the attacker needs no feedback. Am I mistaken?
Pekka
2010-03-09 01:47:37
I'm not an expert either, but AFAICT even a GET request requires a three-way handshake. So the IP can't be trivially forged
Matthew Flaschen
2010-03-09 02:11:08
There is no three-way-handshake for a get request. see a get-example @ http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Example_session request => response
henchman
2010-03-09 07:21:38
Thanks for all the comments ;) reading the links now
DiogoNeves
2010-03-10 01:45:24
@henchman: before HTTP information can be processed, there is a TCP-level handshake: http://stackoverflow.com/questions/1180878/spoofing-the-origination-ip-address-of-an-http-request/1180938#1180938
Thilo
2010-03-10 02:18:33
ahhh, so mea culpa :-) i normally don't go as deep as osi layer 4 :-)
henchman
2010-03-10 03:05:53
+1
A:
The value in $_SERVER['REMOTE_ADDR'] is set by Apache (or whatever web server you're using), not by the user. So unless the user has access to the system itself (and not just web access), then you shouldn't have to worry about the user modifying it. You might, however, need to worry about addresses of proxies if you need to whitelist a user behind one.
Amber
2010-03-09 01:35:03
Thanks!My problem would be if there was a way of tricking the web server (Apache in this case) to think that the address is something else :)
DiogoNeves
2010-03-10 01:47:30
+1
A:
There is nothing the user can do to "force a value into this superglobal".
I am not sure if other PHP code could do that, but that should be under your control.
Also, if there are proxies between you and the user, you should check if the REMOTE_ADDR is set correctly. I would think that if you use Apache (and well-behaved proxies), that case would be handled properly.
Thilo
2010-03-09 01:36:17