
Topic: Possible IP Spoofing 'feature'

It is possible that PunBB is exposed to the same exploit as phpBB was discovered to have. The problem lies in phpBB and PunBB(?) blindly trusting X-Forwarded-For, which should only be set when being proxied. If this value is set, the forum will use this IP as the user's IP:

For instance, adding the following when making a post
X-Forwarded-For: 1.3.3.7
would make you a 'leet' person ;)

I haven't tested if PunBB is exposed to this, but it's worth looking into.

More info at: http://www.packetstormsecurity.org/0404 … BB208a.txt

Re: Possible IP Spoofing 'feature'

The problem is that there is no good solution. Simply removing it and relying completely on REMOTE_ADDR is a bad idea. It will remove the ability to ban individuals as opposed to large groups of people.

"Programming is like sex: one mistake and you have to support it for the rest of your life."


Re: Possible IP Spoofing 'feature'

Perhaps there is another solution? Perhaps creating two classes of IPs: one proxyclass and one ordinaryip. Say a person without a proxy surfs the forum; then he'll get an IP in ordinaryip. But if HTTP_X_FORWARDED_FOR is set, then log both the proxy IP and the IP that should be the right one.

By logging both IPs it will be clearer what is happening. Are there any real problems with logging both?

Re: Possible IP Spoofing 'feature'

If a banned user wants to read a forum, he/she will do it regardless of IP bans. Just surfing via a proxy is easier than spoofing HTTP_X_FORWARDED_FOR. There is no solution to this problem.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Possible IP Spoofing 'feature'

Well, installing a local proxy and thus getting the IP 127.0.0.1 is also a nice way of having fun.

CGI:IRC has a list of "trusted" proxies and only uses the X-Forwarded-For from those.
And it checks both, the proxy's IP and the proxied IP against the ban lists.
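The two ideas above (log both addresses, and honour X-Forwarded-For only from a known proxy, as CGI:IRC does) can be combined in a small resolver. This is an added illustration written for this thread, not PunBB or CGI:IRC code; the trusted-proxy list, ban list and sample requests are constructed assumptions.

```php
<?php
// Added illustration, not PunBB code: honour X-Forwarded-For only when the TCP
// peer (REMOTE_ADDR) is a proxy we operate, and keep both addresses so the
// forum can log both and check both against the ban list.
// Assumption: hypothetical list of proxies whose headers we trust.
$trusted_proxies = ['10.0.0.5', '192.0.2.10'];
function resolve_client_ip(array $server, array $trusted_proxies): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $result = ['peer' => $peer, 'forwarded' => null, 'client' => $peer];
    // Untrusted peer: whatever it put in X-Forwarded-For is attacker-controlled.
    if (!in_array($peer, $trusted_proxies, true)) {
        return $result;
    }
    // Each proxy appends the address it received the request from, so the
    // header reads "oldest, ..., newest". Walk from the right, skipping our
    // own proxies; the first address that is not ours is the real client.
    // Anything further left may have been written by the client itself.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (in_array($hop, $trusted_proxies, true)) {
            continue;
        }
        // Reject garbage and loopback/private addresses (no "127.0.0.1" posters).
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($hop, FILTER_VALIDATE_IP, $flags) !== false) {
            $result['forwarded'] = $hop;
            $result['client'] = $hop;
        }
        break;
    }
    return $result;
}
function is_banned(array $ips, array $ban_list): bool
{
    // Check the peer and the forwarded address, as CGI:IRC does.
    foreach (['peer', 'forwarded'] as $key) {
        if ($ips[$key] !== null && in_array($ips[$key], $ban_list, true)) {
            return true;
        }
    }
    return false;
}
// Constructed samples: a direct client sending the header from this thread,
// and a client behind our proxy that prepended a fake loopback hop.
$ban_list = ['203.0.113.9'];
$direct  = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '1.3.3.7'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.9'];
var_dump(resolve_client_ip($direct, $trusted_proxies));
var_dump(is_banned(resolve_client_ip($proxied, $trusted_proxies), $ban_list));
```

For the direct request the header is ignored and the peer address is kept; for the proxied one the fake loopback hop is never reached because the walk stops at the first address the trusted proxy actually saw.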


Re: Possible IP Spoofing 'feature'

There is no way to "ban" someone in today's world of the internet. With all the wireless access points and dynamic IPs, not to mention the dial-up IP cycle, it is very easy to bypass IP-based bans.

Do, or do not.

Re: Possible IP Spoofing 'feature'

Well, it is possible. But it requires some work.
And quite some "collateral" damage.
(Banning by AS, or by registrar, etc. I co-maintain a service that quite reliably accepts only connections from one country. Okay, it's a positive list. ;))

Re: Possible IP Spoofing 'feature'

Elrond: How would that help? There are still millions of open proxies to use.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Possible IP Spoofing 'feature'

Well, then I could just ask, why you have IP-based banning at all?

And I personally just find it irritating to see someone have a 127.0.0.1 next to his posting.

Which was my main problem, when I found this thread.

Re: Possible IP Spoofing 'feature'

Because most people don't have the skill to mask their real IP address. Believe it or not.

"Programming is like sex: one mistake and you have to support it for the rest of your life."