PHPDeveloper.org: Gareth Heyes' Blog: Faking the unexpected

	News Feed
	Jobs Feed

Sections

Tutorials

Books

Events

Talks

Jobs

Recent Jobs

Job Posting: Quinstreet, Inc. Seeks Sr. PHP Developer (Foster City, CA)

Job Posting: WideEye Interactive/Moroch Advertising Seeks Web Developer (Dallas, TX)

Job Posting: Project People Ltd (Recruiter) Seeks PHP Developer (Paris, France)

Job Posting: Snelling (Recruiter) Seeks Web Programmer (Boston, MA)

Job Posting: Veedow Seeks Senior PHP Developer/Architect (London, UK)

Job Posting: Apex Systems (Recruiter) Seeks PHP Web Developers (Tampa, FL)

Job Posting: WordStream Seeks Web Application Developer (Needham, MA)

Job Posting: JS Creative Seeks Web Developer (Atlanta, GA)

Job Posting: Kodak Graphic Communications Group Seeks PHP Application Developer (Stamford, CT)

Job Posting: RJ Byrd (Recruiter) Seeks PHP Application Developer (Dallas, TX)

News Archive

IBM developerWorks: 30 game scripts you can write in PHP, Part 1: Creating 10 fundamental scripts

WebReference.com: Administering RBAC in PHP 5 CMS Framework

Douglas Clifton's Blog: PHP Specificity (a Five-part Series)

PHPro.org: Class Hierachies And Overriding

Hiveminds: PHP is a skill not a profession

Site News: Blast from the Past - One Year Ago in PHP

Zend Developer Zone: Dynamically Generating PDF Files with PHP and Haru

Jani Hartikainen's Blog: Base classes in OOP programming languages

Community News: PHP Quebec 2009 Schedule Announced

Community News: Latest Releases from PHPClasses.org

Gareth Heyes' Blog:
Faking the unexpected

by Chris Cornutt December 04, 2007 @ 08:36:04

Gareth Heyes has an example of yet another way he's seen developers incorrectly handle incoming connections and the information inside. This time, he focuses on the remote IP coming from the client.

Developers place too much trust in everything, they assume that certain data cannot be faked and therefore these pieces of data can be used as a Trojan horse. Lets take the REMOTE IP of a user, it seems a trusted source because of the TCP/IP connection between the user and the server.

He points out the difference between HTTP_X_FORWARDED_FOR and REMOTE_ADDR and how, despite them being the same almost all of the time, shouldn't be trusted since they could be spoofed. He even includes an example script showing how it could be done (and how a bit of Javascript can even be inserted).

0 comments voice your opinion now!
remoteaddr httpxforwardedfor remote ip address exploit remoteaddr httpxforwardedfor remote ip address exploit

Similar Posts

Net-Security.org: SUSE Security Announcement - php4,php5 problems

LWN.net: Remote file inclusion vulnerabilities

Community News: Ubuntu Updates PHP Packages

Human Edited Directory: Now remote debugging is possible for PHP

PHPBuilder.com: Remote objects and Zend_Amf

Community Events

Don't see your event here?
Let us know!

All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework