
Gareth Heyes' Blog:
Faking the unexpected
December 04, 2007 @ 08:36:04

Gareth Heyes has an example of yet another way he's seen developers mishandle incoming requests and the data they carry. This time he focuses on the remote IP address reported for the client.

Developers place too much trust in everything; they assume that certain data cannot be faked, and therefore these pieces of data can be used as a Trojan horse. Let's take the remote IP of a user: it seems a trusted source because of the TCP/IP connection between the user and the server.

He points out the difference between HTTP_X_FORWARDED_FOR and REMOTE_ADDR: REMOTE_ADDR is the address of the TCP peer that connected to the server, while HTTP_X_FORWARDED_FOR is just a request header that the client (or any proxy in between) can set to anything. The two agree almost all of the time, which is why code ends up reading the header as if it were the connection address, but neither should be taken at face value: the header can be forged outright, and REMOTE_ADDR behind a proxy or load balancer is the proxy's address, not the user's. Because the header is free text rather than an address, the forged value need not even look like an IP; he includes an example script showing how it could be done and how a bit of JavaScript can be inserted, so a page or admin log that echoes the "IP" back becomes a cross-site scripting hole.
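To make the problem concrete, here is an added example (not code from Gareth Heyes' post or from PHPDeveloper.org) that puts the naive lookup beside a hardened one. The `$server` array is a constructed stand-in for `$_SERVER`, the reverse proxy address `10.0.0.5`, the `TRUSTED_PROXIES` list and the function names are assumptions for the example; the proxy is assumed to append the real peer address to X-Forwarded-For, and the attacker has pre-filled that header with a script tag.

```php
<?php
// Added example, not code from the original post. $server stands in for
// $_SERVER: the request arrives through our reverse proxy at 10.0.0.5 (assumed
// address), which appends the real TCP peer to X-Forwarded-For; the attacker
// has already put a script tag in that header before it reached the proxy.
$server = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>, 203.0.113.9',
];

// Vulnerable pattern: prefer the header because it "usually" holds the client
// IP. X-Forwarded-For is ordinary request text, so this returns whatever the
// client chose to send, script tags included.
function clientIpNaive(array $server): string
{
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
}

// Hardened pattern. TRUSTED_PROXIES lists the proxies we operate (an assumption
// for this example). X-Forwarded-For is consulted only when the TCP peer is one
// of them, and then only the rightmost entry not written by us is believed,
// because that is the hop our own proxy appended; everything to its left was
// supplied by the client and is attacker-controlled.
const TRUSTED_PROXIES = ['10.0.0.5'];

function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer; // direct connection: the TCP peer is the client
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], TRUSTED_PROXIES, true)) {
            continue; // skip addresses of our own proxies
        }
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i]; // first genuine address from the right
        }
        break; // not an IP at all (e.g. "<script>..."): stop trusting the chain
    }
    return $peer; // fall back to the proxy address, never to attacker text
}

// Whatever address is chosen, escape it before it reaches HTML (a ban page, an
// admin log viewer), so a forged header cannot turn into reflected or stored XSS.
function banMessage(string $ip): string
{
    return 'Requests from ' . htmlspecialchars($ip, ENT_QUOTES, 'UTF-8') . ' are blocked.';
}

echo clientIpNaive($server), "\n";            // the forged header, verbatim
echo clientIp($server), "\n";                 // the address our proxy appended
echo banMessage(clientIpNaive($server)), "\n"; // safe to render even if the naive value leaks through
```

Two things worth noting when adapting this. An IP ban or rate limit keyed on `clientIpNaive()` is bypassed by simply changing the header on each request, whereas `clientIp()` ignores the header entirely for clients that connect directly and, for clients behind the proxy, uses only the hop the proxy itself wrote. That guarantee holds only if the proxy really does append the peer address; a proxy that passes an incoming X-Forwarded-For through untouched leaves the rightmost entry just as untrusted as the rest.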


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework