phpBB 2.0.8a and lower - IP spoofing vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: phpBB 2.0.8a and lower - IP spoofing vulnerability
From: Ready Response <wang@xxxxxxxxxxx>
Date: 19 Apr 2004 00:01:29 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm



#####################################################################

Advisory Name : phpBB 2.0.8a and lower - IP spoofing vulnerability
Release Date : Apr 18, 2004 
Application : phpBB
Version : phpBB 2.0.8a and previous versions
Platform : PHP
Vendor URL : http://www.phpbb.com/
Author : Wang / SRR Project Group of Ready Response (srr@xxxxxxxxxxxxxxxxx)
     
#####################################################################

Overview

A vulnerability has been reported to exist in the software that may allow a 
remote user to spoof/forge their IP address, therefore making the 
phpBB/Administrator believe that users/posts are coming from a false IP. The 
problem reportedly exists in the code to obtain the users IP address in the 
common.php script. This issue is caused by blind trust of the X-Forwarded-For 
HTTP header. A remote attacker may exploit this issue to hide their IP address, 
or appear under the IP address of another user. It can also be used to bypass 
any ban restrictions that an administrator has placed on an IP via the PHPBB 
system.

------------------------------------------------

Discussion

There is code in common.php that starts:

//
// Obtain and encode users IP
//
if( getenv('HTTP_X_FORWARDED_FOR') != '' )
{
 $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? 
$HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) 
? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );

This code is used to obtain the users/posters IP address. However, if the 
X-Forwarded-For HTTP header is present, it will take the IP address from the 
header and blindly trust it to be the users/posters IP address. The problem is 
of course that the X-Forwarded-For HTTP header is easily forgable via a number 
of methods.
 
To take a trivial example...if a user were to spoof their X-Forwarded-For 
header to contain the information:

X-Forwarded-For: 1.3.3.7
 
When they post on a phpBB board - it blindly trusts that "1.3.3.7" is the users 
real IP address, and will present this IP address to the phpBB administrator if 
they choose to check the posters IP via the phpBB. Not only does this make it a 
pain for the phpBB administrator to then have to track down the users real IP 
via httpd server logs (if this is possible, which is not always the case) - it 
also makes it possible for a user to forge/spoof their IP to that of another 
user in a possible attempt to masquerade as them. 

In addition, this makes phpBB's IP ban feature close to useless because anyone 
can change their IP and evade the ban within seconds by changing their 
X-Forwarded-For header to an IP that is not banned (no need for a proxy).
 
In my opinion, since phpBB handles getting a users IP address in this way...it 
is a security glitch, as it means that IP's can't be trusted by a phpBB 
administrator, and bans can be evaded with ease.


------------------------------------------------

Solution

No official response/solution has been recieved from the phpBB group. A 
possible solution would be to not trust the X-Forwarded-For HTTP header when 
wishing to obtain a valid IP address by which to reference a user/poster.


In common.php find the following code around line 126:

//
// Obtain and encode users IP
//
if( getenv('HTTP_X_FORWARDED_FOR') != '' )
{
        $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? 
$HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) 
? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );

        $entries = explode(',', getenv('HTTP_X_FORWARDED_FOR'));
        reset($entries);
        while (list(, $entry) = each($entries))
        {
                $entry = trim($entry);
                if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, 
$ip_list) )
                {
                        $private_ip = array('/^0\./', '/^127\.0\.0\.1/', 
'/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', 
'/^224\..*/', '/^240\..*/');
                        $found_ip = preg_replace($private_ip, $client_ip, 
$ip_list[1]);

                        if ($client_ip != $found_ip)
                        {
                                $client_ip = $found_ip;
                                break;
                        }
                }
        }
}
else
{
        $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? 
$HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) 
? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
}
$user_ip = encode_ip($client_ip);


Replace the above code with:


//
// Obtain and encode users IP
//
$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? 
$HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) 
? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
$user_ip = encode_ip($client_ip);


This will remove the code that tries to obtain the posters IP via 
X-Forwarded-For.

------------------------------------------------

Credit

Discovery of this issue is credited to Wang & the SRR project group of Ready 
Response <srr@xxxxxxxxxxxxxxxxx>

Follow-Ups:
- Re: phpBB 2.0.8a and lower - IP spoofing vulnerability
  - From: 3APA3A
- Re: phpBB 2.0.8a and lower - IP spoofing vulnerability
  - From: Shaun Colley

Prev by Date: [waraxe-2004-SA#019 - Critical sql injection bug in Phorum 3.4.7]
Next by Date: MS Patches last Mon - Recap
Previous by thread: [waraxe-2004-SA#019 - Critical sql injection bug in Phorum 3.4.7]
Next by thread: Re: phpBB 2.0.8a and lower - IP spoofing vulnerability
Index(es):
- Date
- Thread