
Re: phpBB 2.0.8a and lower - IP spoofing vulnerability



--- Ready Response <wang@xxxxxxxxxxx> wrote:
>
> #####################################################################
>
> Advisory Name : phpBB 2.0.8a and lower - IP spoofing vulnerability
> Release Date : Apr 18, 2004
> Application : phpBB
> Version : phpBB 2.0.8a and previous versions
> Platform : PHP
> Vendor URL : http://www.phpbb.com/
> Author : Wang / SRR Project Group of Ready Response (srr@xxxxxxxxxxxxxxxxx)
>

Good work guys ;)

I have put together a patch using the quick-fix Wang &
SRR Project Group suggested, which I hope will make
your job easier when fixing this issue in your board. 


Here's the patch file:


--- 
--- common.orig.php     2003-07-20 11:42:24.000000000
-0400
+++ common.php  2004-04-19 15:45:52.038688056 -0400
@@ -126,32 +126,19 @@
 //
 // Obtain and encode users IP
 //
-if( getenv('HTTP_X_FORWARDED_FOR') != '' )
-{
-       $client_ip = (
!empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ?
$HTTP_SERVER_VARS['REMOTE_ADDR'] : ( (
!empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ?
$HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
-
-       $entries = explode(',',
getenv('HTTP_X_FORWARDED_FOR'));
-       reset($entries);
-       while (list(, $entry) = each($entries)) 
-       {
-               $entry = trim($entry);
-               if (
preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/",
$entry, $ip_list) )
-               {
-                       $private_ip = array('/^0\./', '/^127\.0\.0\.1/',
'/^192\.168\..*/',
'/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/',
'/^10\..*/', '/^224\..*/', '/^240\..*/');
-                       $found_ip = preg_replace($private_ip, $client_ip,
$ip_list[1]);
-
-                       if ($client_ip != $found_ip)
-                       {
-                               $client_ip = $found_ip;
-                               break;
-                       }
-               }
-       }
-}
-else
-{
+// -=-=-=-
+// I have removed the offending code which attempted
to assume a user's IP
+// address based on the contents of the
X-Forwarded-For HTTP header, if one
+// existed.  I could've commented the code out,
instead of simply removing it,
+// but that would make this patch bigger than
necessary.
+// This quick workaround will do for now, until phpBB
release a security
+// update.
+//
+// -shaun2k2
+// http://www.nettwerked.co.uk
+// -=-=-=-
+//
        $client_ip = (
!empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ?
$HTTP_SERVER_VARS['REMOTE_ADDR'] : ( (
!empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ?
$HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
-}
 $user_ip = encode_ip($client_ip);
 
 //
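Review bot: the replacement comment block (from "// -=-=-=-" to the second "// -=-=-=-") says who removed the code and why the patch is small, but not what changes for the board operator. With the HTTP_X_FORWARDED_FOR branch and its else wrapper gone, $client_ip is always taken from REMOTE_ADDR, so on a board deployed behind a reverse proxy or load balancer encode_ip($client_ip) will store the proxy's address as $user_ip for every visitor, and IP bans and per-IP records will no longer tell users apart. I would shorten the comment to one or two lines that state this consequence, keep the attribution in the patch description rather than in common.php, and note that any later reintroduction of the header should only honour it when REMOTE_ADDR is an address the administrator has configured as a trusted proxy.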
@@ -184,4 +171,4 @@
        message_die(GENERAL_MESSAGE, 'Board_disable',
'Information');
 }
 
-?>
\ No newline at end of file
+?>
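Review bot: the only change in this hunk is the end-of-file newline after the closing "?>", which is unrelated to the IP handling fix and looks like an editor side effect. Since the comment in the first hunk says the aim is to keep the patch no bigger than necessary, I would drop this hunk so the patch touches only the "Obtain and encode users IP" block and is less likely to be rejected against a common.php whose last lines differ.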
---


If my mail client obfuscates the patch, the patch is
available here:
<http://www.nettwerked.co.uk/code/phpbb-ipspoof.patch>.

The patch applies cleanly to phpBB2 2.0.8, 2.0.8a and
perhaps earlier versions.

Hope this helps in some way.



Thank you for your time.
Shaun.

