On Thu, 7 Dec 2006, Joshua Slive wrote:

> On 12/7/06, ara.t.howard@xxxxxxxx <ara.t.howard@xxxxxxxx> wrote:
>>>> still, i think even REMOTE_ADDR could be spoofed easily couldn't it?
>>>
>>> No, it is determined directly from the TCP/IP connection information which
>>> cannot be (easily) spoofed. The Client-IP is simply a request header which
>>> the client (or proxy) completely controls.
>>
>> ok. i'm understanding correctly then - spoofing remote_addr would most likely
>> involve packet wrapping. i'm not sure that would be considered 'hard' - but it
>> is indeed harder than setting headers.
>
> I'm not sure what you mean by "packet wrapping". But in general, it is hard
> to lie about the source IP address if you want to get a response from the
> server and are not on the same local network. (It is much easier if you are
> just doing a denial of service attack and hence don't care if you ever see a
> response.)
understood. since the last post i've verified that sending the client_ip via

  curl --header "CLIENT_IP: an_internal_ip" uri

does not, in fact, subvert the security. i'm not sure of the mechanism, but i can set new http_* headers but not over-write any existing ones via a client - or so it seems.

regards.

-a
--
if you want others to be happy, practice compassion.
if you want to be happy, practice compassion.
-- the dalai lama
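The distinction the thread draws (REMOTE_ADDR comes from the TCP connection, Client-IP and X-Forwarded-For are headers the client can set) as an added example that is not part of the original thread: a WSGI-style access check that bases its decision on REMOTE_ADDR and consults X-Forwarded-For only when the TCP peer is a reverse proxy we operate. The internal ranges, proxy address and sample requests are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample ranges: what counts as "internal" and which reverse proxies
# we run ourselves (assumed values, not from the original thread).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def effective_client_ip(environ):
    """Return the address an access decision should be based on.

    Start from REMOTE_ADDR (the TCP peer). Only if that peer is one of our own
    proxies do we consult X-Forwarded-For, walking it right-to-left and skipping
    every trusted hop, so a value the client prepended itself is never reached.
    HTTP_CLIENT_IP is deliberately ignored: it is client-controlled.
    """
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if peer not in TRUSTED_PROXIES:
        return peer
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in forwarded.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # garbage in the header: fall back to the proxy itself
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer  # header absent or only our proxies listed


def is_internal(environ):
    """True when the request should get 'internal' treatment."""
    ip = effective_client_ip(environ)
    return any(ip in net for net in INTERNAL_NETS)


# Constructed requests mirroring the curl test above: a direct external client
# that sets CLIENT-IP to an internal address, a real internal client behind our
# proxy, and an external client that sends its own X-Forwarded-For through it.
DIRECT_SPOOF = {"REMOTE_ADDR": "203.0.113.7", "HTTP_CLIENT_IP": "10.0.0.5"}
VIA_PROXY = {"REMOTE_ADDR": "10.0.0.2",
             "HTTP_X_FORWARDED_FOR": "10.0.0.5, 192.168.1.20"}
PROXY_SPOOF = {"REMOTE_ADDR": "10.0.0.2",
               "HTTP_X_FORWARDED_FOR": "10.0.0.5, 203.0.113.7"}
```

In the last case the proxy has appended the real peer address to whatever the client sent, so walking the header from the right reaches the genuine address first and the client-supplied internal value is never used.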