--- Ready Response <wang@mod-x.co.uk> wrote: > > > > ##################################################################### > > Advisory Name : phpBB 2.0.8a and lower - IP spoofing > vulnerability > Release Date : Apr 18, 2004 > Application : phpBB > Version : phpBB 2.0.8a and previous versions > Platform : PHP > Vendor URL : http://www.phpbb.com/ > Author : Wang / SRR Project Group of Ready Response > (srr@readyresponse.org) > Good work guys ;) I have put together a patch using the quick-fix Wang & SRR Project Group suggested, which I hope will make your job easier when fixing this issue in your board. Here's the patch file: ---
--- common.orig.php 2003-07-20 11:42:24.000000000 -0400
+++ common.php 2004-04-19 15:45:52.038688056 -0400
@@ -126,32 +126,19 @@
 //
 // Obtain and encode users IP
 //
-if( getenv('HTTP_X_FORWARDED_FOR') != '' )
-{
- $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
-
- $entries = explode(',', getenv('HTTP_X_FORWARDED_FOR'));
- reset($entries);
- while (list(, $entry) = each($entries))
- {
- $entry = trim($entry);
- if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) )
- {
- $private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/');
- $found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);
-
- if ($client_ip != $found_ip)
- {
- $client_ip = $found_ip;
- break;
- }
- }
- }
-}
-else
-{
+// -=-=-=-
+// I have removed the offending code which attempted to assume a user's IP
+// address based on the contents of the X-Forwarded-For HTTP header, if one
+// existed. I could've commented the code out, instead of simply removing it,
+// but that would make this patch bigger than necessary.
+// This quick workaround will do for now, until phpBB release a security
+// update.
+//
+// -shaun2k2
+// http://www.nettwerked.co.uk
+// -=-=-=-
+//
 $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
-}
 $user_ip = encode_ip($client_ip);
 //
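Review bot: The retained line `$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? ... : $REMOTE_ADDR );` still ends in a fallback to the bare global `$REMOTE_ADDR`, which only exists when register_globals is enabled and in that configuration is not guaranteed to come from the web server, so the client-controlled-address problem this patch targets is narrowed but not closed; drop the bare-global fallback (or read `$_SERVER['REMOTE_ADDR']` where the PHP version provides it) and treat an empty value as a hard error rather than handing an unset variable to `encode_ip()`. Removing the X-Forwarded-For branch outright means a board behind a reverse proxy will now record the proxy's address for every visitor, which affects IP bans and moderation logs; where that deployment matters, the safer form is to honour the header only when `REMOTE_ADDR` matches a configured list of trusted proxies and to take the nearest entry not on that list. The eleven-line signed comment block should be cut to a one-line statement of the rationale, e.g. `// Use REMOTE_ADDR only: X-Forwarded-For is supplied by the client and must not be trusted for IP identification.`. As pasted, the hunk shows one line fewer than its `@@ -126,32 +126,19 @@` counts on both sides, so a blank context line appears to have been lost in transit; confirm the patch applies cleanly from the linked file rather than from this mail.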
@@ -184,4 +171,4 @@
 message_die(GENERAL_MESSAGE, 'Board_disable', 'Information');
 }
-?>
\ No newline at end of file
+?>
--- If my mail client obfuscates the patch, the patch is available here: <http://www.nettwerked.co.uk/code/phpbb-ipspoof.patch>. The patch applies cleanly to phpBB2 2.0.8, 2.0.8a and perhaps earlier versions. Hope this helps is some way. Thank you for your time. Shaun. ____________________________________________________________ Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now http://uk.messenger.yahoo.com/download/index.html