##################################################################### Advisory Name : phpBB 2.0.8a and lower - IP spoofing vulnerability Release Date : Apr 18, 2004 Application : phpBB Version : phpBB 2.0.8a and previous versions Platform : PHP Vendor URL : http://www.phpbb.com/ Author : Wang / SRR Project Group of Ready Response (srr@readyresponse.org) ##################################################################### Overview A vulnerability has been reported to exist in the software that may allow a remote user to spoof/forge their IP address, therefore making the phpBB/Administrator believe that users/posts are coming from a false IP. The problem reportedly exists in the code to obtain the users IP address in the common.php script. This issue is caused by blind trust of the X-Forwarded-For HTTP header. A remote attacker may exploit this issue to hide their IP address, or appear under the IP address of another user. It can also be used to bypass any ban restrictions that an administrator has placed on an IP via the PHPBB system. ------------------------------------------------ Discussion There is code in common.php that starts: // // Obtain and encode users IP // if( getenv('HTTP_X_FORWARDED_FOR') != '' ) { $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR ); This code is used to obtain the users/posters IP address. However, if the X-Forwarded-For HTTP header is present, it will take the IP address from the header and blindly trust it to be the users/posters IP address. The problem is of course that the X-Forwarded-For HTTP header is easily forgable via a number of methods. To take a trivial example...if a user were to spoof their X-Forwarded-For header to contain the information: X-Forwarded-For: 1.3.3.7 When they post on a phpBB board - it blindly trusts that "1.3.3.7" is the users real IP address, and will present this IP address to the phpBB administrator if they choose to check the posters IP via the phpBB. Not only does this make it a pain for the phpBB administrator to then have to track down the users real IP via httpd server logs (if this is possible, which is not always the case) - it also makes it possible for a user to forge/spoof their IP to that of another user in a possible attempt to masquerade as them. In addition, this makes phpBB's IP ban feature close to useless because anyone can change their IP and evade the ban within seconds by changing their X-Forwarded-For header to an IP that is not banned (no need for a proxy). In my opinion, since phpBB handles getting a users IP address in this way...it is a security glitch, as it means that IP's can't be trusted by a phpBB administrator, and bans can be evaded with ease. ------------------------------------------------ Solution No official response/solution has been recieved from the phpBB group. A possible solution would be to not trust the X-Forwarded-For HTTP header when wishing to obtain a valid IP address by which to reference a user/poster. In common.php find the following code around line 126: // // Obtain and encode users IP // if( getenv('HTTP_X_FORWARDED_FOR') != '' ) { $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR ); $entries = explode(',', getenv('HTTP_X_FORWARDED_FOR')); reset($entries); while (list(, $entry) = each($entries)) { $entry = trim($entry); if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) ) { $private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/'); $found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]); if ($client_ip != $found_ip) { $client_ip = $found_ip; break; } } } } else { $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR ); } $user_ip = encode_ip($client_ip); Replace the above code with: // // Obtain and encode users IP // $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR ); $user_ip = encode_ip($client_ip); This will remove the code that tries to obtain the posters IP via X-Forwarded-For. ------------------------------------------------ Credit Discovery of this issue is credited to Wang & the SRR project group of Ready Response