Comments on: Faking the unexpected

By: Gareth Heyes

Gareth Heyes — Fri, 11 Apr 2008 10:18:16 +0000

Yeah Stefan rocks
He has a book? Is it in English? I’d be interested if you could provide a link.

By: Handy

Handy — Thu, 10 Apr 2008 23:31:10 +0000

Nice example. Stefan Esser describes this problem very good in his book about PHP security. By the way, he is the guy, who worked in the PHP Security Response Team.

By: zhaiduo

zhaiduo — Wed, 05 Dec 2007 05:44:49 +0000

yep, you are right!

By: Gareth Heyes

Gareth Heyes — Mon, 03 Dec 2007 09:06:38 +0000

@Jack

You need to filter all user supplied data including User-agent etc and I have mentioned many times before how to do this. The article was to highlight the amount of times I’ve seen PHP code with just $userip = $_SERVER['HTTP_X_FORWARDED_FOR']; and blindly trusting it.

By: Jack

Jack — Mon, 03 Dec 2007 08:47:17 +0000

Hello,

This article is very good, but gives no viable alternative. Why ?

Jack

By: Gareth Heyes

Gareth Heyes — Sun, 02 Dec 2007 19:58:18 +0000

@Awesome AnDrEw

You must be feeling smug right now

I wonder how many feel sick

By: Skip Chris

Skip Chris — Sun, 02 Dec 2007 19:45:08 +0000

In my limited ‘developer’ way, rather than as a webappsec professional, this is one of those things I see all the time, the key culprit being _SERVER['PHP_SELF']… :S

Another common one (though a bit more obvious and less related to this post) is something along the lines of:
http://www.example.org/controller/action
—>

By: Andrew MacFie

Andrew MacFie — Sun, 02 Dec 2007 18:20:27 +0000

I think accepting ‘HTTP_X_FORWARDED_FOR’ or ‘REMOTE_ADDR’ values as ultimately correct identifiers for end users is clearly a different problem than failing to perform output validation on user-supplied data. ‘HTTP_X_FORWARDED_FOR’ and other HTTP headers are of course trivial to spoof, and there is irony in the perceived extra level of security that checking for proxied users appears to provide. If this information is really required, the developer might want to have a look at some Metasploit Project research (hxxp://metasploit.com/research/misc/decloak/).

Outputting unfiltered user input is always bad, as shown, but trusting HTTP headers as always legitimate values is far too tempting and a more commonly overlooked source of vulnerability than, say, query strings.

By: Awesome AnDrEw

Awesome AnDrEw — Sun, 02 Dec 2007 16:08:50 +0000

I choose the latter option, and sanitize all user-input and headers.

By: kourge

kourge — Sun, 02 Dec 2007 15:58:53 +0000

Clever! This can almost certainly attack sites that display the user’s user agent such…