Validity of $_SERVER['REMOTE_ADDR']

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Validity of $_SERVER['REMOTE_ADDR']

Post by Jenk »

I did search, but came across a problem with searching as seen by my thread in suggestions..

I am seeking information on why we (as php developers) shouldn't trust $_SERVER['REMOTE_ADDR'], and using IP's in general.

I've got a few reasons, and have been asked to prove 'evidence' for one or two of them:

- some webservers do not pass this information to PHP, thus it is not available at all. (CLI installations do not have this variable for example)

- It can be spoofed. On a relative scale, a lot easier than spoofing packets. (this is what I am needing more info on)

- There are legitimate reasons for users not using the same IP everytime (dynamic IP's) and possible collisions with other users (proxies, traffic routing etc.)

Any info much appreciated :)
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

#2 is fulfilled via proxies, so to speak. Legitimate spoofing, but I consider it spoofing none-the-less. Actual spoofing simply involves adding code to your network layer or exploiting readily available tools. Granted, the tools are legitimate for security and networking professionals. It's easier to do this under non-Windows systems in my experience, but is still possible to do over Windows.

The major reason is #3, it is impossible (without help from the IP provider) to even possibly narrow down who the IP is. At best, filtering based on IP is only a bandaid and penializes legitimate users too much to be a "Good solution."
deleet
Forum Commoner
Posts: 28
Joined: Thu Mar 23, 2006 10:05 am

Post by deleet »

Discussing the last point of your post, there are inumerous reasons for users to have different IP addresses. A most common and simple example are free hostnames.

There are countless free hostnames on the internet so you will never be able to be certain that that hostname belongs to one user and one user alone. It can be shared easily with other people and / or can be a hostname of a LAN connection (where there are several computers)

Also, in case I have a dynamic IP address, I can have the IP 82.127.65.84 right now, but when I disconnect and my neighbour connects, there is a chance that he'll get the IP 82.127.65.84.

Those two reasons alone should be more than enough for you not to trust $_SERVER['REMOTE_ADDR'] for providing sensitive information, unless you control the environment of you application (such as a LAN where you know all of the IP's of every computer and that those cannot be changed). You can however use them for non-sensitive information such as logging, etc.

I do not know if it is possible to change the IP address provided to PHP in order to execute code or cause an exploit.

I don't know much about this but I hope this helps.
User avatar
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Thank you both very much :)
User avatar
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

1) cli is not meant for webservers
http://de2.php.net/manual/en/features.commandline.php wrote:CLI which means Command Line Interface. As the name implies, this SAPI type main focus is on developing shell (or desktop as well) applications with PHP.
2) ...
3) e.g. see http://en.wikipedia.org/wiki/Wikipedia: ... OL_vandals
Post Reply