How to fake $_SERVER[‘REMOTE_ADDR’] variable?

by

I assume that you mean faking it remotely. The short answer is yes you can. The long answer about how easy it is depends on how you want to fake it.

If you don’t care about receiving a response, it’s as trivial as opening a raw socket to the destination and forging the source IP address. I’m not sure if it’s really easy to do in PHP since all of PHP’s socket implementations are at or above the TCP level. But I’m sure it’s possible. Now, since you’re not in control of the network, the response will not go back to you. So that means that you cannot (reliably anyway) create a TCP connection via a trivial forged TCP header (since the syn-ack does prevent this by requiring two-way communication).

However, if you can compromise the gateway the IP is off of, you can do whatever you’d like. So if you compromise the wifi router a computer is connected to, you can pretend to be that computer, and the server won’t tell the difference. If you compromise the ISP’s outbound router, you can (in theory at least) pretend to be the computer and the server won’t tell the difference.

For some more info, see these following links:

However, you will only be able to forge the 127.0.0.1 loopback address under TCP if you actually compromise the local machine/server. And at that point does it really matter?

Important

If you’re using a framework to access this information, be absolutely sure that it does not check the X-HTTP-FORWARDED-FOR header! Otherwise it’s trivial to fake the IP address. For example, if you’re using Zend Framework’s Zend_Controller_Request_Http::getClientIp method, be absolutely sure that you pass false as the parameter! Otherwise someone just needs to send an HTTP header: X-Http-Forwarded-For: 127.0.0.1 and they now appear to be local! This is one case where using a framework without understanding how it works in the backend can really be bad…

Edit: Relevant

I wrote a blog post recently about how I stumbled across a vulnerability in StackOverflow’s application. It’s very relevant here, since it exploits a very similar mechanism to what this question is looking for (although the circumstances around it are somewhat narrow):

How I Hacked StackOverflow

More Related Contents:

  1. Are PDO prepared statements sufficient to prevent SQL injection?
  2. Why would one omit the close tag?
  3. Reference: What is a perfect code sample using the MySQL extension? [closed]
  4. How do you Encrypt and Decrypt a PHP String?
  5. The ultimate clean/secure function
  6. Exploitable PHP functions
  7. Two-way encryption: I need to store passwords that can be retrieved
  8. Preventing Directory Traversal in PHP but allowing paths
  9. What is the best way to stop people hacking the PHP-based highscore table of a Flash game
  10. Secure random number generation in PHP
  11. SQL injections in ADOdb and general website security
  12. PHP image upload security check list
  13. Generating cryptographically secure tokens
  14. Which $_SERVER variables are safe?
  15. How to best store user information and user login and password
  16. What do I need to store in the php session when user logged in?
  17. PHP setcookie “SameSite=Strict”?
  18. Magic quotes in PHP
  19. Is it ever ok to store password in plain text in a php variable or php constant?
  20. How do you set up use HttpOnly cookies in PHP
  21. Fastest hash for non-cryptographic uses?
  22. Best way to avoid code injection in PHP
  23. Using PHP/Apache to restrict access to static files (html, css, img, etc)
  24. Is it secure to store a password in a session? [duplicate]
  25. Secure and Flexible Cross-Domain Sessions
  26. What security problems could come from exposing phpinfo() to end users?
  27. Can a client view server-side PHP source code?
  28. Check if http request comes from my android app
  29. Sanitize file path in PHP
  30. Proper session hijacking prevention in PHP

Leave a Comment