Bug #38248 PHP ip2long() function circumvention
Submitted: 2006-07-29 09:04 UTC Modified: 2006-07-29 15:11 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: rgod at autistici dot org Assigned:
Status: Not a bug Package: *Network Functions
PHP Version: 5.1.4 OS: all
Private report: No CVE-ID: None

 

 [2006-07-29 09:04 UTC] rgod at autistici dot org
Description:
------------
--- PHP ip2long() function circumvention --------------------------------------

tested on php 5.0.2
	   "  4.3.3
--------------------------------------------------------------------------------
after some tests on the miniBB application (http://www.minibb.net/) I found that
the php ip2long() function can be tricked into returning a valid IPv4 Internet
network address instead of "-1" even if the ip address argument is not a valid
one, through the injection of some chars, ex:

<?php
 for ($i=0; $i<=255; $i++)
 {
  echo $i.":".ip2long("1.1.1.1".chr($i)."'or'a'='a'/*")."\r\n";
 }
?>

when chr($i) is chr(0), chr(9), chr(10), chr(11), chr(12), chr(13) or chr(32)

it gives the following (valid) result:

16843009

in the minibb case this could result in sql injection, forging a header like this:

X-FORWARDED-FOR: 1.1.1.1[CHR(9)]'[SQL CODE]

or even like this:

X-FORWARDED-FOR: 1[CHR(9)]'[SQL CODE]

(however MiniBB limits the string to 15 chars so you will have an unuseful twelve
chars sql injection...)
also remember that HTTP headers are not filtered by PHP magic_quotes_gpc, so this
could give an attacker the way to fully compromise an application

code taken from MiniBB 2.0
index.php, 248-264
/* Banned IPs/IDs stuff */
$thisIp=getIP();                      //<--------------------- here $thisIp becomes our sql code
$cen=explode('.', $thisIp);

if(isset($cen[0]) and isset($cen[1]) and isset($cen[2])){
$thisIpMask[0]=$cen[0].'.'.$cen[1].'.'.$cen[2].'.+';
$thisIpMask[1]=$cen[0].'.'.$cen[1].'.+';
}
else {
$thisIpMask[0]='0.0.0.+';
$thisIpMask[1]='0.0.0.+';
}

if (db_ipCheck($thisIp,$thisIpMask,$user_id)) { //<-----------  $thisIp is passed to the db_ipCheck() function
$title=$sitename." :: ".$l_accessDenied;
echo ParseTpl(makeUp('main_access_denied')); exit;
}

bb_functions.php, near lines 123-131
//--------------->
function getIP(){
$ip1=getenv('REMOTE_ADDR');$ip2=getenv('HTTP_X_FORWARDED_FOR');
if ($ip2!='' and ip2long($ip2)!=-1) $finalIP=$ip2; else $finalIP=$ip1; //<-- vulnerable code
$finalIP=substr($finalIP,0,15);
return $finalIP;
}

//--------------->

setup_mysql.php, near lines 99-105:

function db_ipCheck($thisIp,$thisIpMask,$user_id){
$res=mysql_query('select id from '.$GLOBALS['Tb'].' where
banip='."'".$thisIp."'".' or banip='."'".$thisIpMask[0]."'".' or
banip='."'".$thisIpMask[1]."'".' or banip='."'".$user_id."'"); //<--- sql injection
echo mysql_error();
if($res and mysql_num_rows($res)>0) return TRUE; else return FALSE;
}

--------------------------------------------------------------------------------
1.05 29/07/2006
rgod
http://retrogod.altervista.org/php_ip2long.html
--------------------------------------------------------------------------------
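
Added example (not part of the original report, and not MiniBB or PHP project code): a hardened counterpart to the getIP() / db_ipCheck() pair quoted above, which accepts X-Forwarded-For only when the whole string is a dotted-quad IPv4 address and passes it to the database as a bound parameter. The function names, the "bans" table, the sample addresses and the in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
// Added example, not MiniBB or PHP project code. strictIpv4(), clientIp(),
// ipIsBanned() and the "bans" table are hypothetical names.

// Return the address only if the WHOLE string is a dotted-quad IPv4 address.
function strictIpv4(string $candidate): ?string
{
    $ip = filter_var($candidate, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

// Same fallback order as getIP() in the report. X-Forwarded-For remains
// client-supplied, so the result is still untrusted data.
function clientIp(array $server): string
{
    $forwarded = strictIpv4($server['HTTP_X_FORWARDED_FOR'] ?? '');
    return $forwarded ?? ($server['REMOTE_ADDR'] ?? '');
}

// Bound parameter: the value never becomes part of the SQL text.
function ipIsBanned(PDO $db, string $ip): bool
{
    $stmt = $db->prepare('SELECT id FROM bans WHERE banip = ?');
    $stmt->execute([$ip]);
    return $stmt->fetchColumn() !== false;
}

// Constructed data: in-memory SQLite (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bans (id INTEGER PRIMARY KEY, banip TEXT)');
$db->exec("INSERT INTO bans (banip) VALUES ('10.0.0.5')");

// The separator bytes listed in the report, followed by the report's suffix.
foreach ([0, 9, 10, 11, 12, 13, 32] as $byte) {
    $header = '1.1.1.1' . chr($byte) . "'or'a'='a'/*";
    $ip = clientIp(['HTTP_X_FORWARDED_FOR' => $header, 'REMOTE_ADDR' => '192.0.2.7']);
    printf("chr(%d): used=%s banned=%s\n", $byte, $ip, var_export(ipIsBanned($db, $ip), true));
}

// Even if validation were skipped, the bound parameter matches no row.
var_dump(ipIsBanned($db, "1.1.1.1\t'or'a'='a'/*"));
// A well-formed banned address is still found.
var_dump(ipIsBanned($db, clientIp(['HTTP_X_FORWARDED_FOR' => '10.0.0.5'])));
```

The two controls are independent: the strict format check keeps malformed header values out of application logic, and the bound parameter keeps any value that does get through from being interpreted as SQL.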





 [2006-07-29 09:06 UTC] rgod at autistici dot org
confirmed even on 5.1.4
 [2006-07-29 15:11 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

inet_addr() is not binary safe.
 