php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #66676 $_SERVER['REMOTE_ADDR'] insecure
Submitted: 2014-02-09 06:12 UTC Modified: 2014-05-12 13:00 UTC
From: hj at BridgeportContractor dot com Assigned:
Status: Not a bug Package: Apache related
PHP Version: 5.4.25 OS: windows 7, x64 and *nix
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: hj at BridgeportContractor dot com
New email:
PHP Version: OS:

 

 [2014-02-09 06:12 UTC] hj at BridgeportContractor dot com
Description:
------------
REMOTE_ADDR is not to be trusted.  

Can you get the server's IP from the tcp exchange rather than from the http exchange?

I recently logged '183.60..244.37' from $_SERVER['REMOTE_ADDR'] from an attack http request on my hosing server.  This is clearly not a valid IP address.  A little research and I have found that others too say to not trust REMOTE_ADDR from $_SERVER in php.  

I think PHP needs a trustworthy replacement, as this is the only way to log http accesses.

See also: http://serverfault.com/questions/574239/double-dots-in-otherwise-valid-ip4-addreses-e-g-183-60-244-37/574245?noredirect=1#comment669478_574245

Thanks for all of your work guys.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-02-09 06:34 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2014-02-09 06:34 UTC] requinix@php.net
1. REMOTE_ADDR comes through CGI. PHP does not determine its value.
2. It does, in fact, come from "the TCP exchange" and not "the HTTP exchange".
3. I don't know where you're looking but *I* am seeing people confirm that it is safe. It can be forged to varying degrees of usability, and that may be the untrustworthiness you've heard about, but the value is inherently a valid IPv4/6 address.

So I'm going to mark this as needing feedback and you can continue looking into why you got that in your log?
 [2014-05-12 13:00 UTC] ab@php.net
-Status: Feedback +Status: Not a bug
 [2014-05-12 13:00 UTC] ab@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

@hg, as @requinix mentioned, IPs only matter on TCP level. Any IP information is available after the TCP exchange and can't be affected neither by PHP, nor by any web server, nor by anything else on your server. Furthermore - an IP iddress can theoretically be spoofed, especially from the LAN. Here you can read more about it,

http://stackoverflow.com/questions/4773969/is-it-safe-to-trust-serverremote-addr

So after all, it lays on much deeper level than PHP. The client IP is as reliable as the infrastructure/environment is.

Thanks
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 03:01:28 2024 UTC