Bug #38248 PHP ip2long() function circumvention
Submitted: 2006-07-29 09:04 UTC Modified: 2006-07-29 15:11 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: rgod at autistici dot org Assigned:
Status: Not a bug Package: *Network Functions
PHP Version: 5.1.4 OS: all
Private report: No CVE-ID: None


 [2006-07-29 09:04 UTC] rgod at autistici dot org
--- PHP ip2long() function circumvention --------------------------------------

tested on php 5.0.2
	   "  4.3.3
after some test on miniBB application ( I obtained that
the php ip2long() function can be tricked to return a valid IPv4 Internet
network address instead of "-1" even if the ip address argument is not a valid
one, through the injection of some chars, ex:

 for ($i=0; $i<=255; $i++)
  echo $i.":".ip2long("".chr($i)."'or'a'='a'/*")."\r\n";

when chr($i) is chr(0), chr(9), chr(10), chr(11), chr(12), chr(13) or chr(32)

it gives the following (valid) result:


in the minibb case this could result in sql injection, forging a header like this:


or even like this:


(however Minibb limits the string to 15 chars, so you will have a useless
twelve-char sql injection...)
also remember that HTTP headers are not filtered by PHP magic_quotes_gpc, so this
could give an attacker a way to fully compromise an application

code taken from MiniBB 2.0
index.php, 248-264
/* Banned IPs/IDs stuff */
$thisIp=getIP(); //<--------------------- here $thisIp becomes our sql code
$cen=explode('.', $thisIp);

if(isset($cen[0]) and isset($cen[1]) and isset($cen[2])){
else {

if (db_ipCheck($thisIp,$thisIpMask,$user_id)) { //<-----------  $thisIp is passed to the db_ipCheck() function
$title=$sitename." :: ".$l_accessDenied;
echo ParseTpl(makeUp('main_access_denied')); exit;

bb_functions.php, near lines 123-131
function getIP(){
if ($ip2!='' and ip2long($ip2)!=-1) $finalIP=$ip2; else $finalIP=$ip1; //<-- vulnerable code
return $finalIP;


setup_mysql.php, near lines 99-105:

function db_ipCheck($thisIp,$thisIpMask,$user_id){
$res=mysql_query('select id from '.$GLOBALS['Tb'].' where
banip='."'".$thisIp."'".' or banip='."'".$thisIpMask[0]."'".' or //<--- sql injection
banip='."'".$thisIpMask[1]."'".' or banip='."'".$user_id."'");
echo mysql_error();
if($res and mysql_num_rows($res)>0) return TRUE; else return FALSE;

1.05 29/07/2006


 [2006-07-29 09:06 UTC] rgod at autistici dot org
confirmed even on 5.1.4
 [2006-07-29 15:11 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

inet_addr() is not binary safe.
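
An added example (not MiniBB's or the PHP project's code) of the two defences this report points at: use the header value only when the entire string is a dotted-quad IPv4 address, and bind it as a query parameter instead of concatenating it into the SQL. It assumes PDO with the sqlite driver; the `banned` table, the function names and the sample addresses are hypothetical.

```php
<?php
// Added example, not MiniBB or PHP project code.
// Assumptions: PDO with the sqlite driver; table, column and function names are hypothetical.

/** Return $s only if it is exactly a dotted-quad IPv4 address, else null. */
function strict_ipv4(string $s): ?string
{
    // FILTER_VALIDATE_IP checks the whole string byte by byte: no leading
    // whitespace, no NUL byte, no trailing data after the last octet.
    $ok = filter_var($s, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ok === false ? null : $ok;
}

/** Ban lookup with a bound parameter, so the value never becomes SQL text. */
function ip_is_banned(PDO $db, string $ip): bool
{
    $st = $db->prepare('SELECT 1 FROM banned WHERE banip = ?');
    $st->execute([$ip]);
    return $st->fetchColumn() !== false;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE banned (banip TEXT)');
$db->exec("INSERT INTO banned VALUES ('10.0.0.5')");

// Constructed stand-in for the fallback address ($ip1 in the getIP() excerpt).
$fallbackAddr = '192.0.2.10';

// Constructed header values: one valid address, two padded variants, and the
// report's test strings (each listed byte followed by the quote payload).
$candidates = ['10.0.0.5', '10.0.0.5 ', ' 10.0.0.5'];
foreach ([0, 9, 10, 11, 12, 13, 32] as $c) {
    $candidates[] = chr($c) . "'or'a'='a'/*";
}

foreach ($candidates as $header) {
    // The header is used only if it validates; otherwise fall back.
    $ip = strict_ipv4($header) ?? $fallbackAddr;
    printf("%-24s -> %-11s banned=%s\n",
        json_encode($header), $ip, ip_is_banned($db, $ip) ? 'yes' : 'no');
}
```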
Last updated: Sat Apr 10 15:01:23 2021 UTC