Request #66676 $_SERVER['REMOTE_ADDR'] insecure
Submitted: 2014-02-09 06:12 UTC Modified: 2014-05-12 13:00 UTC
From: hj at BridgeportContractor dot com Assigned:
Status: Not a bug Package: Apache related
PHP Version: 5.4.25 OS: windows 7, x64 and *nix
Private report: No CVE-ID: None
 [2014-02-09 06:12 UTC] hj at BridgeportContractor dot com
Description:
------------
REMOTE_ADDR is not to be trusted.  

Can you get the server's IP from the tcp exchange rather than from the http exchange?

I recently logged '183.60..244.37' from $_SERVER['REMOTE_ADDR'] from an attack http request on my hosting server.  This is clearly not a valid IP address.  A little research and I have found that others too say to not trust REMOTE_ADDR from $_SERVER in php.  

I think PHP needs a trustworthy replacement, as this is the only way to log http accesses.

See also: http://serverfault.com/questions/574239/double-dots-in-otherwise-valid-ip4-addreses-e-g-183-60-244-37/574245?noredirect=1#comment669478_574245

Thanks for all of your work guys.


 [2014-02-09 06:34 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2014-02-09 06:34 UTC] requinix@php.net
1. REMOTE_ADDR comes through CGI. PHP does not determine its value.
2. It does, in fact, come from "the TCP exchange" and not "the HTTP exchange".
3. I don't know where you're looking but *I* am seeing people confirm that it is safe. It can be forged to varying degrees of usability, and that may be the untrustworthiness you've heard about, but the value is inherently a valid IPv4/6 address.

So I'm going to mark this as needing feedback and you can continue looking into why you got that in your log?
 [2014-05-12 13:00 UTC] ab@php.net
-Status: Feedback +Status: Not a bug
 [2014-05-12 13:00 UTC] ab@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

@hj, as @requinix mentioned, IPs only matter on the TCP level. Any IP information is available after the TCP exchange and can't be affected by PHP, by any web server, or by anything else on your server. Furthermore, an IP address can theoretically be spoofed, especially from the LAN. Here you can read more about it:

http://stackoverflow.com/questions/4773969/is-it-safe-to-trust-serverremote-addr

So after all, it lies on a much deeper level than PHP. The client IP is as reliable as the infrastructure/environment is.

Thanks
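As an added example that is not part of this thread: the replies above draw the line between REMOTE_ADDR, which the web server fills in from the TCP connection, and anything carried in HTTP headers, which the client controls. The PHP below (PHP 7.1+ assumed; the proxy addresses and sample requests are made up) logs a value only when it is syntactically an IP address, and consults X-Forwarded-For only when the TCP peer is a proxy the operator runs.

```php
<?php
// Added example, not code from the bug thread or from PHP itself.

/**
 * Return the client IP to log, or null when no trustworthy value exists.
 *
 * $server is a $_SERVER-like array; $trustedProxies lists the addresses
 * (hypothetical) of reverse proxies we operate and whose X-Forwarded-For
 * header we are therefore willing to read.
 */
function clientIp(array $server, array $trustedProxies = []): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;
    // REMOTE_ADDR is derived from the TCP peer address by the web server /
    // CGI layer. A string that is not a valid IPv4/IPv6 address cannot have
    // come from there, so treat it as a logging or infrastructure fault.
    if ($remote === null || filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // X-Forwarded-For is an HTTP header: any client can send one. Read it
    // only when the TCP peer is one of our own proxies, and then walk it
    // from the right, skipping our proxies, to find the last untrusted hop.
    if (in_array($remote, $trustedProxies, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (in_array($hops[$i], $trustedProxies, true)) {
                continue;
            }
            // A forged or malformed hop is rejected rather than logged.
            return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : null;
        }
    }
    return $remote;
}

// Constructed sample requests (not real log data); 10.0.0.1 and 10.0.0.2
// play the role of our own reverse proxies.
$trusted = ['10.0.0.1', '10.0.0.2'];
$cases = [
    // Direct connection: REMOTE_ADDR is used as-is.
    ['REMOTE_ADDR' => '198.51.100.7'],
    // Malformed value like the one in the report: cannot be a TCP peer address.
    ['REMOTE_ADDR' => '183.60..244.37'],
    // Header sent by a direct client: ignored because the peer is not our proxy.
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'],
    // Request relayed through both proxies: the right-most untrusted hop wins.
    ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 10.0.0.1'],
];
foreach ($cases as $s) {
    var_dump(clientIp($s, $trusted));
}
```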