Bugtraq mailing list archives
Re: Problem With IP Logging In Invision Power Board?
From: Brian Dessent <brian () dessent net>
Date: Wed, 16 Jun 2004 19:03:58 -0700
GulfTech Security wrote:
> IPB, like many other forum systems, logs visitors' IPs. However, I have noticed in the past that people who are surfing through some proxies have their internal (private) IP logged instead of their "real" IP address. Here are a few screenshots I took of my LAN IP being logged instead of my internet IP:
>
> http://images.gulftech.org/ipb_1.png
> http://images.gulftech.org/ipb_2.png
>
> As far as I can tell it is using the X_FORWARDED_FOR IP, which might be a good thing as it could get the IP of a person using a non-anonymous proxy or the like to cause some mischief, but it should definitely check for private IPs and if it finds one present go with the REMOTE_ADDR IP instead, or something different, because IPs of private networks are pretty much useless to admins etc. I have not taken time to look at the code responsible for this behavior, but I did contact Invision a while back and was basically told to purchase a license if I wanted technical support. Hmmmmm, great response :P
>
> BTW, the particular IPB version I have experienced this behavior on is the latest 1.3 release.
Yes, IPB trusts that header more than it should. It's not so much a bug but rather an extremely poor design decision. On one hand it means that *some* cases of someone using a proxy will be revealed, but on the other hand it means that anyone with the appropriate knowledge can stick anything in that field, rendering the logs completely worthless and untrustable. For example:

    wget --header="X-Forwarded-For: 0.0.0.0" http://example.com/board/index.php

The end user can insert any IP address he wishes into the IPB logs for all of his actions, and IPB dutifully records it. People seem to forget that all HTTP headers are user-supplied data.

Brian
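The two messages above describe the two halves of the problem: the header sometimes carries a private LAN address that is useless in a log (GulfTech's report), and since it is client-supplied it can carry anything at all (Brian's wget example). The following is an added example, not IPB's code and not written by either poster, showing how a forum would derive a loggable address defensively: X-Forwarded-For is consulted only when REMOTE_ADDR is one of the site's own reverse proxies (the `trusted_proxies` parameter is an assumption of this example), the chain is walked from the right so that only hops appended by those proxies count, and a private or unroutable hop falls back to REMOTE_ADDR as GulfTech suggested. The request values in the demo are constructed; RFC 5737 documentation ranges stand in for public addresses.

```python
"""Derive a loggable client address from REMOTE_ADDR and X-Forwarded-For.

Added example (not IPB code). The header is trusted only when the TCP peer
is one of our own reverse proxies, and a private/unroutable hop is never
logged as the client address.
"""
import ipaddress
from typing import Iterable, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Ranges that are useless in a log (the LAN-address case) or that a client
# might supply to pollute it (the "0.0.0.0" example above).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def _parse(addr: str) -> Optional[IPAddr]:
    """Return an address object, or None for anything that is not an IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _in_any(ip: IPAddr, nets) -> bool:
    # `in` is False across IP versions, so a mixed v4/v6 list is safe.
    return any(ip in n for n in nets)


def client_ip(remote_addr: str, forwarded_for: Optional[str] = None,
              trusted_proxies: Iterable[str] = ()) -> str:
    """Return the address to log for this request.

    remote_addr      the TCP peer (PHP's REMOTE_ADDR); always a real address
    forwarded_for    raw X-Forwarded-For header value, if any
    trusted_proxies  CIDRs of reverse proxies *we* operate (hypothetical
                     configuration input, not an IPB setting)
    """
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError(f"REMOTE_ADDR is not an IP address: {remote_addr!r}")
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    # All HTTP headers are user-supplied: unless the peer is our own proxy,
    # X-Forwarded-For was written by the client and is ignored outright.
    if not forwarded_for or not _in_any(peer, trusted):
        return str(peer)

    # Each proxy appends the peer address it saw, so the rightmost entries
    # are the ones our own proxies wrote. Walk right-to-left and stop at the
    # first hop we did not add ourselves.
    for hop in reversed(forwarded_for.split(",")):
        ip = _parse(hop)
        if ip is None:
            break                      # malformed chain: stop trusting it
        if _in_any(ip, trusted):
            continue                   # one of ours, keep walking
        if not _in_any(ip, NON_ROUTABLE):
            return str(ip)             # first untrusted, routable hop
        break                          # private/unroutable: nothing better

    # Fall back to the peer. Behind our own proxy this is the proxy's
    # address, which is at least truthful, unlike the header contents.
    return str(peer)


if __name__ == "__main__":
    # Constructed requests; documentation ranges stand in for public IPs.
    # Direct client spoofing the header (Brian's wget case): header ignored.
    print(client_ip("203.0.113.7", "0.0.0.0"))                              # 203.0.113.7
    # Same spoof, but the board sits behind its own proxy at 10.0.0.5.
    print(client_ip("10.0.0.5", "0.0.0.0, 198.51.100.20", ["10.0.0.5/32"]))  # 198.51.100.20
    # Corporate proxy leaked a LAN address and our proxy appended nothing.
    print(client_ip("10.0.0.5", "192.168.1.10", ["10.0.0.5/32"]))          # 10.0.0.5
```

Two design points are worth noting. Without a trusted-proxy list the header is never read, which is the correct default for a board that receives connections directly, because nothing distinguishes a header added by a well-behaved corporate proxy from one added by the client. With a list, the right-to-left walk means a client-supplied value is always to the left of the hop our proxy appended, so the spoofed entry is never reached.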
Current thread:
- Problem With IP Logging In Invision Power Board? GulfTech Security (Jun 16)
- Re: Problem With IP Logging In Invision Power Board? Brian Dessent (Jun 18)