I have a situation where I am opening a file based on the $_SERVER['REMOTE_USER'] variable. I don't think this is spoof-able but would just like to confirm. I do not want to make myself vulnerable to the reading of arbitrary files:
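<?php
// Username as provided in the server variable
$user = $_SERVER['REMOTE_USER'];
// The username is interpolated directly into the path that is opened
$fp = fopen("./$user.png", "r");
?>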
But given your code, you might actually be more interested in whether the value in $_SERVER['REMOTE_ADDR'] could be spoofed. While most assume that this is the source IP address of the client, it can actually be different from the real source IP of the HTTP connection, and it might even be manipulable by an attacker.
HTTP is a protocol on top of TCP and doing IP spoofing with TCP is nearly impossible due to the internals of the protocol.
YOU send TCP SYN with spoofed IP. SERVER responds with SYN-ACK to that IP and waits for an ACK, Data packet back from that IP. End of conversation! Your TCP stack would only send the SYN packet and the remote system would attempt to send a SYN-ACK packet back to the spoofed IP you sent.
As I understand it, REMOTE_ADDR is the address of the client that the server is talking to - so spoofing that variable (if possible) might allow someone to send data to the server but the spoofer would not be able to read data returned from the server.
Yes, that username is whatever is specified by the remote user.
You need to verify the password as well. If the password is verified by your server, and not your application, then you are probably okay.
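An added example, not part of the original question or answers: one way to build and check the per-user image path so that an unexpected REMOTE_USER value cannot reach a file outside the image directory. The helper name `user_image_path`, the username pattern and the temporary demo directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Resolve "<user>.png" inside $baseDir, or return null when the value
 * could lead outside that directory. (Hypothetical helper, not from the page.)
 */
function user_image_path(?string $remoteUser, string $baseDir): ?string
{
    // Missing or empty: treat the request as unauthenticated.
    if ($remoteUser === null || $remoteUser === '') {
        return null;
    }
    // Assumed policy: short names of letters, digits, "_" and "-" only.
    // This rejects "/", "\", "..", NUL bytes and wrappers such as "php://".
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $remoteUser) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $remoteUser . '.png');
    if ($base === false || $path === false) {
        return null; // directory or image does not exist
    }
    // Defence in depth: after symlinks are resolved, stay inside $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data: a temporary directory holding one image.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avatars_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'alice.png', 'constructed sample bytes');

// Constructed candidate values, as they might arrive in REMOTE_USER.
foreach (['alice', '../../etc/passwd', "alice\0", 'php://filter/x', '', 'bob'] as $candidate) {
    $resolved = user_image_path($candidate, $dir);
    printf("%-22s => %s\n", json_encode($candidate), $resolved === null ? 'rejected' : 'ok');
}

// In the script from the question the call would be:
//   $path = user_image_path($_SERVER['REMOTE_USER'] ?? null, __DIR__);
//   $fp   = $path !== null ? fopen($path, 'r') : false;
unlink($dir . DIRECTORY_SEPARATOR . 'alice.png');
rmdir($dir);
```

Only `alice` resolves to a path; every other constructed value is rejected before `fopen` would be reached.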