The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
N/A
Threat Mapped score: 1.8
Industry: Finiancial
Threat priority: P4 - Informational (Low)
CVE: CVE-2001-0860
Product uses IP address provided by a client, instead of obtaining it from the packet headers, allowing easier spoofing.
CVE: CVE-2004-1950
Web product uses the IP address in the X-Forwarded-For HTTP header instead of a server variable that uses the connecting IP address, allowing filter bypass.
CVE: CVE-2001-0908
Product logs IP address specified by the client instead of obtaining it from the packet headers, allowing information hiding.
CVE: CVE-2006-1126
PHP application uses IP address from X-Forwarded-For HTTP header, instead of REMOTE_ADDR.
| Phase | Note |
|---|---|
| Architecture and Design | N/A |
| Implementation | N/A |
Intro: This code attempts to limit the access of a page to certain IP Addresses. It checks the 'HTTP_X_FORWARDED_FOR' header in case an authorized user is sending the request through a proxy.
Body: The 'HTTP_X_FORWARDED_FOR' header can be user controlled and so should never be trusted. An attacker can falsify the header to gain access to the page.
$requestingIP = '0.0.0.0'; if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) { $requestingIP = $_SERVER['HTTP_X_FORWARDED_FOR']; else{ $requestingIP = $_SERVER['REMOTE_ADDR']; } if(in_array($requestingIP,$ipAllowlist)){ generatePage(); return; } else{ echo "You are not authorized to view this page"; return; }