Skip to content

Commit

Permalink
fix for #524
Browse files Browse the repository at this point in the history
usually, ip addresses with multiple failed login attempts should be
blocked. An attacker could bypass this by sending an X-forwarded-for
header and change that IP with each attempt. Since REMMOTE_ADDR
is harder to fake we should first check that one and only if that one is
not set for some reason, rely on other variables.
  • Loading branch information
mrbaseman committed Nov 13, 2022
1 parent 7320043 commit d394ba3
Showing 1 changed file with 7 additions and 6 deletions.
13 changes: 7 additions & 6 deletions wbce/framework/class.login.php
Original file line number Diff line number Diff line change
Expand Up @@ -410,8 +410,13 @@ public function increase_attempts($increment = 1)
*/
private function get_client_ip()
{
$ipaddress = '';
if (isset($_SERVER['HTTP_CLIENT_IP'])) {
$ipaddress = '';
// for security reasons first check remote_addr which is more difficult to fake:
if (isset($_SERVER['REMOTE_ADDR'])) {
$ipaddress = $this->get_server('REMOTE_ADDR');
} elseif (getenv('REMOTE_ADDR')) {
$ipaddress = getenv('REMOTE_ADDR');
} elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
$ipaddress = $this->get_server('HTTP_CLIENT_IP');
} elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ipaddress = $this->get_server('HTTP_X_FORWARDED_FOR');
Expand All @@ -421,8 +426,6 @@ private function get_client_ip()
$ipaddress = $this->get_server('HTTP_FORWARDED_FOR');
} elseif (isset($_SERVER['HTTP_FORWARDED'])) {
$ipaddress = $this->get_server('HTTP_FORWARDED');
} elseif (isset($_SERVER['REMOTE_ADDR'])) {
$ipaddress = $this->get_server('REMOTE_ADDR');
} elseif (getenv('HTTP_CLIENT_IP')) {
$ipaddress = getenv('HTTP_CLIENT_IP');
} elseif (getenv('HTTP_X_FORWARDED_FOR')) {
Expand All @@ -433,8 +436,6 @@ private function get_client_ip()
$ipaddress = getenv('HTTP_FORWARDED_FOR');
} elseif (getenv('HTTP_FORWARDED')) {
$ipaddress = getenv('HTTP_FORWARDED');
} elseif (getenv('REMOTE_ADDR')) {
$ipaddress = getenv('REMOTE_ADDR');
} else {
$ipaddress = 'UNKNOWN';
}
Expand Down

0 comments on commit d394ba3

Please sign in to comment.