From d394ba39a7bfeb31eda797b6195fd90ef74b2e75 Mon Sep 17 00:00:00 2001
From: Martin Hecht
Date: Sun, 13 Nov 2022 22:15:25 +0100
Subject: [PATCH] fix for #524

usually, ip addresses with multiple failed login attempts should be blocked. An attacker could bypass this by sending an X-forwarded-for header and change that IP with each attempt. Since REMMOTE_ADDR is harder to fake we should first check that one and only if that one is not set for some reason, rely on other variables.
---
 wbce/framework/class.login.php | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/wbce/framework/class.login.php b/wbce/framework/class.login.php
index 8cee71868..325fa2643 100644
--- a/wbce/framework/class.login.php
+++ b/wbce/framework/class.login.php
@@ -410,8 +410,13 @@ public function increase_attempts($increment = 1)
  */
 private function get_client_ip()
 {
- $ipaddress = '';
- if (isset($_SERVER['HTTP_CLIENT_IP'])) {
+ $ipaddress = '';
+ // for security reasons first check remote_addr which is more difficult to fake:
+ if (isset($_SERVER['REMOTE_ADDR'])) {
+ $ipaddress = $this->get_server('REMOTE_ADDR');
+ } elseif (getenv('REMOTE_ADDR')) {
+ $ipaddress = getenv('REMOTE_ADDR');
+ } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
 $ipaddress = $this->get_server('HTTP_CLIENT_IP');
 } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
 $ipaddress = $this->get_server('HTTP_X_FORWARDED_FOR');
@@ -421,8 +426,6 @@ private function get_client_ip()
 $ipaddress = $this->get_server('HTTP_FORWARDED_FOR');
 } elseif (isset($_SERVER['HTTP_FORWARDED'])) {
 $ipaddress = $this->get_server('HTTP_FORWARDED');
- } elseif (isset($_SERVER['REMOTE_ADDR'])) {
- $ipaddress = $this->get_server('REMOTE_ADDR');
 } elseif (getenv('HTTP_CLIENT_IP')) {
 $ipaddress = getenv('HTTP_CLIENT_IP');
 } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
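Review bot: The value taken from `REMOTE_ADDR` in the new first branch is stored without validation, and if this install sits behind a reverse proxy or load balancer that address is the proxy's rather than the client's, so every visitor's failed attempts accumulate in one counter and the lockout that #524 is about would then hit all users at once. The commit does not provide a trusted-proxy setting; until one exists, consulting the forwarded headers only when `REMOTE_ADDR` is absent is the right default (under a web SAPI that is presumably rare), but the result should still be checked, e.g. after the chain `if (filter_var($ipaddress, FILTER_VALIDATE_IP) === false) { $ipaddress = 'UNKNOWN'; }` so that header-derived values such as a comma-separated X-Forwarded-For list never reach the attempt counter as-is. I would also make the new comment say why the ordering matters, e.g. `// REMOTE_ADDR is set by the web server from the TCP peer, not from a request header, so a client cannot choose it`. get_client_ip()'s body continues past this hunk into the next two hunks, which only drop the old REMOTE_ADDR branches.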
@@ -433,8 +436,6 @@ private function get_client_ip()
 $ipaddress = getenv('HTTP_FORWARDED_FOR');
 } elseif (getenv('HTTP_FORWARDED')) {
 $ipaddress = getenv('HTTP_FORWARDED');
- } elseif (getenv('REMOTE_ADDR')) {
- $ipaddress = getenv('REMOTE_ADDR');
 } else {
 $ipaddress = 'UNKNOWN';
 }