fix for #524
usually, ip addresses with multiple failed login attempts should be
blocked. An attacker could bypass this by sending an X-forwarded-for
header and change that IP with each attempt. Since REMOTE_ADDR
is harder to fake we should first check that one and only if that one is
not set for some reason, rely on other variables.
mrbaseman committed Nov 13, 2022
1 parent 7320043 commit d394ba3
Showing 1 changed file with 7 additions and 6 deletions.
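--- a/wbce/framework/class.login.php
+++ b/wbce/framework/class.login.php
@@ -410,8 +410,13 @@ public function increase_attempts($increment = 1)
 */
 private function get_client_ip()
 {
-$ipaddress = '';
-if (isset($_SERVER['HTTP_CLIENT_IP'])) {
+$ipaddress = '';
+// for security reasons first check remote_addr which is more difficult to fake:
+if (isset($_SERVER['REMOTE_ADDR'])) {
+$ipaddress = $this->get_server('REMOTE_ADDR');
+} elseif (getenv('REMOTE_ADDR')) {
+$ipaddress = getenv('REMOTE_ADDR');
+} elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
 $ipaddress = $this->get_server('HTTP_CLIENT_IP');
 } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
 $ipaddress = $this->get_server('HTTP_X_FORWARDED_FOR');
@@ -421,8 +426,6 @@ private function get_client_ip()
 $ipaddress = $this->get_server('HTTP_FORWARDED_FOR');
 } elseif (isset($_SERVER['HTTP_FORWARDED'])) {
 $ipaddress = $this->get_server('HTTP_FORWARDED');
-} elseif (isset($_SERVER['REMOTE_ADDR'])) {
-$ipaddress = $this->get_server('REMOTE_ADDR');
 } elseif (getenv('HTTP_CLIENT_IP')) {
 $ipaddress = getenv('HTTP_CLIENT_IP');
 } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
@@ -433,8 +436,6 @@ private function get_client_ip()
 $ipaddress = getenv('HTTP_FORWARDED_FOR');
 } elseif (getenv('HTTP_FORWARDED')) {
 $ipaddress = getenv('HTTP_FORWARDED');
-} elseif (getenv('REMOTE_ADDR')) {
-$ipaddress = getenv('REMOTE_ADDR');
 } else {
 $ipaddress = 'UNKNOWN';
 }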
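Review bot: Behind a reverse proxy or load balancer the new first branch, `if (isset($_SERVER['REMOTE_ADDR']))`, yields the proxy's address for every visitor, so failed attempts from all users are pooled under one IP and the lockout can be triggered against everyone at once; the old header-first order had the opposite problem this commit fixes, and neither order is right for both deployments. The usual fix is a configured list of trusted proxy addresses: use `REMOTE_ADDR` directly unless it is on that list, and only then take the rightmost entry of `X-Forwarded-For` (the one appended by the trusted proxy), which also makes the remaining `HTTP_CLIENT_IP`/`HTTP_FORWARDED*` fallbacks — still attacker-controlled, and reachable only when `REMOTE_ADDR` is absent, e.g. under the CLI SAPI — unnecessary. Whatever value is chosen should pass `filter_var($ipaddress, FILTER_VALIDATE_IP)` before it is stored or compared, since a forwarded header may carry a comma-separated list or arbitrary text; whether `get_server()` already does that is not visible here. `get_client_ip()` continues past the last hunk, so its return and any sanitising done there are not visible either.
```php
private function get_client_ip()
{
    // The direct peer is the only value the client cannot forge.
    $ipaddress = isset($_SERVER['REMOTE_ADDR']) ? $this->get_server('REMOTE_ADDR') : getenv('REMOTE_ADDR');
    // TODO: make this list a setting; leave empty when no proxy sits in front of the site.
    $trusted_proxies = array();
    if ($ipaddress !== false && in_array($ipaddress, $trusted_proxies, true) && isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // The rightmost hop was appended by the trusted proxy itself; earlier entries are client-supplied.
        $hops = array_map('trim', explode(',', $this->get_server('HTTP_X_FORWARDED_FOR')));
        $ipaddress = end($hops);
    }
    if ($ipaddress === false || filter_var($ipaddress, FILTER_VALIDATE_IP) === false) {
        $ipaddress = 'UNKNOWN';
    }
    // … unchanged: remainder of get_client_ip() …
```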
