On Thu, 7 Dec 2006, Joshua Slive wrote:
> On 12/7/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>>> still, i think even REMOTE_ADDR could be spoofed easily couldn't it?
>>>
>>> No, it is determined directly from the TCP/IP connection information which cannot be (easily) spoofed. The Client-IP is simply a request header which the client (or proxy) completely controls.
>>
>> ok. i'm understanding correctly then - spoofing remote_addr would most likely involve packet wrapping. i'm not sure that would be considered 'hard' - but it is indeed harder than setting headers.
>
> I'm not sure what you mean by "packet wrapping". But in general, it is hard to lie about the source IP address if you want to get a response from the server and are not on the same local network. (It is much easier if you are just doing a denial of service attack and hence don't care if you ever see a response.)
understood. since the last post i've verified that sending the client_ip via

curl --header "CLIENT_IP: an_internal_ip" uri

does not, in fact, subvert the security. i'm not sure of the mechanism, but i can set new http_* headers but not over-write any existing ones via a client - or so it seems.
regards.
-a
--
if you want others to be happy, practice compassion.
if you want to be happy, practice compassion. -- the dalai lama
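The distinction the thread settles on, REMOTE_ADDR taken from the TCP socket versus Client-IP / X-Forwarded-For as headers the client or proxy controls, written out as a small address resolver of the kind a CGI or WSGI application behind Apache would use. This is an added example, not code from the thread or from httpd; the trusted-proxy address and the environ dicts are constructed assumptions.

```python
"""Resolve the client address for an access decision.

REMOTE_ADDR is the peer of the TCP connection. Client-IP and
X-Forwarded-For are plain request headers (surfaced as HTTP_* in a
CGI/WSGI environ), so they only mean something when the peer that sent
them is a proxy we operate. Added example; the values are constructed.
"""

# Assumption: the address of our own reverse proxy (constructed value).
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the address to trust for this request."""
    peer = environ["REMOTE_ADDR"]
    if peer not in trusted_proxies:
        # Direct connection from an unknown peer: any HTTP_CLIENT_IP or
        # HTTP_X_FORWARDED_FOR it sent (e.g. via curl --header) is ignored.
        return peer
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Our proxy appends the address it actually saw, so walk from the
    # right and skip our own proxies; the first unknown hop is the client.
    # Anything the client put in front of that is untrusted and never reached.
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return peer


def is_internal(environ, internal_prefix="192.168."):
    """The kind of 'internal client' check the thread is worried about,
    decided on the resolved address rather than on a request header."""
    return client_ip(environ).startswith(internal_prefix)
```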
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.