
Author Topic: NRIP in the database?  (Read 5783 times)

MysteryFCM

NRIP in the database?
« on: May 26, 2009, 05:09:22 PM »
Mike,
Was testing the integration of the SBST into Coppermine, and noticed BotScout was blocking it, even though I was using an internal IP (in the 192.168.x range), so checked, and you seem to have some NRIP IP's in the database?

http://www.botscout.com/search.htm?sterm=192.168.0.&stype=q
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

Mike

Re: NRIP in the database?
« Reply #1 on: May 26, 2009, 07:17:27 PM »
Yep....they spoofed their IP address. The IPs come straight from the REMOTE_ADDR var. After a little research, I found this (one of many):

======================================
REMOTE_ADDR and REMOTE_HOST not safe for use in security

There was some discussion today on CF-Talk about using CGI variables to secure an application and some confusion as to which CGI variables can be spoofed and if some are safe. Particularly there's interest in blocking out specific IP addresses from accessing a web-application.

After some testing, I confirmed that even REMOTE_ADDR, the client's IP address, and REMOTE_HOST, the client's host name, can be spoofed very easily. ColdFusion can do this with the CFHTTP and CFHTTPPARAM tags and I'm sure other tools are available.

These spoofs worked with JRun's built-in web server and through IIS. I've also spoofed REMOTE_HOST previously with an iPlanet installation to demonstrate poor security in a client's application.

So if you're thinking about using CGI variables to secure a site, you need to think again. If you need to secure by IP address, then do it at the router and not in application code.

http://rewindlife.com/2004/04/20/remote_addr-and-remote_host-not-safe-for-use-in-security/
======================================

So, I dunno....I guess I can remove those entries if you think they should be taken out.

Clearly they aren't real IPs, but then again, if that's what the remote client is reporting then we *know* that they're spoofing 'em, right? The only exception to this would be when someone is doing local testing like you were.

Whaddya think?




Please don't PM me for assistance- post your questions in the forum where others can see them.

MysteryFCM

Re: NRIP in the database?
« Reply #2 on: May 26, 2009, 07:36:34 PM »
The only time it's an issue is as you said, when we're testing, so I can easily filter that out if I have to :)
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
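
The kind of filter mentioned in Reply #2, as an added example that is not part of the thread and is not BotScout's or Coppermine's code: it classifies the address a site sees in REMOTE_ADDR so that non-routable values (such as the 192.168.x test address above) are skipped before any blocklist lookup or submission. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample values for illustration; none come from the BotScout database.
SAMPLE_ADDRS = [
    "192.168.0.14", "10.1.2.3", "127.0.0.1", "169.254.10.1", "100.64.0.9",
    "::ffff:192.168.0.5", "8.8.8.8", "2001:4860:4860::8888", "not-an-ip",
]

# RFC 6598 shared address space (carrier-grade NAT), checked explicitly
# because it is not covered by the is_private flag.
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")


def classify_addr(raw):
    """Return 'routable', 'non-routable' or 'invalid' for a REMOTE_ADDR string."""
    try:
        ip = ipaddress.ip_address(str(raw).strip())
    except ValueError:
        return "invalid"
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    if ip.version == 4 and ip in SHARED_SPACE:
        return "non-routable"
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return "non-routable"
    return "routable"


def partition_reports(addrs):
    """Split addresses into those worth a blocklist lookup and those to skip."""
    lookup, skipped = [], {}
    for raw in addrs:
        kind = classify_addr(raw)
        if kind == "routable":
            lookup.append(raw)
        else:
            skipped[raw] = kind  # keep the reason for logging or review
    return lookup, skipped


if __name__ == "__main__":
    to_check, ignored = partition_reports(SAMPLE_ADDRS)
    print("look up:", to_check)
    for addr, reason in ignored.items():
        print("skip   :", addr, "->", reason)
```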