Hi guys, quick question here: my site can be hacked via XSS through the x_forwarded_for and client_ip used below. How can this be done?

    function getUsersIP() {
        if (isset($_SERVER)) {
            // HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP come straight from request headers
            // and are returned without any validation.
            if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) return $_SERVER["HTTP_X_FORWARDED_FOR"];
            if (isset($_SERVER["HTTP_CLIENT_IP"]))       return $_SERVER["HTTP_CLIENT_IP"];
            return $_SERVER["REMOTE_ADDR"];
        }
        // Fallback for environments where $_SERVER is not populated; same header precedence.
        if (getenv('HTTP_X_FORWARDED_FOR')) return getenv('HTTP_X_FORWARDED_FOR');
        if (getenv('HTTP_CLIENT_IP'))       return getenv('HTTP_CLIENT_IP');
        return getenv('REMOTE_ADDR');
    }
X-Forwarded-For and Client-IP are header fields of the HTTP request. All such fields may be faked. Example of an HTTP request:

    GET / HTTP/1.0
    Host: somesite.com
    Referer: httx://anylink.com/
    Cookie: var1=val1&var2=val2
    User-Agent: Mozilla/5.0 (compatible; eVuln bot/1.0)
    X-Forwarded-For: 123.123.123.123

The values of Referer, Cookie, User-Agent, X-Forwarded-For (and others) may be replaced by an arbitrary STRING, including XSS and SQL injection payloads. You can generate and send such requests using one of the tools on my site (tool name "web security testing"). Regards.
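The answer above shows why the posted getUsersIP() is dangerous: whatever string the client puts in X-Forwarded-For or Client-IP is returned as the "IP address" and, wherever the site logs or echoes it, becomes an XSS or SQL injection vector. The following is an added example, not code from either poster, of a hardened replacement. It assumes a list of trusted reverse-proxy addresses ($trustedProxies, a hypothetical configuration value): the header is only consulted when the TCP peer is one of those proxies, every candidate is checked with PHP's built-in FILTER_VALIDATE_IP, and the result is HTML-escaped before output. The sample requests at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): a hardened version of getUsersIP().
// $trustedProxies is an assumed configuration value listing our own reverse proxies.

function getUsersIPSafe(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // REMOTE_ADDR is set by the web server from the TCP connection, so it cannot be
    // spoofed by a header. If the peer is not one of our proxies, ignore all headers.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // X-Forwarded-For is a comma-separated list to which each proxy appends the
    // address it saw. Walk it from the right (the hop our proxy added), skip our own
    // proxies, and accept the first value that is syntactically an IP address.
    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            $hop = $hops[$i];
            if (in_array($hop, $trustedProxies, true)) {
                continue;
            }
            if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
                return $hop;
            }
            // Anything that is not an IP (a script tag, a quote, ...) is attacker data
            // that the client prepended; stop here rather than trust what lies left of it.
            break;
        }
    }

    // No usable forwarded address: fall back to the proxy's own address.
    return $remote;
}

// Even a validated IP is escaped on output, so the fix does not depend on
// validation alone if the function is later changed.
function renderIP(string $ip): string
{
    return '<p>Your IP: ' . htmlspecialchars($ip, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample requests for the demonstration (not real traffic).
$trustedProxies = ['10.0.0.2'];

// 1. A client connecting directly sends a forged header carrying an XSS payload.
//    The peer is not a trusted proxy, so the header is ignored and REMOTE_ADDR wins.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>',
];
echo renderIP(getUsersIPSafe($direct, $trustedProxies)), PHP_EOL;

// 2. A request that really came through our proxy; the client had prepended an
//    SQL-injection string, which is rejected by the IP check and never returned.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => "' OR 1=1 --, 198.51.100.9",
];
echo renderIP(getUsersIPSafe($viaProxy, $trustedProxies)), PHP_EOL;
```

Run it with `php example.php`: request 1 resolves to the direct peer's address and request 2 to the address the proxy appended; in neither case does the injected string reach the page. The original function would return the raw header verbatim in both cases.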