Getting XSS attacks via Client_IP and Forwarded_for - How?

Hi guys, Quick question here as my site can be hacked via xss through this x_forwarded_for and client_ip below. How can this be done?

function getUsersIP()
{
if (isset($_SERVER))
{
if (isset($_SERVER["HTTP_X_FORWARDED_FOR"]))
return $_SERVER["HTTP_X_FORWARDED_FOR"];

if (isset($_SERVER["HTTP_CLIENT_IP"]))
return $_SERVER["HTTP_CLIENT_IP"];

return $_SERVER["REMOTE_ADDR"];
}

if (getenv('HTTP_X_FORWARDED_FOR'))
return getenv('HTTP_X_FORWARDED_FOR');

if (getenv('HTTP_CLIENT_IP'))
return getenv('HTTP_CLIENT_IP');

return getenv('REMOTE_ADDR');
}

 

X-Forwarded-For and Client-IP are parameters of HTTP query. All these parameters may be fake.

Example of HTTP query:

GET / HTTP/1.0
Host: somesite.com
Referer: httx://anylink.com/
Cookie: var1=val1&var2=val2
User-Agent: Mozilla/5.0 (compatible; eVuln bot/1.0)
X-Forwarded-For: 123.123.123.123

Values of Referer, Cookie, User-Agent, X-Forwarded-For (and other) may be replaced by arbitrary STRING including xss and sql-injections.

You can generate and send such queries using one of my tools from my site (tool name "web security testing").

Regards.

 

if you have proper modsec rules , then you can protect your self and forget any XSS attacks