Displaying the TRUE ip address

Posted: Thu May 17, 2007 8:53 am
by voyager1337
I've noticed the IP system is bobbins and only gives the proxy (if they use one), so is there a mod which allows you to see the real IP?

Re: Displaying the TRUE ip address

Posted: Thu May 17, 2007 11:06 am
by ric323
You can do this, but it does allow some knowledgeable people to deliberately fake their IP address.

OPEN common.php

FIND

Code:

// Obtain and encode users IP
//
// I'm removing HTTP_X_FORWARDED_FOR ... this may well cause other problems such as
// private range IP's appearing instead of the guilty routable IP, tough, don't
// even bother complaining ... go scream and shout at the idiots out there who feel
// "clever" is doing harm rather than good ... karma is a great thing ... :)
//
$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : getenv('REMOTE_ADDR') );
$user_ip = encode_ip($client_ip);

REPLACE WITH

Code:

//
// Obtain and encode users IP
if( getenv('HTTP_X_FORWARDED_FOR') != '' )
{
	$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );

	$entries = explode(',', getenv('HTTP_X_FORWARDED_FOR'));
	reset($entries);
	while (list(, $entry) = each($entries)) 
	{
		$entry = trim($entry);
		if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) )
		{
			$private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/');
			$found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);

			if ($client_ip != $found_ip)
			{
				$client_ip = $found_ip;
				break;
			}
		}
	}
}
else
{
	$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
}
$user_ip = encode_ip($client_ip);

Re: Displaying the TRUE ip address

Posted: Thu May 17, 2007 12:14 pm
by voyager1337
That did the trick ric323, thanks. I've got a consistent troll who has been using proxies to hide

Re: Displaying the TRUE ip address

Posted: Thu May 17, 2007 12:32 pm
by zeroK
Note that it depends on the proxy whether or not it even allows you to determine the users' IPs since the X_FORWARDED_FOR header is not really mandatory.

Re: Displaying the TRUE ip address

Posted: Thu May 17, 2007 2:35 pm
by voyager1337
Will V3 RC need a mod to get the true IP or has this been taken care of?

Re: Displaying the TRUE ip address

Posted: Sun Nov 11, 2007 12:10 am
by dsustaita
It looks like for phpBB3, the file is session.php in the includes folder and not in the common.php file anymore. It's around line 210 or so.

Re: Displaying the TRUE ip address

Posted: Sun Nov 11, 2007 4:09 pm
by GeneXian
I made a test page to see if there is a difference between my IP address and my "real IP address".

I took the code you have above and added the encode_ip function from functions.php

Code:

<?php
{
$ip=$_SERVER['REMOTE_ADDR'];
}

//
// Obtain and encode users IP

function encode_ip($dotquad_ip)
{
	$ip_sep = explode('.', $dotquad_ip);
	return sprintf('%02x%02x%02x%02x', $ip_sep[0], $ip_sep[1], $ip_sep[2], $ip_sep[3]);
}

if( getenv('HTTP_X_FORWARDED_FOR') != '' )
{
   $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );

   $entries = explode(',', getenv('HTTP_X_FORWARDED_FOR'));
   reset($entries);
   while (list(, $entry) = each($entries))
   {
      $entry = trim($entry);
      if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) )
      {
         $private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/');
         $found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);

         if ($client_ip != $found_ip)
         {
            $client_ip = $found_ip;
            break;
         }
      }
   }
}
else
{
   $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
}
$user_ip = encode_ip($client_ip);

?>
<html>
<head><title></title></head>
<body>
<?php
echo "IP Address= $ip<br>";
echo "Real IP Address= $user_ip";  
?>
</body>

</html>

The results I get are:

IP Address= x.x.x.x (removed to protect the innocent)
Real IP Address= xxxxxxxxx <--- nothing close to the IP address above

Re: Displaying the TRUE ip address

Posted: Sun Nov 11, 2007 4:12 pm
by karlsemple
??????? is actually the phpBB hex code for the IP of ????????. Remember that phpBB stores a hex-encoded representation of the IP and not the actual IP address.

voyager1337 wrote: Will V3 RC need a mod to get the true IP or has this been taken care of?

There is no way of getting the real IP from a proxy; you are relying on the proxy itself to forward the true IP, and as mentioned above they are not obliged to do this and often report false IPs anyway. Not to mention the HTTP_X_FORWARDED_FOR can be easily spoofed :)

Re: Displaying the TRUE ip address

Posted: Sun Nov 11, 2007 9:51 pm
by ric323
karlsemple wrote: ... Not to mention the HTTP_X_FORWARDED_FOR can be easily spoofed :)
Which is obviously the reason why this code was removed from phpBB in the first place. You need to be very aware of this possibility if you intend to use it anyway. That's why I said:
ric323 wrote: but it does allow some knowledgeable people to deliberately fake their IP address.
in my first reply.
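
An added example, not part of any post in this thread and not phpBB code: the spoofing concern raised above is usually handled by honouring X-Forwarded-For only when the TCP peer (REMOTE_ADDR) is a reverse proxy you operate, and then reading the header from the right. The function name, the TRUSTED_PROXIES list and the sample addresses (documentation ranges) are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example, not phpBB code. TRUSTED_PROXIES is a hypothetical list of
// reverse proxies run by the board operator (documentation addresses).
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11'];

/**
 * Pick the address to record for a request.
 * $remoteAddr is the TCP peer (REMOTE_ADDR); $xff is the raw
 * X-Forwarded-For value, or null when the header is absent.
 */
function resolve_client_ip(string $remoteAddr, ?string $xff, array $trusted = TRUSTED_PROXIES): string
{
    // The header is only meaningful if one of our own proxies delivered the
    // request. From any other peer it is client-controlled text: ignore it.
    if ($xff === null || !in_array($remoteAddr, $trusted, true)) {
        return $remoteAddr;
    }
    // Each proxy appends the peer it saw, so the right-most entries were
    // written by our infrastructure. Walk the list from right to left.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remoteAddr;   // malformed entry: fall back to the TCP peer
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;          // first hop that is not one of our proxies
        }
    }
    return $remoteAddr;           // header named only our own proxies
}

// Constructed sample requests: [REMOTE_ADDR, X-Forwarded-For]
$samples = [
    ['203.0.113.7', null],                          // direct connection
    ['203.0.113.7', '198.51.100.99'],               // header from an untrusted peer
    ['192.0.2.10',  '198.51.100.23'],               // through our proxy
    ['192.0.2.10',  '10.9.9.9, 198.51.100.23'],     // header pre-seeded before our proxy
    ['192.0.2.11',  '198.51.100.23, 192.0.2.10'],   // through two of our proxies
];
foreach ($samples as [$peer, $xff]) {
    printf("%-12s XFF=%-30s -> %s\n", $peer, var_export($xff, true), resolve_client_ip($peer, $xff));
}
// Expected: 203.0.113.7, 203.0.113.7, 198.51.100.23, 198.51.100.23, 198.51.100.23
```

With an empty TRUSTED_PROXIES list this always returns REMOTE_ADDR, which matches the stock common.php behaviour shown in the FIND block.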