Displaying the TRUE ip address

voyager1337 · Post by **voyager1337** » Thu May 17, 2007 8:53 am

I've noticed the IP system is bobbins and only gives the proxy (if they use one) so is their a mod which allows you to see the real IP ?

ric323 · Post by **ric323** » Thu May 17, 2007 11:06 am

You can do this, but it does allow some knowlegable people to deliberately fake their IP address.

OPEN common.php

FIND

Code: Select all

// Obtain and encode users IP
//
// I'm removing HTTP_X_FORWARDED_FOR ... this may well cause other problems such as
// private range IP's appearing instead of the guilty routable IP, tough, don't
// even bother complaining ... go scream and shout at the idiots out there who feel
// "clever" is doing harm rather than good ... karma is a great thing ... :)
//
$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : getenv('REMOTE_ADDR') );
$user_ip = encode_ip($client_ip);

REPLACE WITH

Code: Select all

//
// Obtain and encode users IP
if( getenv('HTTP_X_FORWARDED_FOR') != '' )
{
	$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );

	$entries = explode(',', getenv('HTTP_X_FORWARDED_FOR'));
	reset($entries);
	while (list(, $entry) = each($entries)) 
	{
		$entry = trim($entry);
		if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) )
		{
			$private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/');
			$found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);

			if ($client_ip != $found_ip)
			{
				$client_ip = $found_ip;
				break;
			}
		}
	}
}
else
{
	$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
}
$user_ip = encode_ip($client_ip);

voyager1337 · Post by **voyager1337** » Thu May 17, 2007 12:14 pm

That did the trick ric323 thanks. I've got a consistant troll who has been using proxies to hide

zeroK · Post by **zeroK** » Thu May 17, 2007 12:32 pm

Note that it depends on the proxy whether or not it even allows you to determine the users' IPs since the X_FORWARDED_FOR header is not really mandatory.

voyager1337 · Post by **voyager1337** » Thu May 17, 2007 2:35 pm

Will V3 RC need a mod to get the true IP or has this been taken care of ?

dsustaita · Post by **dsustaita** » Sun Nov 11, 2007 12:10 am

It looks like for phpBB3, the file is session.php in the includes folder and not in the common.php file anymore. Its around line 210 or so.

GeneXian · Post by **GeneXian** » Sun Nov 11, 2007 4:09 pm

I made a test page to see if there is a difference between my IP address and my "real IP address".

I took the code you have above and added the encode_ip function from functions.php

Code: Select all

<?php
{
$ip=$_SERVER['REMOTE_ADDR'];
}

//
// Obtain and encode users IP

function encode_ip($dotquad_ip)
{
	$ip_sep = explode('.', $dotquad_ip);
	return sprintf('%02x%02x%02x%02x', $ip_sep[0], $ip_sep[1], $ip_sep[2], $ip_sep[3]);
}

if( getenv('HTTP_X_FORWARDED_FOR') != '' )
{
   $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );

   $entries = explode(',', getenv('HTTP_X_FORWARDED_FOR'));
   reset($entries);
   while (list(, $entry) = each($entries))
   {
      $entry = trim($entry);
      if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) )
      {
         $private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/');
         $found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);

         if ($client_ip != $found_ip)
         {
            $client_ip = $found_ip;
            break;
         }
      }
   }
}
else
{
   $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
}
$user_ip = encode_ip($client_ip);

?>
<html>
<head><title></title></head>
<body>
<?php
echo "IP Address= $ip<br>";
echo "Real IP Address= $user_ip";  
?>
</body>

</html>

The results I get are:

IP Address= x.x.x.x (removed to protect the innocent)
Real IP Address= xxxxxxxxx <--- nothing close to the IP address above

karlsemple · Post by **karlsemple** » Sun Nov 11, 2007 4:12 pm

??????? is actually the phpbb hex code for the IP of ???????? remember that phpBB stores a hex encoded representation of the IP and not the actual ip address

voyager1337 wrote:Will V3 RC need a mod to get the true IP or has this been taken care of ?

There is no way of getting the real IP from a proxy, you are relying on the proxy itself to forward the true IP and as mentioned above they are not obliged to do this and often report false IP's anyway. Not to mention the HTTP_X_FORWARDED_FOR can be easily spoofed

ric323 · Post by **ric323** » Sun Nov 11, 2007 9:51 pm

karlsemple wrote:... Not to mention the HTTP_X_FORWARDED_FOR can be easily spoofed

Which is obviously the reason why this code was remove from phpBB in the first place. You need to be very aware of this possibility if you intend to use it anyway. That's why I said:

ric323 wrote:but it does allow some knowlegable people to deliberately fake their IP address.

in my first reply.