24 Replies Latest reply on Aug 30, 2009 2:16 PM by -==cfSearching==-

    #CGI.REMOTE_ADDR#  sql injection?

    nikos101 Level 2
      Could #CGI.REMOTE_ADDR# be spoofed to do sql injection?
        • 1. Re: #CGI.REMOTE_ADDR#  sql injection?
          Level 7
          easily, but these days it is spoofed to run sql injection attacks only
          by amateurs - pros use 'bot armies' to run massive-scale sql injection
          attacks, when spoofing anything is not needed since it is infected
          machines of unsuspecting users that are executing the sql injection
          attacks; the 'generals' stay in the shade and reap the rewards...

          Azadi Saryev
          Sabai-dee.com
          http://www.sabai-dee.com/
          • 2. Re: #CGI.REMOTE_ADDR#  sql injection?
            Level 7
            nikos101 wrote:
            > Could #CGI.REMOTE_ADDR# be spoofed to do sql injection?

            Yes, CGI variables can be spoofed. Anything received from another
            computer can be spoofed. Yes it can be used to do sql injection if you
            are using CGI variables inside of unparameterized SQL code. I.E.
            without <cfqueryparam...> tags.
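An added example, not code from any poster in this thread, of the distinction Ian draws between unparameterized SQL and bound parameters. The thread's application is ColdFusion; this uses Python's sqlite3 module with a constructed in-memory allow-list table so it runs offline: the string-built query is the shape of a `<cfquery>` that interpolates `#CGI.REMOTE_ADDR#` directly, the bound-parameter query is what `<cfqueryparam>` gives you. Table contents and sample values are constructed; `looks_like_ip` is an extra check of my own, not something the thread proposes.

```python
import ipaddress
import sqlite3

# Constructed allow-list: the one address that should pass the check.
ALLOWED_IPS = ["10.0.0.5"]


def make_db():
    """Build an in-memory table standing in for an application's IP allow-list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE allowed_ip (ip TEXT NOT NULL)")
    conn.executemany("INSERT INTO allowed_ip (ip) VALUES (?)",
                     [(ip,) for ip in ALLOWED_IPS])
    conn.commit()
    return conn


def ip_is_allowed_vulnerable(conn, remote_addr):
    """String-built SQL: whatever arrives in remote_addr becomes SQL text.
    This is the shape of a <cfquery> that interpolates #CGI.REMOTE_ADDR#
    directly, with no <cfqueryparam>."""
    sql = "SELECT COUNT(*) FROM allowed_ip WHERE ip = '" + remote_addr + "'"
    return conn.execute(sql).fetchone()[0] > 0


def ip_is_allowed_safe(conn, remote_addr):
    """Bound parameter: the driver passes remote_addr as a value, never as
    SQL, so quotes inside it cannot change the statement. This is what
    <cfqueryparam cfsqltype="cf_sql_varchar"> does in CFML."""
    row = conn.execute("SELECT COUNT(*) FROM allowed_ip WHERE ip = ?",
                       (remote_addr,)).fetchone()
    return row[0] > 0


def looks_like_ip(value):
    """Second layer: a client address should parse as IPv4 or IPv6.
    Anything that does not is not an address and needs no query at all."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


# Constructed inputs: a listed address, an unlisted one, and a value that is
# not an address at all but a tautology that rewrites the WHERE clause.
GOOD_IP = "10.0.0.5"
OTHER_IP = "192.0.2.44"
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for value in (GOOD_IP, OTHER_IP, TAUTOLOGY):
        print("%-14r valid_ip=%-5s vulnerable=%-5s safe=%s" % (
            value, looks_like_ip(value),
            ip_is_allowed_vulnerable(db, value),
            ip_is_allowed_safe(db, value)))
```

The string-built check lets the tautology value through because the WHERE clause becomes `ip = '' OR '1'='1'`; the bound-parameter check compares the whole string against the column and finds nothing. Validating the value as an address before it reaches any query is cheap defence in depth, but it is the parameter binding that removes the injection.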
            • 3. Re: #CGI.REMOTE_ADDR#  sql injection?
              Level 7
              for some reason i read the OP's question differently and didn't think of
              that aspect of spoofing cgi.remote_address... your answer now makes the
              original question make more sense to me...

              Azadi Saryev
              Sabai-dee.com
              http://www.sabai-dee.com/
              • 4. Re: #CGI.REMOTE_ADDR#  sql injection?
                Level 7
                nikos101 wrote:
                > Could #CGI.REMOTE_ADDR# be spoofed to do sql injection?

                No, I don't think CGI.REMOTE_ADDR can be spoofed as it's set by the web
                server and not by the client (client set headers have HTTP_ as a prefix).

                --
                Mack
                • 5. Re: #CGI.REMOTE_ADDR#  sql injection?
                  Level 7
                  Mack wrote:
                  > nikos101 wrote:
                  >> Could #CGI.REMOTE_ADDR# be spoofed to do sql injection?
                  >
                  > No, I don't think CGI.REMOTE_ADDR can be spoofed as it's set by the web
                  > server and not by the client (client set headers have HTTP_ as a prefix).
                  >

                  Yes it is set by the web server. The spoofing comes in that the hacker
                  uses his own web server to set these variables as he desires to work
                  over your site.

                  http://www.12robots.com/index.cfm/2008/12/9/Spoofing-CGI-variables--Security-Series-11

                  • 6. Re: #CGI.REMOTE_ADDR#  sql injection?
                    Level 7
                    Ian Skinner wrote:
                    > Mack wrote:
                    >> nikos101 wrote:
                    >>> Could #CGI.REMOTE_ADDR# be spoofed to do sql injection?
                    >>
                    >> No, I don't think CGI.REMOTE_ADDR can be spoofed as it's set by the web
                    >> server and not by the client (client set headers have HTTP_ as a prefix).
                    >>
                    >
                    > Yes it is set by the web server. The spoofing comes in that the hacker
                    > uses his own web server to set these variables as he desires to work
                    > over your site.
                    >
                    > http://www.12robots.com/index.cfm/2008/12/9/Spoofing-CGI-variables--Security-Series-11

                    CGI.HTTP_* variables are set by the client and their content should be
                    treated as untrusted input. CGI.REMOTE_ADDR (and others like
                    CGI.SCRIPT_NAME, CGI.PATH_INFO) are set by the web server that connects
                    to the CF application instance so I'm pretty sure that they cannot be
                    spoofed.

                    Here's a quick test file (adapted from the link you provided) which
                    shows that you cannot spoof REMOTE_ADDR or REMOTE_HOST:

                    <cfif StructKeyExists(Url, "g")>
                        <!--- second hop: show what the server actually saw for the forged headers --->
                        <cfdump var="#CGI.REMOTE_ADDR#">
                        <cfdump var="#cgi#">
                        <cfdump var="#GetHTTPRequestData()#">
                    <cfelse>
                        <!--- first hop: call this same page with forged CGI-style headers --->
                        <cfhttp method="get" url="http://#CGI.SERVER_NAME#/#CGI.SCRIPT_NAME#?g"
                                result="myVar">
                            <cfhttpparam type="header" name="Referer"
                                         value="http://www.google.com/search?q=coming+from+google">
                            <cfhttpparam type="header" name="REMOTE_HOST" value="71.244.78.2">
                            <cfhttpparam type="header" name="HTTP_REMOTE_HOST" value="71.244.78.2">
                            <cfhttpparam type="header" name="REMOTE_ADDR" value="71.244.78.2">
                            <cfhttpparam type="header" name="HTTP_REMOTE_ADDR" value="71.244.78.2">
                        </cfhttp>
                        <cfoutput>#myVar.FileContent#</cfoutput>
                    </cfif>

                    --
                    Mack
                    • 7. Re: #CGI.REMOTE_ADDR#  sql injection?
                      Level 7
                      > Here's a quick test file (adapted from the link you provided) which
                      > shows that you cannot spoof REMOTE_ADDR or REMOTE_HOST:

                      ... using that technique, anyhow.

                      One could manually construct or alter the TCP/IP packets and change the
                      address they're coming from.

                      But, to be honest, if someone's that dedicated to hacking your system,
                      they'll probably find a way.

                      Personally, I would never trust the veracity of a HTTP_ prefixed CGI
                      variables for the reasons under discussion here, but I don't really feel
                      very concerned about the possibilities of someone hacking CGI.remote_addr.

                      For the purposes of securing forms, I'd just set a session variable on the
                      form-display page, and check the session variable on the form-action page.

                      In situations that need to be very very secure, I'd secure the app at
                      operating system level, and consider what level of external access is
                      appropriate. The only truly secure server is one that's in a locked room
                      and not connected to anything, after all ;-)

                      --
                      Adam
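An added example (not Adam's code, nor anything from the thread) of the session-variable check he describes, written in Python with a plain dict standing in for the ColdFusion session scope. The form-display page mints a token and stores it in the session; the form-action page accepts a post only if it carries that token. Function names and the single-use behaviour are my own choices.

```python
import hmac
import secrets


def render_form(session):
    """Form-display page: mint an unguessable token, keep it in the session
    scope and hand it back so the form can carry it in a hidden field."""
    token = secrets.token_urlsafe(32)
    session["form_token"] = token
    return token


def handle_form_action(session, submitted_token):
    """Form-action page: accept the post only if it carries the token minted
    for this session. The token is removed on first use, so a replayed post,
    or a forged one that never went through the form-display page, fails."""
    expected = session.pop("form_token", None)
    if expected is None or submitted_token is None:
        return False
    # Constant-time compare so the check leaks nothing about the token.
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    session = {}                      # constructed stand-in for the session scope
    token = render_form(session)      # the user viewed the form
    print("genuine post:", handle_form_action(session, token))      # True
    print("replayed post:", handle_form_action(session, token))     # False
    render_form(session)
    print("forged post:", handle_form_action(session, "guess"))     # False
    print("never saw form:", handle_form_action({}, token))         # False
```

Because the token lives in the server-side session and is compared in constant time, a third-party page that tricks the browser into submitting the form cannot supply it; that is the CSRF property Mack refers to later in the thread.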
                      • 8. Re: #CGI.REMOTE_ADDR#  sql injection?
                        Level 7
                        from what i have read, it is pretty trivial to fake cgi.remote_addr on a
                        linux system using direct socket & tcp/ip programming.
                        not many people would go to even that extent because faking/spoofing
                        cgi.remote_addr was usually intended to hide the originating ip - and
                        with anonymous and real proxies abound now this has become redundant.

                        on the other hand, faking/spoofing remote_addr to gain access to an
                        application or to execute malicious code - that's different. but it is
                        known that not many software apps rely on remote_addr - it is used
                        mostly in allowing remote admin of hardware devices like router for
                        instance.

                        but i guess with the late increase in sqli attacks, and many posts on
                        the subject mentioning code to log remote ip, it may be the next thing
                        those &^$^$%# &^%^$^% employ now that every second app is going to be
                        inserting remote ip address into db....

                        to be on the side of caution maybe just log it to a text file instead...

                        sorry, a bit of a wild rant, but then again it is wednesday evening here
                        and the beer is flowing...


                        Azadi Saryev
                        Sabai-dee.com
                        http://www.sabai-dee.com/
                        • 9. Re: #CGI.REMOTE_ADDR#  sql injection?
                          Level 7
                          did i sense a bit of that "great minds" thing you had with Ian on that
                          other thread here?...

                          i surely hope so... :)

                          Azadi Saryev
                          Sabai-dee.com
                          http://www.sabai-dee.com/
                          • 10. Re: #CGI.REMOTE_ADDR#  sql injection?
                            Level 7
                            Adam Cameron wrote:
                            >> Here's a quick test file (adapted from the link you provided) which
                            >> shows that you cannot spoof REMOTE_ADDR or REMOTE_HOST:
                            >
                            > .... using that technique, anyhow.
                            >
                            > One could manually construct or alter the TCP/IP packets and change the
                            > address they're coming from.

                            I'm pretty sure you can't spoof the source IP address when using the TCP
                            protocol in the general case because of the 3-way handshake of TCP. UDP
                            is pretty trivial to spoof (unless the ISP filters outbound packets with
                            incorrect IP source addresses).

                            > But, to be honest, if someone's that dedicated to hacking your system,
                            > there'll probably find a way.
                            >
                            > Personally, I would never trust the veracity of a HTTP_ prefixed CGI
                            > variables for the reasons under discussion here, but I don't really feel
                            > very concerned about the possibilities of someone hacking CGI.remote_addr.

                            That's basically my opinion also: HTTP_* should be treated as untrusted
                            input, CGI.REMOTE_ADDR is safe (unless the attacker has control of your
                            web server - but at this point you have bigger problems).

                            > For the purposes of securing forms, I'd just set a session variable on the
                            > form-display page, and check the session variable on the form-action page.

                            This is one way to protect against CSRF attacks, for example.

                            --
                            Mack
                            • 11. Re: #CGI.REMOTE_ADDR#  sql injection?
                              Level 7
                              Azadi wrote:
                              > from what i have read, it is pretty trivial to fake cgi.remote_addr on a
                              > linux system using direct socket & tcp/ip programming.

                              Unless the attacker is on the web server this will not work because of
                              the TCP handshake (the TCP connection is not fully established until the
                              final ACK from the client to the server - if the client spoofs its IP
                              address then the server will send the SYN-ACK packet to the wrong computer).

                              Spoofing Referer is trivial. Spoofing Remote_addr is not possible in
                              99.99% of the cases (one way to spoof REMOTE_ADDR is to custom build the
                              web server if you have access to the source - for example Apache).

                              --
                              Mack
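Mack's handshake argument in posts 10 and 11, as an added Python model that is not from any poster: a toy network delivers each packet to the inbox of its destination address, the server picks a random initial sequence number, and a connection is established only if the final ACK acknowledges that number plus one. A client using its own address sees the SYN-ACK and completes; a client forging another address never receives it. Addresses, packet shapes and class names are constructed for the model, not real socket code.

```python
import secrets


class Network:
    """Toy network: every packet lands in the inbox of its destination
    address, as a router would deliver it. Nobody reads another address's inbox."""

    def __init__(self):
        self.inboxes = {}

    def send(self, pkt):
        self.inboxes.setdefault(pkt["dst"], []).append(pkt)

    def receive(self, addr):
        return self.inboxes.pop(addr, [])


class Server:
    """Web server side of the handshake. REMOTE_ADDR ends up being whichever
    source address makes it into self.established."""

    def __init__(self, net, addr):
        self.net = net
        self.addr = addr
        self.pending = {}          # src address -> our ISN, awaiting the final ACK
        self.established = set()

    def process(self):
        for pkt in self.net.receive(self.addr):
            if pkt["flags"] == "SYN":
                isn = secrets.randbits(32)          # random initial sequence number
                self.pending[pkt["src"]] = isn
                self.net.send({"src": self.addr, "dst": pkt["src"],
                               "flags": "SYN-ACK", "seq": isn,
                               "ack": pkt["seq"] + 1})
            elif pkt["flags"] == "ACK" and pkt["src"] in self.pending:
                # The final ACK must acknowledge our ISN + 1; a client can
                # only know that number if it received the SYN-ACK.
                if pkt["ack"] == self.pending[pkt["src"]] + 1:
                    self.established.add(pkt["src"])
                del self.pending[pkt["src"]]


def honest_connect(net, server, client_addr):
    """Client using its real address: it receives the SYN-ACK and completes."""
    isn = secrets.randbits(32)
    net.send({"src": client_addr, "dst": server.addr, "flags": "SYN", "seq": isn})
    server.process()
    replies = [p for p in net.receive(client_addr) if p["flags"] == "SYN-ACK"]
    if not replies:
        return False
    net.send({"src": client_addr, "dst": server.addr, "flags": "ACK",
              "seq": isn + 1, "ack": replies[0]["seq"] + 1})
    server.process()
    return client_addr in server.established


def spoofed_connect(net, server, attacker_addr, victim_addr):
    """Client forging victim_addr as its source: the SYN-ACK is delivered to
    the victim's inbox, so the forger never learns the server's ISN and its
    final ACK carries a guess that is wrong in all but 1 of 2^32 cases."""
    isn = secrets.randbits(32)
    net.send({"src": victim_addr, "dst": server.addr, "flags": "SYN", "seq": isn})
    server.process()
    seen = [p for p in net.receive(attacker_addr) if p["flags"] == "SYN-ACK"]
    guess = seen[0]["seq"] if seen else secrets.randbits(32)
    net.send({"src": victim_addr, "dst": server.addr, "flags": "ACK",
              "seq": isn + 1, "ack": guess + 1})
    server.process()
    return victim_addr in server.established


if __name__ == "__main__":
    net = Network()
    srv = Server(net, "203.0.113.10")                                   # constructed addresses
    print("honest client:", honest_connect(net, srv, "198.51.100.7"))   # True
    print("forged source:", spoofed_connect(net, srv, "198.51.100.7", "192.0.2.1"))  # False
    print("what the server saw as REMOTE_ADDR:", sorted(srv.established))
```

The model also shows where Mack's exceptions come from: a party that can read the victim's inbox (a gateway for the victim's network, or a machine on the same segment) does see the SYN-ACK, which is the case Kronin555 raises later in the thread. Blind spoofing from elsewhere on the internet gets only a guess at the sequence number.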
                              • 12. Re: #CGI.REMOTE_ADDR#  sql injection?
                                Level 7
                                apparently, on a server running linux/bsd it is pretty trivial to tinker
                                with tcp and fake remote_addr... NOT on a shared linux server, but
                                dedicated linux servers (or barebones) are a dime a dozen now, compared
                                to before...

                                (disclaimer: this is all from just browsing mailing lists'
                                archives/forums/blackhat wikis... not that i have any experience
                                myself... but seen a lot of posts with full perl/python scripts to
                                fake/spoof remote_addr on a server running linux/bsd....)

                                Azadi Saryev
                                Sabai-dee.com
                                http://www.sabai-dee.com/
                                • 13. Re: #CGI.REMOTE_ADDR#  sql injection?
                                  Level 7
                                  Azadi wrote:
                                  > apparently, on a server running linux/bsd it is pretty trivial to tinker
                                  > with tcp and fake remote_addr... NOT on a shared linux server, but
                                  > dedicated linux servers (or barebones) are a dime a dozen now, compared
                                  > to before...

                                  Do you have a link ? I'm genuinely interested in this.

                                  We might be talking about slightly different things here. You might be
                                  able to fake remote_addr when connecting to a web server on the same
                                  machine as the attacker. But if you're trying to connect to a remote web
                                  server from a server running linux/bsd you're bumping into TCP and its
                                  3-way handshake which means spoofing over (unless you're a gateway
                                  machine and you're spoofing an IP from your own network).

                                  --
                                  Mack
                                  • 14. Re: #CGI.REMOTE_ADDR#  sql injection?
                                    Level 7
                                    let me try and dig it up... one sec...


                                    Azadi Saryev
                                    Sabai-dee.com
                                    http://www.sabai-dee.com/
                                    • 15. Re: #CGI.REMOTE_ADDR#  sql injection?
                                      Level 7
                                      here's one that was still buried in my ff history... is that any good?
                                      (i can't possibly tell now, sorry... way too many mohitos... :) )

                                      Azadi Saryev
                                      Sabai-dee.com
                                      http://www.sabai-dee.com/
                                      • 16. Re: #CGI.REMOTE_ADDR#  sql injection?
                                        Level 7
                                        Azadi wrote:
                                        > here's one that was still buried in my ff history... is that any good?
                                        > (i can't possibly tell now, sorry... way too many mohitos... :) )
                                        >
                                        Must be the mohitos, you did not post a link! ;-)
                                        • 17. Re: #CGI.REMOTE_ADDR#  sql injection?
                                          Level 7
                                          eeeeeeeeeeeeeeeeehhhhhhhhhhhhhhhhhhhhhhhhhhhhh!
                                          must be them b*&%&^%ds!
                                          here it is:
                                          http://www.blackhatworld.com/blackhat-seo/black-hat-seo/34772-simple-method-fake-your-ip-address-without-proxy.html

                                          (just checked my tap and there are 8 of them already on it...
                                          thanks [cf] it's _MY_ bar!)


                                          Azadi Saryev
                                          Sabai-dee.com
                                          http://www.sabai-dee.com/
                                          • 18. Re: #CGI.REMOTE_ADDR#  sql injection?
                                            Level 7
                                            Azadi wrote:
                                            > eeeeeeeeeeeeeeeeehhhhhhhhhhhhhhhhhhhhhhhhhhhhh!
                                            > must be them b*&%&^%ds!
                                            > here it is:
                                            > http://www.blackhatworld.com/blackhat-seo/black-hat-seo/34772-simple-method-fake-your-ip-address-without-proxy.html

                                            Well, that method sends a bogus "X-Forwarded-For" header
                                            ("HTTP-X-Forwarded-For" in CF) but REMOTE_ADDR would still contain the
                                            IP address of the computer that sent the request (it's just that some
                                            application choose to trust input that should not be trusted and assume
                                            the data in X-Forwarded-For is safe).

                                            --
                                            Mack
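An added Python example, not from Mack or anyone else in the thread, of the distinction his post draws: REMOTE_ADDR is the peer the web server accepted the TCP connection from, while X-Forwarded-For (CGI.HTTP_X_FORWARDED_FOR in CF) is text any client can send. The function below believes the header only when REMOTE_ADDR is one of the application's own proxies, and even then takes the rightmost hop that is not one of those proxies. The trusted-proxy list, addresses and header strings are constructed.

```python
import ipaddress


def client_ip(remote_addr, x_forwarded_for=None, trusted_proxies=()):
    """Decide which address to log or act on.

    remote_addr is REMOTE_ADDR: the peer of the TCP connection the web server
    accepted. x_forwarded_for is the raw X-Forwarded-For header, which any
    client can type. It is consulted only when the peer is one of our own
    proxies, and then only the rightmost hop that is not one of our proxies
    counts, because everything to its left was supplied by the client.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted:
        # No proxy of ours in front: the header is just untrusted client text.
        return str(peer)
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)           # malformed hop: fall back to the peer
        if addr not in trusted:
            return str(addr)
    return str(peer)                   # header empty or lists only our proxies


if __name__ == "__main__":
    TRUSTED = ["10.0.0.2"]            # constructed: our own reverse proxy
    cases = [
        # direct client sending a forged header: header ignored
        ("203.0.113.9", "1.2.3.4", []),
        # direct client sending junk in the header, proxy list configured
        ("203.0.113.9", "' OR '1'='1", TRUSTED),
        # genuine request through our proxy, which appended the real client
        ("10.0.0.2", "198.51.100.7", TRUSTED),
        # client forged a left-hand entry; our proxy appended the real one
        ("10.0.0.2", "1.2.3.4, 198.51.100.7", TRUSTED),
        # garbage header arriving through our proxy
        ("10.0.0.2", "not an address", TRUSTED),
    ]
    for remote, xff, trusted in cases:
        print("%-14s %-24r -> %s" % (remote, xff, client_ip(remote, xff, trusted)))
```

The value this returns is the one to log or to check against an allow-list (with a bound parameter, as discussed earlier in the thread); the raw header never reaches either. The method in the linked post only ever changes the header, so with this rule it changes nothing.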
                                            • 19. Re: #CGI.REMOTE_ADDR#  sql injection?
                                              Level 7
                                              i shall investigate this when i am more sober than right now... :)
                                              if i can dig out the link i found before i shall post it the same instant...

                                              Azadi Saryev
                                              Sabai-dee.com
                                              http://www.sabai-dee.com/
                                              • 20. Re: #CGI.REMOTE_ADDR#  sql injection?
                                                Level 7
                                                >> the beer is flowing...

                                                > sorry... way too many mohitos... :) )

                                                Man. I would not want to be your head tomorrow.

                                                --
                                                Adam
                                                • 21. Re: #CGI.REMOTE_ADDR#  sql injection?
                                                  Kronin555 Level 1
                                                  Funny. One of the posts in that thread states:
                                                  "There are some CGI-exploits that can spoof $_SERVER['REMOTE_ADDR'] but only for coldfusion, and coldfusion isn't that popular [used, preferred] on the majority of the internet websites."

                                                  which is exactly what we're discussing here. Outside of doing packet-level spoofing (very non-trivial, and whoever was doing the spoofing would _have_ to be able to get the response in order to complete the handshake, which means he'd have something on at least the same subnet as the IP he was spoofing), or having a different web server front-end your coldfusion server (in which case you have bigger problems), or the hacker having access to your server (again, in which case you have bigger problems), I don't see a way to spoof CGI.REMOTE_ADDR. As has already been said, any HTTP_xxxx values are suspect and very trivial to spoof.
                                                  • 22. Re: #CGI.REMOTE_ADDR#  sql injection?
                                                    nikos101 Level 2
                                                    Wow, just sat down to read this thread, it's gonna take me a while to get my head round all this.

                                                    Thanks very much so far :)
                                                    • 23. Re: #CGI.REMOTE_ADDR#  sql injection?
                                                      BKBK Adobe Community Professional & MVP

                                                      Something else just caught my eye. Azadi, your 237, 923 posts since Jan 1 1999 makes it 60 posts per day, every day of the year, for more than 10 years!

                                                      Something just doesn't add up. This might be something for the webmaster to look at.

                                                      • 24. Re: #CGI.REMOTE_ADDR#  sql injection?
                                                        -==cfSearching==- Level 4

                                                        BKBK wrote:
                                                        > Something else just caught my eye. Azadi, your 237, 923 posts since Jan 1 1999

                                                        The old forums must have lumped all newsgroup posts under the same user account. The mighty "Newsgroup_User" is quite the prolific poster ;-)