Bogdan Tomchuk wrote:
http://fr.php.net/manual/en/reserved.variables.php#reserved.variables.server:
"The entries in this array are created by the webserver"
Indeed. The $_SERVER['REMOTE_ADDRESS'] is the exact output of the
inet_ntoa(sockaddr_in.sin_addr) of the remote end of the socket. It can
be spoofed, ofcourse, but that's out of PHP's reach and understanding.
As for me it does mean that what was written: copy of runtime array created
by server for each execution and if somebody has some way to inject any data
in $_SERVER it does mean that somebody has control on your server or there
is an error in your code.
Indeed. It's basically the equivalent of running the most secure code in
the world using a kernel the attacker emailed you.
On the other hand, if the webserver isn't compromised, the content of
sockaddr_in.sin_addr can't be anything but a legal IP-address, since the
request reached the server. Either way, you win or lose by default, so
don't bother washing it before you use it.
In the first case nothing will save you since this somebody can do, at
least, as much as you: execute any code with servers rights. Why to spend
time on injection if code could be executed directly?
In the second case speech is about the same: Why to spend time on injection
if code could be executed directly?
My question is now: is there any (known) way for a user to inject
arbitrary code
into this _SERVER global? (and thus execute this code on the server
with root permissions)
or am I not-to-unsafe to use it?
Should I perform some more checks on the $_SERVER['REMOTE_ADDR']
before using it as argument?
Thanks for the comments.
