unique_id function

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Re: unique_id function

Post by naderman » Sat Feb 02, 2008 10:35 pm

Not necessarily, you can spoof such stuff too.

Nicholas the Italian
Registered User
Posts: 659
Joined: Mon Nov 20, 2006 11:19 pm
Location: 46°8' N, 12°13' E

Re: unique_id function

Post by Nicholas the Italian » Sat Feb 02, 2008 11:03 pm

naderman wrote:Not necessarily, you can spoof such stuff too.
I must admit I find this quite surprising.
Even if I can fake someone else's IP (and this is news to me - at software level you mean?), I wouldn't receive any response packet, would I? Unless "accomplice" servers along the path reroute them towards me... but at this point I could do quite everything anyway...

naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Re: unique_id function

Post by naderman » Sat Feb 02, 2008 11:25 pm

Yeah I wasn't thinking of simple spoofing, but rather rerouting packets to yourself by getting control over the victim's network in some form. Though I didn't want to go into detail on this topic, it's just generally much safer the way unique_id works now as you can't attack it with any of these methods.

Nicholas the Italian
Registered User
Posts: 659
Joined: Mon Nov 20, 2006 11:19 pm
Location: 46°8' N, 12°13' E

Re: unique_id function

Post by Nicholas the Italian » Sun Feb 03, 2008 10:19 am

naderman wrote:rerouting packets to yourself by getting control over the victim's network in some form.
Well, at this point you can do a man-in-the-middle attack and do more or less whatever you want, whatever client-side and server-side security mechanisms you apply, unless you're running on SSL (I wonder how many forums run on https).
Just a thought, this said... well... do whatever you think is safer! :lol:

ElbertF
Registered User
Posts: 583
Joined: Fri Dec 03, 2004 4:35 pm
Location: tracing..

Re: unique_id function

Post by ElbertF » Sun Feb 03, 2008 12:58 pm

naderman wrote:simple spoofing
I have been wondering about this, is it possible to perform SQL-injection with a spoofed $_SERVER['REMOTE_ADDR'] global? I usually run it through addslashes() when I'm storing it in a DB, but is that even necessary? There's not much I can find about this on Google.

naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Re: unique_id function

Post by naderman » Sun Feb 03, 2008 1:35 pm

Well that's not supposed to be possible, but I'm pretty sure there have been bugs which allowed this to happen with certain configurations of php and certain webservers, so better safe than sorry. That said, addslashes for SQL escaping is a very bad idea, you should rather use the correct escaping function for your database.
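
An added illustration of the advice in the post above (not part of naderman's post and not phpBB code): why byte-level `addslashes()` is not a database escaping function, next to validating `REMOTE_ADDR` and storing it through a bound parameter. PDO with an in-memory SQLite database stands in for the real database, and the table name `log_ip` and the function `store_remote_addr()` are hypothetical.

```php
<?php
// Added example. Assumptions: PDO with the SQLite driver is available;
// the table log_ip and store_remote_addr() are hypothetical names.

// addslashes() works on single bytes and knows nothing about the charset
// the database connection uses. Constructed input: byte 0xBF, then a quote.
$raw = "\xbf\x27";
echo 'addslashes bytes: ', bin2hex(addslashes($raw)), "\n";
// addslashes() puts 0x5C in front of the quote. In a multi-byte charset such
// as GBK, 0xBF 0x5C is read as one two-byte character, so the database sees
// the quote that follows as unescaped. A charset-aware escaping function or
// a bound parameter does not have this problem.

function store_remote_addr(PDO $db, string $addr): bool
{
    // Accept only a literal IPv4 or IPv6 address; everything else is dropped.
    if (filter_var($addr, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // Bound parameter: the value is sent as data and never becomes SQL text.
    $stmt = $db->prepare('INSERT INTO log_ip (ip) VALUES (:ip)');
    return $stmt->execute([':ip' => $addr]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE log_ip (ip TEXT NOT NULL)');

// Constructed sample values: two well-formed addresses and one malformed one.
$samples = ['203.0.113.7', '2001:db8::1', "203.0.113.7' -- not an address"];
foreach ($samples as $candidate) {
    $ok = store_remote_addr($db, $candidate);
    printf("%-32s %s\n", $candidate, $ok ? 'stored' : 'rejected');
}

echo 'rows stored: ', $db->query('SELECT COUNT(*) FROM log_ip')->fetchColumn(), "\n";
```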

Techie-Micheal
Registered User
Posts: 566
Joined: Sun Oct 14, 2001 12:11 am

Re: unique_id function

Post by Techie-Micheal » Sun Feb 03, 2008 1:40 pm

Nicholas the Italian wrote:
naderman wrote:rerouting packets to yourself by getting control over the victim's network in some form.
Well, at this point you can do a man-in-the-middle attack and do more or less whatever you want, whatever client-side and server-side security mechanisms you apply, unless you're running on SSL (I wonder how many forums run on https).
Just a thought, this said... well... do whatever you think is safer! :lol:
MitM is still possible with SSL, just more difficult.

As for spoofing your IP address, you are correct, TCP requires a 3-way handshake, thus making it impossible to simply spoof your IP address and get results. And for REMOTE_ADDR, that's lower down the OSI model, rather than layer 7, so you can't really spoof that either. I don't know about PHP versions that are vulnerable as I think REMOTE_ADDR is grabbed down the stack, but with PHP, who knows. :D

ElbertF
Registered User
Posts: 583
Joined: Fri Dec 03, 2004 4:35 pm
Location: tracing..

Re: unique_id function

Post by ElbertF » Sun Feb 03, 2008 4:25 pm

naderman wrote:[..] That said, addslashes for SQL escaping is a very bad idea, you should rather use the correct escaping function for your database.
I heard this before, does that also apply when I'm only using MySQL? Why is it such a bad idea? And should one apply stripslashes() first with magic_quotes_gpc on?

code reader
Registered User
Posts: 653
Joined: Wed Sep 21, 2005 3:01 pm

Re: unique_id function

Post by code reader » Sun Feb 03, 2008 9:56 pm

Kellanved wrote:It's still just the time that goes in the function. An attacker using the same seed will get the same result.
i don't know how an attacker can fake microtime(), but if we get that paranoid, how about adding some other values which change (though not strictly "random", still, in a difficult-to-duplicate way), such as disk_free_space() and memory_get_usage()?
going to the db just to obtain random seed seems both excessive and wrong (assuming, from the discussion itself, that that is what you are doing. contrary to my nick, i didn't actually read the code... :( )

Nicholas the Italian
Registered User
Posts: 659
Joined: Mon Nov 20, 2006 11:19 pm
Location: 46°8' N, 12°13' E

Re: unique_id function

Post by Nicholas the Italian » Sun Feb 03, 2008 10:14 pm

Techie-Micheal wrote:As for spoofing your IP address, you are correct, TCP requires a 3-way handshake, thus making it impossible to simply spoof your IP address and get results.
Well, you could spoof a TCP packet and make it look like a UDP packet. :P (Webservers listen for UDP packets on :80, don't they?)
Still, whatever result you might be able to obtain, it'll never get back to you (unless... see above).
Techie-Micheal wrote:And for REMOTE_ADDR, that's lower down the OSI model, rather than layer 7, so you can't really spoof that either.
Yes, IP protocol is level 3 (network), so I suppose it's handled by the OS. But again I suppose you can crack OS's and rewrite IP-handling routines... ;)
