unique_id function
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
- Nicholas the Italian
- Registered User
- Posts: 659
- Joined: Mon Nov 20, 2006 11:19 pm
- Location: 46°8' N, 12°13' E
Re: unique_id function
naderman wrote: Not necessarily, you can spoof such stuff too.
I must admit I find this quite surprising.
Even if I can fake someone else's IP (and this is news to me - at software level you mean?), I wouldn't receive any response packet, would I? Unless "accomplice" servers along the path deroute them towards me... but at this point I could do quite everything anyway...
Re: unique_id function
Yeah I wasn't thinking of simple spoofing, but rather rerouting packets to yourself by getting control over the victim's network in some form. Though I didn't want to go into detail on this topic, it's just generally much safer the way unique_id works now as you can't attack it with any of these methods.
- Nicholas the Italian
- Registered User
- Posts: 659
- Joined: Mon Nov 20, 2006 11:19 pm
- Location: 46°8' N, 12°13' E
Re: unique_id function
naderman wrote: rerouting packets to yourself by getting control over the victim's network in some form.
Well, at this point you can do a man-in-the-middle attack and do more or less whatever you want, whatever client-side and server-side security mechanisms you apply, unless you're running on SSL (I wonder how many forums run on https).
Just a thought, this said... well... do whatever you think it's safer!
Re: unique_id function
naderman wrote: simple spoofing
I have been wondering about this, is it possible to perform SQL-injection with a spoofed $_SERVER['REMOTE_ADDR'] global? I usually run it through addslashes() when I'm storing it in a DB, but is that even necessary? There's not much I can find about this on Google.
Re: unique_id function
Well that's not supposed to be possible, but I'm pretty sure there have been bugs which allowed this to happen with certain configurations of php and certain webservers, so better safe than sorry. That said, addslashes for SQL escaping is a very bad idea, you should rather use the correct escaping function for your database.
- Techie-Micheal
- Registered User
- Posts: 566
- Joined: Sun Oct 14, 2001 12:11 am
Re: unique_id function
naderman wrote: rerouting packets to yourself by getting control over the victim's network in some form.
Nicholas the Italian wrote: Well, at this point you can do a man-in-the-middle attack and do more or less whatever you want, whatever client-side and server-side security mechanisms you apply, unless you're running on SSL (I wonder how many forums run on https). Just a thought, this said... well... do whatever you think it's safer!
MitM is still possible with SSL, just more difficult.
As for spoofing your IP address, you are correct, TCP requires a 3-way handshake, thus making it impossible to simply spoof your IP address and get results. And for REMOTE_ADDR, that's lower down the OSI model, rather than layer 7, so you can't really spoof that either. I don't know about PHP versions that are vulnerable as I think REMOTE_ADDR is grabbed down the stack, but with PHP, who knows.
Re: unique_id function
naderman wrote: [..] That said, addslashes for SQL escaping is a very bad idea, you should rather use the correct escaping function for your database.
I heard this before, does that also apply when I'm only using MySQL? Why is it such a bad idea? And should one apply stripslashes() first with magic_quotes_gpc on?
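The following is an added example, not part of the thread and not phpBB code. It illustrates the advice quoted above about using the database's own escaping: the address is validated as an IP literal and then bound as a query parameter, and addslashes() output is printed next to the driver's quoting for comparison. The table name, the function name and the sample inputs are constructed, and it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added example (not phpBB code). Assumes the pdo_sqlite extension.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (ip TEXT NOT NULL, seen_at INTEGER NOT NULL)');

/**
 * Store a client address (hypothetical helper).
 * Returns false when the value is not a valid IPv4/IPv6 literal.
 */
function record_visit(PDO $db, string $remoteAddr): bool
{
    // 1. Validate: a genuine REMOTE_ADDR is always an IP literal, so
    //    anything else is rejected before it gets near the database.
    if (filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // 2. Bind as a parameter: the value travels separately from the SQL
    //    text, so no escaping function is involved at all.
    $stmt = $db->prepare('INSERT INTO visits (ip, seen_at) VALUES (:ip, :ts)');
    return $stmt->execute([':ip' => $remoteAddr, ':ts' => time()]);
}

// Constructed sample values, standing in for $_SERVER['REMOTE_ADDR'].
$samples = ['203.0.113.7', '2001:db8::1', "203.0.113.7' OR '1'='1"];
foreach ($samples as $sample) {
    printf("%-26s %s\n", $sample, record_visit($db, $sample) ? 'stored' : 'rejected');
}

// addslashes() only prefixes quotes, backslashes and NUL with a backslash.
// It knows nothing about the target database's quoting rules or the
// connection character set; the driver's own quoting does.
$value = "O'Brien";
echo 'addslashes(): ', addslashes($value), "\n";
echo 'PDO::quote(): ', $db->quote($value), "\n";

echo 'rows stored: ', $db->query('SELECT COUNT(*) FROM visits')->fetchColumn(), "\n";
```

The two printed forms differ because SQLite, like standard SQL, escapes a quote by doubling it rather than with a backslash, which is why the escaping has to come from the database layer in use.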
-
- Registered User
- Posts: 653
- Joined: Wed Sep 21, 2005 3:01 pm
Re: unique_id function
Kellanved wrote: It's still just the time that goes in the function. An attacker using the same seed will get the same result.
I don't know how an attacker can fake microtime(), but if we get that paranoid, how about adding some other values which change (though not strictly "random", still, in a difficult-to-duplicate way), such as disk_free_space() and memory_get_usage()?
Going to the db just to obtain a random seed seems both excessive and wrong (assuming, from the discussion itself, that that is what you are doing. Contrary to my nick, I didn't actually read the code...)
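The following is an added example, not part of the thread and not phpBB's unique_id() code. It illustrates the quoted point that the same seed gives the same result, and contrasts a clock-seeded identifier with one drawn from the operating system's CSPRNG. All function names and the seed value are hypothetical, and it assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example (not phpBB's unique_id()). All names are hypothetical.
declare(strict_types=1);

/** Identifier whose only input is a clock-derived seed. */
function time_seeded_id(int $seed): string
{
    mt_srand($seed);                  // PRNG state is fully determined by the seed
    return md5($seed . mt_rand());    // hashing hides the seed but adds no entropy
}

/** Identifier drawn from the OS CSPRNG: there is no seed to reproduce. */
function csprng_id(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

/** Upper bound, in bits, on a value chosen from $candidates possibilities. */
function entropy_bits(float $candidates): float
{
    return log($candidates, 2);
}

$seed = 123456; // constructed value standing in for the microsecond part of microtime()

// Same seed in, same identifier out, on any machine running the same code.
echo 'time-seeded ids equal: ';
var_dump(time_seeded_id($seed) === time_seeded_id($seed));

// Two CSPRNG draws have nothing in common that could be replayed.
echo 'csprng ids equal:      ';
var_dump(csprng_id() === csprng_id());

// If the second is known and only the microseconds are not, at most
// 1,000,000 seeds are possible, however long the md5 output looks.
printf("clock-seeded, second known: at most %.1f bits\n", entropy_bits(1e6));
printf("16 bytes from random_bytes(): %d bits\n", 16 * 8);
```

Mixing in further values raises the bound only by as much as an observer cannot estimate them, whereas the CSPRNG variant needs no seed material from the application at all.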
- Nicholas the Italian
- Registered User
- Posts: 659
- Joined: Mon Nov 20, 2006 11:19 pm
- Location: 46°8' N, 12°13' E
Re: unique_id function
Techie-Micheal wrote: As for spoofing your IP address, you are correct, TCP requires a 3-way handshake, thus making it impossible to simply spoof your IP address and get results.
Well, you could spoof a TCP packet and make it look like a UDP packet. (Webservers listen for UDP packets on :80, don't they?)
Still, whatever result you might be able to obtain, it'll never get back to you (unless... see above).
Quote: And for REMOTE_ADDR, that's lower down the OSI model, rather than layer 7, so you can't really spoof that either.
Yes, IP protocol is level 3 (network), so I suppose it's handled by the OS. But again I suppose you can crack OS's and rewrite IP-handling routines...