OK, we all know the REMOTE_ADDR variable, the IP of the client computer.
Is there any way at all this can lie? Client-end routers/firewalls excepted, is there any way an attacker can fake his reported IP?
IanKelley
2:41 am on Dec 23, 2008 (gmt 0)
Not without internal access at the ISP, or a major hub in between... Not easy. Considering how simple it is to just use a proxy, the chances of seeing a spoofed IP are basically zero.
janharders
8:27 am on Dec 23, 2008 (gmt 0)
Yeah, unless you count a proxy as "faked", it's pretty safe to be real. Although, I'm really not into this technical stuff, but I always thought that most CGI scripts are kind of vulnerable in that way because of HTTP's statelessness, i.e. you could spoof a request from a certain IP and have a script executed. You wouldn't get the output, of course, but the script would run and get the spoofed IP as the client. As I said, I don't really know if that's true, I just got the impression from reading a little into the whole thing - anyone care to clear that up?