WordPress – Comments and X_Forwarded_FOR

This is a patch to comment.php for a WordPress installation. Basically, if the X_FORWARDED_FOR header is set then the comment is attributed to that IP instead of the IP address of the remote connection. For those that run WordPress behind a reverse proxy, like Squid, Apache, etc., this is helpful. Of course this header can be spoofed, and thus the only way to really know from which IP the connection came is to check the logs on the proxy server.
Now I guess I could get a little more accurate by having the proxy server insert a custom header and then using the value of that header. Of course that too could be spoofed, etc. At the end of the day, having the real IP of the device submitting the comment is not all that important anyway. Though I like having the value of this header more than I like always having the IP of my proxy server.

+++ comment.php Wed Nov 19 01:13:46 2008
@@ -715,7 +715,22 @@
        $commentdata['comment_post_ID'] = (int) $commentdata['comment_post_ID'];
        $commentdata['user_ID']         = (int) $commentdata['user_ID'];

+/* Original line to get comment users IP
        $commentdata['comment_author_IP'] = preg_replace( '/[^0-9a-fA-F:., ]/', '',$_SERVER['REMOTE_ADDR'] );
+*/
+
+       if ($_SERVER['HTTP_X_FORWARDED_FOR'] != "" ) {
+            $ipAddress = $_SERVER["HTTP_X_FORWARDED_FOR"];
+                if (strpos($ipAddress, ',') !== false) {
+                    $ipAddress = explode(',', $ipAddress);
+                    $ipAddress = $ipAddress[0];
+                }
+
+        } else {
+            $ipAddress = $_SERVER['REMOTE_ADDR'];
+        }
+       $commentdata['comment_author_IP'] = $ipAddress;
+
        $commentdata['comment_agent']     = $_SERVER['HTTP_USER_AGENT'];

        $commentdata['comment_date']     = current_time('mysql');
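Review bot: `$_SERVER['HTTP_X_FORWARDED_FOR'] != ""` raises an undefined-index notice on every request that arrives without the header, which is every request that does not come through the proxy; guard it with `!empty($_SERVER['HTTP_X_FORWARDED_FOR'])` instead. The new code also drops the `preg_replace( '/[^0-9a-fA-F:., ]/', '', ...)` whitelist that the commented-out original applied to `REMOTE_ADDR`, so a header value chosen by the client is now written to `comment_author_IP` unfiltered; apply the same `preg_replace` to `$ipAddress` before the assignment, and only consult the header when `$_SERVER['REMOTE_ADDR']` is the proxy's own address, since the post itself notes that anyone connecting directly can set it. Minor: the inserted `if` uses spaces at several different depths while the surrounding lines are tab-indented.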

WordPress – X-Forwarded-For header

For those that have not figured it out, WordPress is the content management system for this site. I am using a plugin called StatPress. A “visitor” in the lingo of StatPress is not cookie based (which one could argue it should be, since so many places use web proxies for their clients, myself included) but is based on the client’s IP address. In my network the web server(s) are front-ended by a proxy server (so yeah, I use proxies for my clients and my servers). I checked out WordPress ticket 4602 but apparently this has not made it into the code base yet. I am an outsider with respect to WordPress development and plugin writing, but I think the plugins should be asking the core for things like client IP, etc. This means one place to maintain and sanitize this information.

Anyway, the code below is what I cobbled together into the statpress.php file so that the “real” IP address of the client is seen by StatPress and thus my statistics are slightly more accurate. :)

--- statpress.php       Wed Nov 12 04:30:35 2008
+++ statpress.php.new   Wed Nov 12 04:41:29 2008
@@ -1131,7 +1131,23 @@
        $vtime  = gmdate("H:i:s",$timestamp);

        // IP
-    $ipAddress = $_SERVER['REMOTE_ADDR'];
+
+        if ($_SERVER['HTTP_X_FORWARDED_FOR'] != "" ) {
+            $ipAddress = $_SERVER["HTTP_X_FORWARDED_FOR"];
+                if (strpos($ipAddress, ',') !== false) {
+                    $ipAddress = explode(',', $ipAddress);
+                    $ipAddress = $ipAddress[0];
+                }
+
+        } else {
+            $ipAddress = $_SERVER['REMOTE_ADDR'];
+        }
+
+
+
+
+
+
     if(iriCheckBanIP($ipAddress) == '') { return ''; }

        // URL (requested)
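Review bot: this is the same block pasted into comment.php and again in the `%ip%` hunk below; put it in one helper function so the header handling and sanitization live in a single place, which is exactly what the post argues the core should do. As in comment.php, `$_SERVER['HTTP_X_FORWARDED_FOR'] != ""` needs an `isset`/`!empty` guard, and the six empty `+` lines before `iriCheckBanIP` should go. Note that `iriCheckBanIP($ipAddress)` is now evaluated against a client-supplied value; the ban list only keeps meaning if the proxy overwrites any X-Forwarded-For it receives rather than appending to it, or if the code only honours the header when `REMOTE_ADDR` is the proxy.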
@@ -1320,8 +1336,20 @@
                $body = str_replace("%browser%", $browser, $body);
        }
        if(strpos(strtolower($body),"%ip%") !== FALSE) {
-           $ipAddress = $_SERVER['REMOTE_ADDR'];
-               $body = str_replace("%ip%", $ipAddress, $body);
+
+        if ($_SERVER['HTTP_X_FORWARDED_FOR'] != "" ) {
+            $ipAddress = $_SERVER["HTTP_X_FORWARDED_FOR"];
+                if (strpos($ipAddress, ',') !== false) {
+                    $ipAddress = explode(',', $ipAddress);
+                    $ipAddress = $ipAddress[0];
+                }
+
+        } else {
+            $ipAddress = $_SERVER['REMOTE_ADDR'];
+        }
+
+
+       $body = str_replace("%ip%", $ipAddress, $body);
        }
        if(strpos(strtolower($body),"%visitorsonline%") !== FALSE) {
                $to_time = current_time('timestamp');
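Review bot: third copy of the same block; a one-line call to a shared helper would replace all of it. The re-added `$body = str_replace("%ip%", $ipAddress, $body);` is now indented differently from the removed line and from the `}` that follows it, and the trailing empty `+` lines add noise to the diff.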
If you find this helpful, please leave me a comment. If anyone understands Italian and wants to send this over to the author of the plugin, please do and let me know. I also need to now go hack the comments code so it does the same thing. Of course then I also need to package up both of these modifications so I can incorporate them in my future WordPress installs.
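The IP-extraction block that both patches on this page paste in (comment.php and statpress.php) takes the leftmost X-Forwarded-For entry, which is whatever the client chose to send. As an added example, not code from either patch or from WordPress or StatPress, here is one helper both call sites could share: it consults the header only when the direct peer is one of the site's own proxies (the proxy address list is an assumption), walks the chain from the right, and keeps the character whitelist comment.php originally applied.

```php
<?php
// Added example, not from the page's patches: pick the client IP for comment
// attribution and StatPress only when the direct peer is one of our proxies.

// Assumed addresses of the site's own reverse proxies (constructed values).
const TRUSTED_PROXIES = ['10.0.0.5', '192.168.1.10'];

function client_ip_behind_proxy(array $server, array $trustedProxies = TRUSTED_PROXIES)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    // A direct connection can carry any X-Forwarded-For it likes: ignore it.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $forwarded = isset($server['HTTP_X_FORWARDED_FOR']) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    if ($forwarded === '') {
        return $remote;
    }

    // Each proxy appends the peer it saw, so walk from the right: the first
    // hop that is not one of our proxies is the address our proxy connected
    // from. The leftmost entry (used by the patches above) is client-chosen.
    $hops = array_map('trim', explode(',', $forwarded));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue;
        }
        // Same whitelist comment.php applied to REMOTE_ADDR, then a real
        // validity check so a malformed value never reaches the database.
        $candidate = preg_replace('/[^0-9a-fA-F:., ]/', '', $hops[$i]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
        // Malformed hop: fall back to the proxy address rather than storing it.
        return $remote;
    }
    return $remote;
}

// Constructed requests for illustration (not real traffic).
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',
             'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 192.168.1.10'];
$direct   = ['REMOTE_ADDR' => '198.51.100.9',
             'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
echo client_ip_behind_proxy($viaProxy), "\n"; // proxied request: header used
echo client_ip_behind_proxy($direct), "\n";   // direct request: header ignored
```

In comment.php the result would still be assigned to `$commentdata['comment_author_IP']`, and in statpress.php it would feed `iriCheckBanIP()` and the `%ip%` substitution.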

Bar stool Economics

Suppose that every day, ten men go out for beer and the bill for all ten comes to $100. If they paid their bill the way we pay our taxes, it would go something like this:

The first four men (the poorest) would pay nothing.

The fifth would pay $1.

The sixth would pay $3.

The seventh would pay $7.

The eighth would pay $12.

The ninth would pay $18.

The tenth man (the richest) would pay $59.

So, that’s what they decided to do. The ten men drank in the bar every day and seemed quite happy with the arrangement, until one day, the owner threw them a curve. ‘Since you are all such good customers,’ he said, ‘I’m going to reduce the cost of your daily beer by $20. Drinks for the ten now cost just $80.’

The group still wanted to pay their bill the way we pay our taxes, so the first four men were unaffected. They would still drink for free. But what about the other six men – the paying customers? How could they divide the $20 windfall so that everyone would get his ‘fair share?’ They realized that $20 divided by six is $3.33. But if they subtracted that from everybody’s share, then the fifth man and the sixth man would each end up being paid to drink his beer. So, the bar owner suggested that it would be fair to reduce each man’s bill by roughly the same amount, and he proceeded to work out the amounts each should pay. And so:

The fifth man, like the first four, now paid nothing (100% savings).

The sixth now paid $2 instead of $3 (33% savings).

The seventh now paid $5 instead of $7 (28% savings).

The eighth now paid $9 instead of $12 (25% savings).

The ninth now paid $14 instead of $18 (22% savings).

The tenth now paid $49 instead of $59 (16% savings).

Each of the six was better off than before. And the first four continued to drink for free. But once outside the restaurant the men began to compare their savings.

‘I only got a dollar out of the $20,’ declared the sixth man. He pointed to the tenth man, ‘but he got $10!’

‘Yeah, that’s right,’ exclaimed the fifth man. ‘I only saved a dollar, too. It’s unfair that he got ten times more than I!’

‘That’s true!!’ shouted the seventh man. ‘Why should he get $10 back when I got only two? The wealthy get all the breaks!’

‘Wait a minute,’ yelled the first four men in unison. ‘We didn’t get anything at all. The system exploits the poor!’

The nine men surrounded the tenth and beat him up.

The next night the tenth man didn’t show up for drinks, so the nine sat down and had beers without him. But when it came time to pay the bill, they discovered something important. They didn’t have enough money between all of them for even half of the bill!

And that, boys and girls, journalists and college professors, is how our tax system works. The people who pay the highest taxes get the most benefit from a tax reduction. Tax them too much, attack them for being wealthy, and they just may not show up anymore. In fact, they might start drinking overseas where the atmosphere is somewhat friendlier.


—————————

Now imagine Obama wins, no one will have enough money to pay the bill. Politics is an unusual topic for me to comment on, but I think this really illustrates the point nicely.

Oh great, now the IRS is making my information available (and YOURS too)

IRS deploys applications knowing they have security issues

Oh great, the IRS knew about the issues yet still deployed the applications. Those in charge and who approved this should be fired, IMNSHO.

Putting applications on the network with known vulnerabilities is not a wise decision, regardless of the data contained within. Given the nature of the data held by the IRS, everything should be triple checked and any issues fixed immediately. The risk is huge given the data.

If the data to be protected was email, not having encryption over the wire within the data center might be an acceptable risk.  However given the nature of the data we are talking about here, the data should be encrypted 100% of the time.

"New" TCP DDoS

I like what Fyodor has to say about this: http://insecure.org/stf/tcp-dos-attack-explained.html

I like this quote:

How do you know this is the same bug Robert and Jack found?

I don’t, since they have refused to release full details. But this sounds like the same fundamental bug. Robert and Jack are smart fellows, so, again, I’m sure that they’ve found ways to extend and improve the attack in certain situations. But the simple approach described above is quite effective on its own. You don’t even need to use more specific and esoteric attacks when the basics are so effective.

Especially the last sentence: not rocket science, but it follows the KISS principle.