Re: clitimeout and srvtimeout for POP & SMTP question

From: Willy Tarreau <w#1wt.eu>
Date: Tue, 11 Dec 2007 07:15:21 +0100


[Rob, just resending because it did not get to the list]

On Mon, Dec 10, 2007 at 05:59:22PM -0500, Rob Morin wrote:
> Thanks for the info... I am using version 1.13
>
> On another interesting note..... I have one client who uses a "Top
> Sites" script from here http://www.aardvarktopsitesphp.com/forums/index.php
>
> that's the forum's URL, in case you wanted to search anything.... :)
>
> Only after almost a week I realized what's going on... this script works
> with IP addresses and only allows you to vote once per day per IP...

Huh??? This is a prehistoric script then! Every web site designer *KNOWS* that an IP address has nothing to do with a client today! Many people can be behind one IP because of proxies, and a single client may use multiple IPs due to proxy farms.

As a general rule of thumb, when you encounter such broken heuristics used in scripts, you should get away from them, because if the author doesn't understand that, chances are that the script's security is awfully broken too. Common issues with such low-quality code include directory traversal, SQL injection, command execution by passing pipes instead of file names, and authentication bypass.

> but
> when I finally looked into the database of IPs it keeps, it only shows
> the haproxy IP and not the real IP. I guess this is a PHP thing??? But
> would PHP get its source IP address differently than Apache would? Or
> does the X-Forward option only work for Apache logs and not another app
> using port 80?

No, it should be trivial for everyone to get the X-Forwarded-For header in every request. Probably the script was simply never designed with that in mind?

> Thanks for all your support over the last few weeks, it's been very helpful!

You're welcome :-)

Regards,
Willy

Received on 2007/12/11 07:15
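The point Willy makes about X-Forwarded-For deserves a concrete illustration of the one caveat that bites applications doing per-IP rate limiting or vote limiting behind haproxy: the header is plain text that any client can send, so an application must honour it only when the TCP peer is the proxy itself, and must read the hop the proxy appended rather than whatever the client put in front of it. The following is an added example, not code from the thread, the Top Sites script or the haproxy project. It is written in Python rather than PHP for brevity, but the two inputs map directly onto PHP's `$_SERVER['REMOTE_ADDR']` and `$_SERVER['HTTP_X_FORWARDED_FOR']`, and the header itself is what haproxy's `option forwardfor` adds. The proxy address 10.0.0.5 and the sample header values are constructed for the example.

```python
import ipaddress

# Constructed for this example: the address haproxy connects from, as the web
# server sees it in REMOTE_ADDR. Only this peer is allowed to vouch for the
# real client address via X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def parse_xff(header):
    """Split an X-Forwarded-For value into a left-to-right list of addresses.

    Entries that are not valid IP literals become None, so the caller can stop
    at them instead of silently treating garbage as a client address.
    """
    hops = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            hops.append(ipaddress.ip_address(part))
        except ValueError:
            hops.append(None)
    return hops


def client_ip(remote_addr, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Return the address an application should treat as the client's.

    remote_addr  - the TCP peer (PHP: $_SERVER['REMOTE_ADDR'])
    xff_header   - the X-Forwarded-For value, or None if absent
                   (PHP: $_SERVER['HTTP_X_FORWARDED_FOR'])

    The header is ignored unless the peer is a trusted proxy. When it is, the
    list is walked from the right: the rightmost entry is the one our own proxy
    appended, trusted hops are skipped, and the first untrusted address found
    is the client. Anything further left was supplied by the client (or by a
    proxy we do not control) and is never believed.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies or not xff_header:
        # Direct connection, or no header: the TCP peer is the client.
        return peer
    for hop in reversed(parse_xff(xff_header)):
        if hop is None:
            # Unparseable entry where a proxy-written address was expected:
            # fall back to the peer rather than guess.
            return peer
        if hop in trusted_proxies:
            continue
        return hop
    # Every entry was one of our own proxies; nothing better than the peer.
    return peer


if __name__ == "__main__":
    # Constructed requests: (REMOTE_ADDR, X-Forwarded-For)
    samples = [
        ("10.0.0.5", "203.0.113.7"),                   # normal haproxy case
        ("10.0.0.5", "198.51.100.9, 203.0.113.7"),     # client-supplied prefix
        ("203.0.113.7", "198.51.100.9"),               # direct hit, header ignored
        ("10.0.0.5", None),                            # proxy without header
    ]
    for remote, xff in samples:
        print(f"{remote:<12} {str(xff):<30} -> {client_ip(remote, xff)}")
```

A vote-once-per-IP check keyed on the value returned here at least cannot be satisfied by putting a fresh address in the header on every request; the same function in PHP is a handful of lines, and the important part is the `peer not in trusted_proxies` test, not the parsing.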
