I've looked around for an answer to this question, but the answers are always situational - so here's mine:
If a hacker is on a limited, local network, can they fake the IP in $_SERVER[‘REMOTE_ADDR’]? (and out of curiosity - how?)
I understand that when it comes to the internet, any variable such as this can be wrangled into whatever you want. But in a local, wired network that may not even be connected to the internet at all, can they fake this address? I'm assuming that Mr.MissionImpossible is crawling along the ceiling with a notebook and Ethernet cable into one of the switches. The response in this scenario won't matter - but running the PHP script should only be limited from certain location(s).
Thanks in advance!
I don't know for definite if this can be faked in general, I would guess it probably can if you know what you're doing. But an intranet is a TCP/IP network with, in the case of a website, a HTTP layer over the top. The environment is essentially the same.
So if it can be done on the public internet, it can be done on your internal network too.
Related
My (Windows) computer is connected with OpenVPN to my VPN provider. That means that everything goes through it, alternatively using its proxies as well for a little bit of variation.
In many situations, I don't want it to go through the VPN (or any proxy) when making a request. For example, when I use PHP to log in to my bank. Or when all proxies/VPNs are blocked from downloading a file, or loading a webpage, etc., which happens frequently. But then I'm stuck, because to the best of my knowledge, there is no way to tell PHP to "bypass the VPN and use my home IP address directly".
I would like something like:
php_bypass_VPN();
/* make cURL requests here */
php_restore_VPN();
Is it possible at all? If not, why is this not a major problem for anyone else? Or is it? It has caused countless issues for me, and not just in PHP context. For example, I would want the buffering local Internet radio station to go through my normal IP address as well, but no software I've ever seen provides any means to "bypass VPN".
If the solution involves hacking the OS and/or installing a bunch of spyware, I'll not be happy. Please tell me there is some simple way to do this, such as:
shell_exec('somebinary bypassvpntemporarily');
That would be swell, although a cross-platform solution would be vastly preferred.
Most VPNs work in a way that they install a new network interface driver on your PC and make sure all traffic goes through it so it can encrypt it on the way out.
I guess you could try to go through a specific interface but I'm not sure that will overcome the VPN (heres how to get a specific interface how to bind raw socket to specific interface).
Other than that you could create your own driver...
We have develop a CURL function on our application. This curl function is mainly to map the data over from 1 site to our form-field in our application.
However, this function has been working fine all the while and ready for use for more than 2 months. Yesterday, this fucntion was broken down. the data from this website is no longer able to map over. We are trying to find out why the problem is. When we troubleshooting, it shows that there is response timeout issue.
To re-ensure there were nothing wrong on our coding and our server performance is working, we have duplicates this instance to another server and try out the function. It was working perfectly.
Wondering if any one out there facing such problem?
What could the possibility to cause this issue?
When we are using cURL, will the site owner know that we are calling their data to map into ours server application? If so, is there a way that we can overcome this?
Could be the owner that block our server ip address? tht's why it function works well on my another server but not in the original server?
Appreciate your help on this.
Thank you,
Your problem description is far too generic to determine a specific cause. Most likely however there is a specific block in place.
For example a firewall rule on the other end, or on your end, would cause all traffic to be dropped, thus causing the timeout. There could also be a regular network outage between both servers, but that's unlikely.
Yes, they will see it in their Apache (or IIS) logs regularly. No, you cannot hide from the server logs - it logs all successful requests. You either get the data, or you stay stealthy. Not both.
Yes, the webserver logs will contain the IP doing all the requests. Adding a DROP rule to the firewall is then a trivial task.
I have applied such a firewall rule to bandwidth and/or data leechers a lot of times in the past few years, although usually I prefer the more resilient deny from 1.2.3.4 approach in Apache vhost/htaccess. Usually, if you use someone else's facilities, it's nice to ask for proper permission - lessens the chance you get blocked this way.
I faced a similar problem some time ago
My server IP was blocked from the website owner
It can be seen in the server logs. Google Analytics, however, won't see this, as cURL doesn't execute javascript.
Try to ping the destination server from the one executing the cURL.
Some advices are:
Use a browser header to mask your request.
If you insist on using this server, you can run trough a proxy.
Put some sleep() between the requests.
I was wondering about creating something that would compare to the titles implications.
There are so many websites that compare prices on goods and how they go about it is quite simple.
Please a file on the clients server, target it with your own server at any specific point in time.
So, within that file any code that is executable would only execute on authorisation.
What I commonly see is:
$required_ip = gethostbyname('admin.mydomain.com');
if ($_SERVER['REMOTE_ADDR'] != $required_ip) {
die('This file is not accessible.');
}
// Do some stuff like turn the remote product data into xml format and export to your local server
What I would like to find out is firstly, how secure is this method? I am quite sure there are a few ways to get around this and if anyone could suggest a way to bypass this situation then that would be great!
My goal however, is to reverse this process. So that once authenticated, data can be pushed to the remote server. It is one thing to extract but another to input so I am worried that this type of functionality could create serious security issues. What I would like to do, is find out how I could possibly work around that to make what could be a safe "datapusher".
Any advice, feedback or input would be greatly appreciated; thanks in advance!
(Paraphrasing your questions:)
How secure is it to do a DNS lookup and use that to authenticate a client.
Reasonably secure, though by no means perfect. The first problem is that the IP it resolves to may encompass quite a number of different machines, if it's pointing towards a NATed network. An attacker could pose as the correct remote IP if they're able to send their requests from somewhere within that network; or simply by tunnelling requests through it in one way or another. Essentially, the security lies in the hands of the owner of that domain/IP address, and there are numerous ways to screw it up.
In reverse, an attacker may be able to poison the DNS resolver that's used to resolve that IP address, allowing the attacker to point it to any IP address he pleases.
Both of these kinds of attacks are not infeasible, though not trivial either. If you're sending information which isn't terribly confidential, it's probably a "good enough" solution. For really sensitive data it's a no go.
How to ensure the identity of a remote server I'm pushing data to?
With your push idea, all your server really needs to do is to send some HTTP request to some remote server. There isn't even really any need for anyone to authenticate themselves. Your server is voluntarily pushing data to another system, that system merely needs to receive it; there's no real case of requiring an authentication.
However, you do want to make sure that you're sending the data to the right remote system, not to someone else. You also want to make sure the communication is secured. For that, use SSL. The remote system needs to have a signed SSL certificate which verifies its identity, and which is used to encrypt the traffic.
My application requires that only one(first) among multiple browsers running on one PC is able to access a certain web page and the requests from other browsers is blocked/not serviced ? Is there anyway to do this using php ? Is there a way to do it even if I don't restrict myself to php ? I have looked into sessions and cookies but there doesn't seem to be a method to share cookies between browsers(sharing sessions is entirely out of question, I understand). Since private IPs are not known to the server, I can't develop a method to use those either, I'm stuck, any help will be appreciated.
PS: I'm an intern at a firm, and I wasn't told the exact scenario this feature is required for, but this is what is needed to be done. I suggested using client authorization(login id, password) for it, but that suggestion was rejected, I'm stuck !
EDIT: I only create a session if a client with the same IP (flags for ip stored in a DB) is not surfing the page., otherwise if same ip is already in session, they are thrown out... It isn't really an exercise, they want a working solution !. I get the IP by $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR'] - It blocks the global IPs which I don't really want.
EDIT 2 : How about using a java applet or flash cookies(in a roundabout way somehow) to do this ?
That can't be done, at least not in a fool proof way. The different browsers could be using different proxies, so filtering by IP won't be enough even if you could do it. Ask why this needs to be done, and then when you know what actually is required, look for a way to do it.
Considering this is an exercise, It seems you're indeed asked to do the impossible. However, Assuming they want the general solution that will work in most cases, Take a look at $_SERVER['REMOTE_ADDR'] - This will return the client's IP or his proxy server, In case of a proxy server, you can also use $_SERVER['HTTP_X_FORWARDED_FOR'] to get the client IP.
word of caution : $_SERVER['HTTP_X_FORWARDED_FOR'] - can be spoofed, so it's not to be trusted, However 99% of the users have no idea what's a proxy or how to fake this setting.
It's not a 100% fool-proof solution, But for that you'll really want a login mechanism, There's no other solution that comes to mind.
Is it possible to implement a p2p using just PHP? Without Flash or Java and obviously without installing some sort of agent/client on one's computer.
so even though it might not be "true" p2p, but it'd use server to establish connection of some sort, but rest of communication must be done using p2p
i apologize for little miscommunication, by "php" i meant not a php binary, but a php script that hosted on web server remote from both peers, so each peer have nothing but a browser.
without installing some sort of
agent/client on one's computer
Each computer would have to have the PHP binaries installed.
EDIT
I see in a different post you mentioned browser based. Security restrictions in javascript would prohibit this type of interaction
No.
You could write a P2P client / server in PHP — but it would have to be installed on the participating computers.
You can't have PHP running on a webserver cause two other computers to communicate with each other without having P2P software installed.
You can't even use JavaScript to help — the same origin policy would prevent it.
JavaScript running a browser could use a PHP based server as a middleman so that two clients could communicate — but you aren't going to achieve P2P.
Since 2009 (when this answer was originally written), the WebRTC protocol was written and achieved widespread support among browsers.
This allows you to perform peer-to-peer between web browsers but you need to write the code in JavaScript (WebAssembly might also be an option and one that would let you write PHP.)
You also need a bunch of non-peer server code to support WebRTC (e.g. for allow peer discovery and proxy data around firewalls) which you could write in PHP.
It is non-theoretical because server side application(PHP) does not have peer's system access which is required to define ports, IP addresses, etc in order to establish a socket connection.
ADDITION:
But if you were to go with PHP in each peer's web servers, that may give you what you're looking for.
Doesn't peer-to-peer communication imply that communication is going directly from one client to another, without any servers in the middle? Since PHP is a server-based software, I don't think any program you write on it can be considered true p2p.
However, if you want to enable client to client communications with a php server as the middle man, that's definitely possible.
Depends on if you want the browser to be sending data to this PHP application.
I've made IRC bots entirely in PHP though, which showed their status and output in my web browser in a fashion much like mIRC. I just set the timeout limit to infinite and connected to the IRC server using sockets. You could connect to anything though. You can even make it listen for incoming connections and handle them.
What you can't do is to get a browser to keep a two-way connection without breaking off requests (not yet anyways...)
Yes, but its not what's generally called p2p, since there is a server in between. I have a feeling though that what you want to do is to have your peers communicate with each other, rather than have a direct connection between them with no 'middleman' server (which is what is normally meant by p2p)
Depending on the scalability requirements, implementing this kind of communication can be trivial (simple polling script on clients), or demanding (asynchronous comet server).
In case someone comes here seeing if you can write P2P software in PHP, the answer is yes, in this case, Quentin's answer to the original question is correct, PHP would have to be installed on the computer.
You can do whatever you want to do in PHP, including writing true p2p software. To create a true P2P program in PHP, you would use PHP as an interpreted language WITHOUT a web server, and you would use sockets - just like you would in c/c++. The original accepted answer is right and wrong, unless however the original poster was asking if PHP running on a webserver could be a p2p client - which would of course be no.
Basically to do this, you'd basically write a php script that:
Opens a server socket connection (stream_socket_server/socket_create)
Find a list of peer IP's
Open a client connection to each peer
...
Prove everyone wrong.
No, not really. PHP scripts are meant to run only for very small amount of time. Usually the default maximum runtime is two minutes which will be normally not enough for p2p communication. After this the script will be canceled though the server administrator can deactivate that. But even then the whole downloading time the http connection between the server and the client must be hold. The client's browser will show in this time its page loading indicator. If the connection breakes most web servers will kill the php script so the p2p download is canceled.
So it may be possible to implement the p2p protocol, but in a client/server scenario you run into problems with the execution model of php scripts.
both parties would need to be running a server such as apache although for demonstration purposes you could get away with just using the inbuilt php test server. Next you are going to have to research firewall hole punching in php I saw a script i think on github but was long time ago . Yes it can be done , if your client is not a savvy programmer type you would probably need to ensure that they have php installed and running. The path variable may not work unless you add it to the system registry in windows so make sure you provide a bat file that both would ensure the path is in the system registry so windows can find it .Sorry I am not a linux user.
Next you have to develop the code. There are instrucions for how hole punching works and it does require a server on the public domain which is required to allow 2 computers to find each others ip address. Maybe you could rig up something on a free website such as www.000.webhost.com alternatively you could use some kind of a built in mechanism such as using the persons email address. To report the current ip.
The biggest problem is routers and firewalls but packets even if they are directed at a public ip still need to know the destination on a lan so the information on how to write the packet should be straight forwards. With any luck you might find a script that has done most of the work for you.