There was some discussion today on CF-Talk about using CGI variables to secure an application, and some confusion as to which CGI variables can be spoofed and whether any of them are safe to rely on. In particular, there's interest in blocking specific IP addresses from accessing a web application.
After some testing, I confirmed that even REMOTE_ADDR, the client’s IP address, and REMOTE_HOST, the client’s host name, can be spoofed very easily. ColdFusion can do this with the CFHTTP and CFHTTPPARAM tags and I’m sure other tools are available.
These spoofs worked with JRun’s built-in web server and through IIS. I’ve also spoofed REMOTE_HOST previously with an iPlanet installation to demonstrate poor security in a client’s application.
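The post above reports the spoof using CFHTTP and CFHTTPPARAM against ColdFusion. The following is an added example, not code from the post, that reproduces the same idea with a generic Python HTTP client and server so the two possible sources of a "remote address" can be compared side by side. It assumes an application whose IP check reads REMOTE_ADDR from the request headers (a simulation of a CGI scope that is populated from client-supplied headers, which is the behaviour the post describes seeing), and contrasts it with the peer address of the TCP connection, which a client cannot change just by adding headers. TRUSTED_IP, the /admin path and the forged header values are constructed for the demo.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed for the demo: the only address the application intends to admit.
TRUSTED_IP = "10.0.0.5"


class Handler(BaseHTTPRequestHandler):
    """Answers every GET with what two different 'remote address' lookups saw."""

    def do_GET(self):
        # Lookup 1: a CGI-style scope filled from request headers. Anything the
        # client puts in a header named REMOTE_ADDR lands here unchanged
        # (assumption: this mirrors the header fallback the post reports).
        header_addr = self.headers.get("REMOTE_ADDR", "")
        header_host = self.headers.get("REMOTE_HOST", "")

        # Lookup 2: the peer address of the TCP connection the request arrived on.
        socket_addr = self.client_address[0]

        body = json.dumps({
            "header_remote_addr": header_addr,
            "header_remote_host": header_host,
            "socket_remote_addr": socket_addr,
            # The naive check trusts the header; the hardened check trusts the socket.
            "header_check_passed": header_addr == TRUSTED_IP,
            "socket_check_passed": socket_addr == TRUSTED_IP,
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the demo quiet; nothing here is security relevant.
        pass


def spoof_request(spoofed_ip: str, spoofed_host: str = "trusted.example") -> dict:
    """Start a loopback server, send one request carrying forged REMOTE_ADDR and
    REMOTE_HOST headers (the CFHTTPPARAM trick, done with urllib), and return
    what the application saw."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        req = urllib.request.Request(
            f"http://127.0.0.1:{port}/admin",
            headers={"REMOTE_ADDR": spoofed_ip, "REMOTE_HOST": spoofed_host},
        )
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.loads(resp.read())
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    seen = spoof_request(TRUSTED_IP)
    # The header-based check is fooled; the socket-based check is not, because the
    # request really came from 127.0.0.1.
    print(json.dumps(seen, indent=2))
```

The header-based check accepts the forged address because it is reading text the client wrote, while the socket-based check still sees 127.0.0.1. Any value an application obtains from request headers (REMOTE_HOST, X-Forwarded-For and the like) is in the same position as the forged REMOTE_ADDR here: it is client input and must not be used as an access control on its own.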
So if you're thinking about using CGI variables to secure a site, you need to think again. If you need to restrict access by IP address, do it at the router or firewall, where the source address comes from the network layer and not from anything the client chose to send in the request, and not in application code.