REMOTE_ADDR and REMOTE_HOST not safe for use in security

There was some discussion today on CF-Talk about using CGI variables to secure an application and some confusion as to which CGI variables can be spoofed and if some are safe. Particularly there’s interest in blocking out specific IP addresses from accessing a web-application.

After some testing, I confirmed that even REMOTE_ADDR, the client’s IP address, and REMOTE_HOST, the client’s host name, can be spoofed very easily. ColdFusion can do this with the CFHTTP and CFHTTPPARAM tags and I’m sure other tools are available.

These spoofs worked with JRun’s built-in web server and through IIS. I’ve also spoofed REMOTE_HOST previously with an iPlanet installation to demonstrate poor security in a client’s application.

So if you’re thinking about using CGI variables to secure a site, you need to think again. If you need to secure by IP address, then do it at the router and not in application code.

This entry was posted in Uncategorized by Sam. Bookmark the permalink.

2 thoughts on “REMOTE_ADDR and REMOTE_HOST not safe for use in security

  1. “So if you’re thinking about using CGI variables to secure a site, you need to think again. If you need to secure by IP address, then do it at the router and not in application code.”

    Yeah, when talking about security/addressing, it’s better do hardware “level” than by using some application coding. Spoofing is pretty easy with Windows machines.

    I never liked CGI thought ;)

  2. I see you share interesting content here, you can earn some extra money, your
    blog has big potential, for the monetizing method, just type
    in google – K2 advices how to monetize a website

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>