Last modified: 2010-05-15 15:37:20 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T6069, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 4069 - Transparent Proxy IP recorded instead of client's IP address
Status: RESOLVED INVALID
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: 1.5.x
Hardware: PC Windows 2000
Importance: Normal normal
Assigned To: Nobody - You can work on this!

Reported: 2005-11-25 00:51 UTC by Nathan Carter
Modified: 2010-05-15 15:37 UTC

Description Nathan Carter 2005-11-25 00:51:51 UTC
It seems that MediaWiki records the IP address of a user's 
transparent proxy if they are behind one instead of the 
actual user's IP address.

I believe that the HTTP_REFERRER tag can be used to pick up a 
client's IP address even if behind a transparent proxy.
Comment 1 Brion Vibber 2005-11-25 19:51:38 UTC
We only get the IP address that's exposed to us. X-Forwarded-For headers added by 
proxies are not reliable; often they may be missing, and they are easy to forge, 
becoming a security issue if relied upon.

For specific known-good proxies, sometimes we may add them to our list of known proxies 
by which the headers are checked. For your own site, try adding them to 
$wgSquidServersNoPurge.
Comment 2 Nathan Carter 2005-11-25 23:56:57 UTC
It is just frustrating when phpBB and the like get the 
true IP, yet MediaWiki picks up the proxy's IP (which in 
the case of a transparent proxy is improper).
Comment 3 Brion Vibber 2005-11-26 01:10:01 UTC
Would you prefer it when any vandal can fake their IP address with a completely false 
header?
Comment 4 Nathan Carter 2005-11-26 07:24:23 UTC
They can do so using an anonymous proxy anyway. It is not 
common practice to record the transparent proxy's IP 
address. That is why they are transparent proxies because 
you can see the client through them.
Comment 5 Brion Vibber 2005-11-26 18:58:22 UTC
The proxy would be, in fact, their actual IP address.
Comment 6 Nathan Carter 2005-11-27 02:40:10 UTC
Not so with a transparent proxy. So much so when I visit 
my own site the web server records my true IP address, yet 
MediaWiki picks the proxy.
Comment 7 Brion Vibber 2005-11-27 04:16:21 UTC
1) Is your own web site on the *inside* of the proxy?
2) If not, please provide the source code for the bit of the site that picks the 
address, and I'll let you know if it's vulnerable to attack with false headers. 
(Probably is.)
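
The trade-off argued in Comments 1 and 7, as an added example that is not part of the original thread and is not MediaWiki's or phpBB's code: a resolver that believes X-Forwarded-For from anyone, beside one that reads it only when the connecting peer is on a list of known-good proxies. The function names, the TRUSTED_PROXIES list and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: proxies the site operator controls (documentation ranges).
# This list plays the role of the "known proxies" list mentioned in Comment 1.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32"),
                   ipaddress.ip_network("198.51.100.0/24")]

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def naive_client_ip(peer, xff):
    """Weak pattern: believe the first X-Forwarded-For entry from any peer."""
    if xff:
        return xff.split(",")[0].strip()
    return peer

def client_ip(peer, xff):
    """Use X-Forwarded-For only when the TCP peer is a known-good proxy.

    Walk the header right to left: each entry was appended by the hop to its
    right, so an entry is believable only while every later hop is trusted.
    """
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(current):
            break          # untrusted hop: whatever it reported is unverified
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break          # malformed entry: keep the last verified address
    return str(current)
```

With the weak resolver, a client connecting directly can have any address recorded by sending its own header; the second resolver records the connecting address unless that address is a listed proxy.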
