[SOLVED] PHP using 127.0.0.1 as local


random1

I have some code that handles times for updating and maintenance for a website that denies access by any users other than the local one (127.0.0.1).

Is there a way as a user to 'fake' being the 127.0.0.1 visitor? Is there a better way to "forbid access to anyone but the local server"?

It is technically possible to fake an IP address (in fact, that's the method used in some attack -- don't remember its name).  Your computer would reply to 127.0.0.1 though, so there is no security problem with relying on your local IP.  A black list with IPs is much harder to do than a white list though because of proxies and whatnot.

Don't know if this is a confirmation, but these are my notes for tunneling in to my phpmyadmin via Putty:

XXXX is some random port #

Putty can be used on a Windows machine, or SSH Tunnel Manager (SSHTM) can be used on a Mac. The trick to getting this to work is to tell Putty or SSHTM to make an SSH connection to the server, same way you normally would, but to do a port forward from XXXX to localhost:80. Then all you need to do is go to Firefox and tell it to connect to the internet through localhost:XXXX.

Mac console:

ssh -N -p 22 -c 3des [email protected] -L XXXX/localhost/80

So, I'm pretty sure in this case, your script/apache would recognize the IP as 127.0.0.1. I'd have to check my server log to be sure.

That's not a security vulnerability though.  The request would come from localhost, yes, but the foreign user would have to have an SSH tunnel going.
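
One way to implement the loopback-only check this thread discusses, as an added example that is not part of the original posts: it trusts only `REMOTE_ADDR` (the TCP peer address set by the web server) and ignores client-supplied headers such as `X-Forwarded-For`. The helper names `is_loopback()` and `require_local_request()` are hypothetical.

```php
<?php
// Added example (not from the thread). Helper names are hypothetical.

/** True for 127.0.0.0/8, ::1 and IPv4-mapped loopback (::ffff:127.x.x.x). */
function is_loopback(string $addr): bool
{
    $packed = @inet_pton($addr);   // false on malformed input
    if ($packed === false) {
        return false;
    }
    if (strlen($packed) === 4) {   // IPv4: first octet must be 127
        return ord($packed[0]) === 127;
    }
    if ($packed === str_repeat("\0", 15) . "\x01") {   // IPv6 ::1
        return true;
    }
    // IPv4-mapped IPv6: 80 zero bits, 16 one bits, then the IPv4 address.
    $mapped = str_repeat("\0", 10) . "\xff\xff";
    return strncmp($packed, $mapped, 12) === 0 && ord($packed[12]) === 127;
}

/**
 * Reject the request unless the TCP peer is loopback. Only REMOTE_ADDR is
 * read: the web server sets it from the socket. X-Forwarded-For, Client-IP
 * and similar headers come from the client and are deliberately ignored.
 */
function require_local_request(array $server): void
{
    if (!is_loopback($server['REMOTE_ADDR'] ?? '')) {
        http_response_code(403);
        exit('Forbidden');
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed sample addresses, run from the command line.
    $samples = ['127.0.0.1', '127.5.5.5', '::1', '::ffff:127.0.0.1',
                '203.0.113.7', '::ffff:203.0.113.7', 'not-an-ip'];
    foreach ($samples as $ip) {
        printf("%-20s %s\n", $ip, is_loopback($ip) ? 'local' : 'denied');
    }
} else {
    // In the maintenance script itself: gate before any other work.
    require_local_request($_SERVER);
}
```

Requests that arrive through an SSH port forward to localhost:80, as in the notes above, originate on the server itself and pass this check, so the gate is only as strong as SSH access to the machine. The same applies when a reverse proxy on the same host fronts the site, because every proxied request then has a loopback peer address.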

Archived

This topic is now archived and is closed to further replies.
