Hi there.
I'm not a website expert, but I was assigned to try fix that issue.
I'm one of the
Wings3d forum admin and since Nov/14 I've niticed the IP information for registering and online users has not been done correctly - it's always 127.0.0.1 (localhost). So, there was a spammer party there and I need to change enable the Admin activtion. (lot of work now).
So, I opened a ticket at SourgeForce (where the forum is hosted) and they answered this way:
Quote:We upgraded a device which handles the headers, its possible it responded incorrectly prior to tuesday. Our suggestion is to use the X-Remote-Addr header to get the client IP; no other header or env will be reliable or useful for that purpose.
I have no idea where to do that change (which
.php files). Can someone help me with this?
We are still using the MyBB 1.6.8
Thanks in advanced
Micheus
If you are going to use the 1.6 series, you should at least upgrade to 1.6.16. See
Docs for guidance.
and this might help
admin panel >> configuration >> settings >> Server and Optimization Options --> Scrutinize User's IP address?
select yes and save the settings
(2015-02-10, 04:01 PM)dragonexpert Wrote: [ -> ]If you are going to use the 1.6 series, you should at least upgrade to 1.6.16. See Docs for guidance.
Thanks for the advice and link. We intend to update the forum, but we would like to get it working as it was prior Nov/14.
No one wants to introduce any other risk factor before fix the original issue.
(2015-02-10, 04:06 PM).m. Wrote: [ -> ]and this might help
admin panel >> configuration >> settings >> Server and Optimization Options --> Scrutinize User's IP address?
select yes and save the settings
Thanks. It's already Yes.
By reading other recent posts, that is something I've noticed too - two or three users only:
Who is online problem?
[Edited: 11/02/15]
By considering that
"Scrutinize User's IP address" is already set, the get_ip() code should be already using the
X-Remote-Addr header as proposed by the
SourceForge team. Right?!
Looking in the recent users registration I noticed that from the 59 users waiting for approval only one was registered with a valid IP (180.253.139.147) - the others are registered as 127.0.0.1
Shouldn't that suggest me the
get_ip() code is doing something wrong? maybe one of those
preg_match_all() call?
I just made a small php code to try see what the server is really answer related to the remote IP address:
http://www.wings3d.com/forum/admin/test_ip.php. The first rows are some MyBB heading present in
init clause of the
class_session.php:
<?php
/**
* MyBB 1.6
* Copyright 2010 MyBB Group, All Rights Reserved
*
* Website: http://mybb.com
* License: http://mybb.com/about/license
*
* $Id: index.php 5757 2012-03-09 15:11:56Z Tomm $
*/
require_once dirname(dirname(__FILE__))."/inc/init.php";
send_page_headers();
define('MYBB_ADMIN_DIR', MYBB_ROOT.$config['admin_dir'].'/');
require_once MYBB_ADMIN_DIR."inc/functions.php";
if(!file_exists(MYBB_ROOT."inc/languages/".$mybb->settings['cplanguage']."/admin/home_dashboard.lang.php"))
{
$mybb->settings['cplanguage'] = "english";
}
$lang->set_language($mybb->settings['cplanguage'], "admin");
// Load global language phrases
$lang->load("global");
if(function_exists('mb_internal_encoding') && !empty($lang->settings['charset']))
{
@mb_internal_encoding($lang->settings['charset']);
}
header("Content-type: text/html; charset={$lang->settings['charset']}");
/** end MyBB header copy */
$ip_address = get_ip();
echo "IP from get_ip(): " . $ip_address . "</br>";
$t = " ";
$rem_add = $_SERVER['REMOTE_ADDR'];
echo "_SERVER['REMOTE_ADDR']: " . $rem_add . "</br>";
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$xfrw_add = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
$xfrw_add = "Undefined";
}
echo "_SERVER['HTTP_X_FORWARDED_FOR']: " . $xfrw_add . "</br>";
if (isset($_SERVER['HTTP_X_REAL_IP'])) {
$xreal_add = $_SERVER['HTTP_X_REAL_IP'];
} else {
$xreal_add = "Undefined";
}
echo "_SERVER['HTTP_X_REAL_IP']: " . $xreal_add . "</br>";
echo "</br></br>";
echo "Main IP assignement (REMOTE_ADDR)</br>";
$rem_add_preg_match = preg_match("#^(10|172\.16|192\.168)\.#", $_SERVER['REMOTE_ADDR']);
echo $t."preg_match(_SERVER['REMOTE_ADDR']): " . $rem_add_preg_match. "</br>";
if(!preg_match("#^(10|172\.16|192\.168)\.#", $_SERVER['REMOTE_ADDR'])) {
$ip = $_SERVER['REMOTE_ADDR'];
echo $t."ip set to REMOTE_ADDR: " . $ip ."</br>";
} else {
echo $t."ip not set for REMOTE_ADDR" ."</br>";
}
echo "</br>";
echo "Secundary IP assignement (HTTP_X_FORWARDED_FOR)</br>";
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_FORWARDED_FOR'], $addresses);
echo $t."preg_match(_SERVER['HTTP_X_FORWARDED_FOR']): " . $addresses ."</br>";
} elseif (isset($_SERVER['HTTP_X_REAL_IP'])) {
echo $t."_SERVER['HTTP_X_FORWARDED_FOR'] is undefined</br>";
preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_FORWARDED_FOR'], $addresses);
echo $t."preg_match(_SERVER['HTTP_X_REAL_IP']): " . $addresses ."</br>";
} else {
echo $t."_SERVER['HTTP_X_REAL_IP'] is undefined</br>";
}
if (isset($addresses)) {
$t."var addresses has values...";
if(is_array($addresses[0])) {
foreach($addresses[0] as $key => $val)
{
echo $t.$key . " => " . $val ."</br>";
if(!preg_match("#^(10|172\.16|192\.168)\.#", $val)) {
$ip = $val;
echo $t.$t."ip assigned to: " . $val ."</br>";
}
}
}
}
?>
here is the result:
Quote:_SERVER['REMOTE_ADDR']: 127.0.0.1
_SERVER['HTTP_X_FORWARDED_FOR']: Undefined
_SERVER['HTTP_X_REAL_IP']: Undefined
Main IP assignement (REMOTE_ADDR)
preg_match(_SERVER['REMOTE_ADDR']): 0
ip set to REMOTE_ADDR: 127.0.0.1
Secundary IP assignement (HTTP_X_FORWARDED_FOR)
_SERVER['HTTP_X_REAL_IP'] is undefined
So, does someone has any suggestion about the problem? What could be causing that?
Any help is appreciated.
After ask here, in the
SourceForge and burn my brain I looked for some informations in the Admin CP and then I found the PHP Info. There I was able to see that
SourceForge doesn't use the
HTTP_X_FORWARDED_FOR and
HTTP_X_REAL_IP as an alternative to
REMOTE_ADDR - they use
HTTP_X_REMOTE_ADDR:
![[Image: mybb_php_info_zpsp4kr6jxl.png]](https://camo.mybb.com/b53f14a6aaf88b1ed37c12e1d59c131c1275edeb/687474703a2f2f69313333302e70686f746f6275636b65742e636f6d2f616c62756d732f773537382f4d6963686575732f6d7962625f7068705f696e666f5f7a707370346b72366a786c2e706e67)
So, the solution is to add it to the IP check in the file
./inc/functions.php, function
get_ip():
:
:
if($mybb->settings['ip_forwarded_check'])
{
if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_FORWARDED_FOR'], $addresses);
}
elseif(isset($_SERVER['HTTP_X_REAL_IP']))
{
preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_REAL_IP'], $addresses);
}
elseif(isset($_SERVER['HTTP_X_REMOTE_ADDR']))
{
preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_REMOTE_ADDR'], $addresses);
}
if(is_array($addresses[0]))
{
foreach($addresses[0] as $key => $val)
{
if(!preg_match("#^(10|172\.(1[6-9]|2[0-9]|3[0-1])|192\.168)\.#", $val))
{
$ip = $val;
break;
}
}
}
}
:
Now what we need is to get that added to the official distribution. Where can I do a "Feature Request"? (I didn't find a link for it - just a reference for plugins)
(2015-02-17, 02:15 PM)Micheus Wrote: [ -> ]Now what we need is to get that added to the official distribution. Where can I do a "Feature Request"? (I didn't find a link for it - just a reference for plugins)
1.6 is not developed anymore. You can report it for 1.8 though:
http://community.mybb.com/forum-157.html