At the top of global.inc you use the X_FORWARDED_FOR header and others without checking the validity of these.
That makes it very easy to fake your IP address: just send an X_FORWARDED_FOR header along.
X_FORWARDED_FOR and similar headers should only be trusted if the configuration has specified which IP addresses should be trusted as proxies, and only those IPs should be trusted in the X_FORWARDED_FOR chain of IPs.
Actually, as I write this, I realize that there is no support for multiple IPs in X_FORWARDED_FOR.
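The trusted-proxy handling the report asks for, as an added example written here for illustration (it is not the project's global.inc code and makes no claim about how Octopus resolves addresses). It assumes a configured list of trusted proxy addresses (`$trustedProxies`, a hypothetical setting) and walks the comma-separated X-Forwarded-For chain from the right, so a value the client itself put into the header is never taken as the client address:

```php
<?php
// Added example, not code from the project. Resolve the real client address
// from X-Forwarded-For while only trusting hops that are configured proxies.
//
// Assumptions (hypothetical, not from the project):
//   $remoteAddr     - the address of the TCP peer (what PHP sees in REMOTE_ADDR)
//   $xff            - the X-Forwarded-For header value as received, or null
//   $trustedProxies - configured list of proxy IPs allowed to set the header
function resolveClientIp(string $remoteAddr, ?string $xff, array $trustedProxies): string
{
    // If the direct peer is not a trusted proxy, the header is untrusted
    // client input: ignore it entirely.
    if (!in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }
    if ($xff === null || trim($xff) === '') {
        return $remoteAddr;
    }

    // XFF is "client, proxy1, proxy2": each proxy appends the address it
    // received the request from. Only the right-hand end was written by
    // proxies we control; anything further left may have been supplied by
    // the client before the first trusted proxy saw the request.
    $hops = array_map('trim', explode(',', $xff));

    // Walk from the right, skipping trusted proxies. The first hop that is
    // not a trusted proxy is the address our nearest trusted proxy saw.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // Malformed entry: fall back to the peer rather than trust garbage.
            return $remoteAddr;
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }

    // Every hop was a trusted proxy; the peer address is the safest answer.
    return $remoteAddr;
}

// Constructed sample values for demonstration (documentation ranges, not real hosts).
$trustedProxies = ['10.0.0.2', '10.0.0.3'];

// 1. Direct connection that sends a forged header: header is ignored.
$a = resolveClientIp('203.0.113.5', '198.51.100.1', $trustedProxies);
assert($a === '203.0.113.5');

// 2. Request arriving through trusted proxy 10.0.0.2, which appended the client.
$b = resolveClientIp('10.0.0.2', '198.51.100.7', $trustedProxies);
assert($b === '198.51.100.7');

// 3. Client prepends a fake entry, then passes through two trusted proxies.
//    Walking from the right skips 10.0.0.3, stops at 198.51.100.7 and never
//    reaches the forged 203.0.113.9.
$c = resolveClientIp('10.0.0.2', '203.0.113.9, 198.51.100.7, 10.0.0.3', $trustedProxies);
assert($c === '198.51.100.7');

// 4. Malformed hop: do not trust the header at all.
$d = resolveClientIp('10.0.0.2', 'not-an-ip, 10.0.0.3', $trustedProxies);
assert($d === '10.0.0.2');

echo "client ips: $a, $b, $c, $d\n";

// In a request handler the inputs would come from the server variables:
//   resolveClientIp($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null, $trustedProxies)
```

The key design point is that the header is consulted only when the TCP peer is itself a configured proxy, and that the chain is read from the right: the left-most entries are whatever the client chose to send, and the right-most entry is the one the nearest trusted proxy wrote. If Nginx already rewrites the header in front of PHP, the same rule still applies, since PHP should only believe the value when the peer it sees is that Nginx instance.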
Comments
Comment #1
omega8cc commented:

Yes, you could fake your IP using this "by design" (just read the comment in the code) snippet, but only on the Drupal/PHP level. This will not affect Nginx-level IP detection, so it is also not a Barracuda issue and is rather limited to the Octopus (Drupal) level. If you could provide more details on why you consider this to be a "bug" and how you propose to fix this, please re-open.