DtDNS: WhatsMyIP

From The Uniform Server Wiki
Revision as of 19:50, 11 September 2009 by Ric (talk | contribs) (New page: {{Nav DtDNS}} I recommended on the previous page before using the manual updater check your IP address has changed otherwise your IP address may be banned. Using a service provider’s upd...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

 

DtDNS and automatic update

I recommended on the previous page before using the manual updater check your IP address has changed otherwise your IP address may be banned. Using a service provider’s updater excessively (IP address has not changed) will be considered an abuse. You need to note the Initial IP address write this down, periodically check your IP address and only use the updater service when it changes.

This page first looks at a manual method of obtaining your IP address.

Although a viable solution it is tedious, ideally we want to automate the process using a PHP script. Remainder of this page looks at security issues in doing this.

Whats My IP

When you want to determine your IP address as seen from the Internet you can use one of many pages providing this service. Google for Whats My IP choose one of the pages I have listed three links taken at random:

When you request one of these pages your IP address is captured and inserted into the page. This is displayed in your browser.

You can make a comparison and use the manual IP update method if required.

Top

Consideration for Automatic Updater

When one of the above pages is requested your IP address is captured and inserted into the returned page using code similar to this:

 <?php
    //Gets the IP address
    $ip = getenv("REMOTE_ADDR") ;
    Echo "Your IP is " . $ip;
 ?> 

Side note: You can provide a similar experience and show your user's their IP address by adding the above code to your PHP pages.

Note:

Viewing the above pages in a browser is safe however we want to capture one of the above in a PHP script and extract the IP address. This has security implications which the following simulation demonstrates.

Top

Simulation

Because of security issues Uniform Server disables certain PHP features. You may be tempted to enable these however the following simulation demonstrates why you would not want to enable remote page include.

remote_page.php

Create a new text file in folder UniServer\www and name it remote_page.php add the following content:

<?php
  //Gets the IP address
  $ip = getenv("REMOTE_ADDR") ;
  Echo "Your IP is " . $ip;
?> 

Test:

  • Run servers
  • Type http://localhost/remote_page.php into your browser
  • Result: Your IP is 127.0.0.1 - displayed

The above script remote_page.php is assumed to be on a remote server.

Top

Capture Page

On our local server we want to capture the content of the remote page. PHP has several ways of doing this. The following is NOT the way to do it I have included this example to demonstrate why.

Create a new text file in folder UniServer\www and name it test1.php add the following content:

<?php
 include 'http://localhost/remote_page.php';
?>

Test:

  • Run servers
  • Type http://localhost/test1.php into your browser
  • Result: Hopefully a blank page is displayed.

By default Uniform Server has remote page include disabled.

For this test edit file UniServer\usr\local\php\php.ini

Locate the following line

allow_url_include = Off

Change it to

allow_url_include = On
  • Restart servers
  • Type http://localhost/test1.php into your browser
  • Result: Your IP is 127.0.0.1 - is displayed.

Top

Serious security issue

Looking at the above result it appears quite harmless! Now add the single line as shown to remote_page.php

<?php
  //Gets the IP address
  $ip = getenv("REMOTE_ADDR") ;
  Echo "Your IP is " . $ip;

  system('dir');
?>
  • Type http://localhost/test1.php into your browser
  • Result: Your IP is 127.0.0.1 Along with a directory listing - is displayed.

Now remember this could have been a page downloaded from the Internet. Can you trust the file not to contain malicious content? You have just run a system command, dir is benign however it is easily replaced with commands that delete files or contain other nastiness.

Top

Restore php.ini

Before moving on restore php.ini edit file UniServer\usr\local\php\php.ini

Locate the following line

allow_url_include = On

Change it to

allow_url_include = Off

Top

Summary

At this point we know how to find our IP address however we do not have a safe method of extracting it.

I have highlighted the dangers of reconfiguring a server to allow external includes.

The only safe way to include external files is to use cURL. After reading the cURL manual new users shy away from it. Hence the next two pages show how easy it is to use. The first page shows how to safely extract IP address from an external page.

Top