phpBB IP address spoofing

2004-04-18T00:00:00
ID CFE17CA6-6858-4805-BA1D-A60A61EC9B4D
Type freebsd
Reporter FreeBSD
Modified 2004-04-18T00:00:00

Description

The common.php script always trusts the "X-Forwarded-For" header in the client's HTTP request. A remote user could forge this header in order to bypass any IP address access control lists (ACLs).