spoofing IP addresses
Eric Lease Morgan (eric_morgan@ncsu.edu)
Fri, 06 Jun 1997 14:27:02 -0400
How does an HTTP server know the IP address of a client, and how can I
use a CGI/LWP script to fake this address?

I have a local service that contains licensed data. I have written a
CGI/LWP script that takes one item as input, creates a new HTTP request
on behalf of the originating client, passes the request on to a
second server, and finally returns the second server's response back to
the originating client. See below:

#!/usr/local/bin/perl

# include the necessary libraries
require "/usr/local/bin/httpd/cgi-bin/cgi-lib.pl";
use LWP::UserAgent;
use HTTP::Request;

# read the form's input
&ReadParse(*input);

# process the input
if ($input{'db'} eq "xyz") {
    # initialize database-specific variables
    $USERNAME = "abc";
    $PASSWORD = "def";
    $databaseHost = "http://cc16ss.unity.ncsu.edu";
    $fullPath = $databaseHost."/cgi-bin/webspirs-t.cgi";
    $content = "sp.nextform=top.htm&sp.username=$USERNAME&";
    $content .= "sp.password=$PASSWORD";
}
else {
    # invalid database
    print "Location: http://www.lib.ncsu.edu/webspirs/invalid.html\n\n";
    exit;
}

# create a user agent ($a)
$a = new LWP::UserAgent;

# create a request ($r) on behalf of the originating client
$r = new HTTP::Request 'POST', "$fullPath";

# update the header; the body is URL-encoded form data, so label it as such
$r->content_type('application/x-www-form-urlencoded');

# fill the content with... content
$r->content("$content");

# POST the request and save the output ($o)
$o = $a->request($r);

# process the output
if ($o->is_success) {
    # pass the body of the response back to the originating client
    # ($o itself is an HTTP::Response object, not the page text)
    print "Content-type: text/html\n\n";
    print $o->content, "\n";
}
else {
    # redirect the client to an error page
    print "Location: http://www.lib.ncsu.edu/webspirs/error.html\n\n";
}

# quit gracefully
exit;

Believe it or not, this script works, but subsequent interaction between
the client and the licensed database server fails because the licensed
database server does not recognize the IP address of the client.

How can I spoof the IP address of the originating client and pass it
along to the licensed database server in the script above? At first I
tried modifying the header of the HTTP request, but it does not contain
any IP-specific information about the client.
--
Eric Lease Morgan
NCSU Libraries
http://www.lib.ncsu.edu/staff/morgan/
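
Added example, not part of the original post: a loopback HTTP server that reports the client address the way a web server fills in REMOTE_ADDR, showing that the value comes from the TCP connection and that a request header naming another address does not change it. The header name X-Client-IP, the path /cgi-bin/demo, the function and class names, and the address 192.0.2.10 are constructed for this illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class PeerAddressHandler(BaseHTTPRequestHandler):
    """Reports the client address the server sees, as a CGI server does for REMOTE_ADDR."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)  # drain the form body
        # client_address is taken from accept() on the TCP socket, not from the request
        peer_ip = self.client_address[0]
        # hypothetical header: whatever it claims is just text supplied by the sender
        claimed = self.headers.get("X-Client-IP", "-")
        body = f"socket_peer={peer_ip}\nheader_claim={claimed}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demonstration quiet


def observe(claimed_ip):
    """POST once to a loopback server with a header naming claimed_ip; return what it saw."""
    server = HTTPServer(("127.0.0.1", 0), PeerAddressHandler)  # port 0: any free port
    server.timeout = 5  # do not wait forever if the client never connects
    thread = threading.Thread(target=server.handle_request)  # serve a single request
    thread.start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("POST", "/cgi-bin/demo", body="sp.nextform=top.htm",
                     headers={"Content-Type": "application/x-www-form-urlencoded",
                              "X-Client-IP": claimed_ip})
        text = conn.getresponse().read().decode()
        conn.close()
    finally:
        thread.join()
        server.server_close()
    return dict(line.split("=", 1) for line in text.splitlines())


if __name__ == "__main__":
    print(observe("192.0.2.10"))  # constructed address from the documentation range
```

A server that licenses by address therefore sees the host that opened the connection, which for a relaying CGI script is the machine running the script.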