Closed gabcoh closed 6 years ago
It is very easy to spoof your IP by just setting the 'Client-IP' header in your HTTP request. This allows you to bypass the IP check and vote multiple times. This is due to the get_ipaddress function looking first for the IP in user-supplied headers, rather than the server-populated 'REMOTE_ADDR': https://github.com/lesterchan/wp-polls/blob/b85b3beffa84cb468ba80ccf60a597f4124e20c1/wp-polls.php#L724
I would understand if this is supposed to allow people to vote behind proxies, but otherwise it seems like a bug.
p.s. other than this, great work! I really like the plugin!
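To make the issue concrete, here is an added example (not wp-polls code, and not the reporter's) that models the pattern described above: an IP lookup that consults client-controllable headers before REMOTE_ADDR, next to a hardened variant that only honours forwarded headers when the TCP peer is a proxy the site operator controls. The header order, the header names beyond 'Client-IP', and the trusted-proxy list are assumptions for illustration; the plugin's actual list is at the linked line.

```php
<?php
// Added example, not wp-polls code. Models the behaviour described in the
// issue: a lookup that trusts client-supplied headers before REMOTE_ADDR.
function get_ipaddress_trusting_headers(array $server): string {
    // HYPOTHETICAL header order for this example; see the linked line for
    // what the plugin actually checks.
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            // X-Forwarded-For may be a comma-separated list; take the first entry.
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return '';
}

// Hardened variant. REMOTE_ADDR is the only value the client cannot choose,
// because it comes from the TCP connection, not from the request. Forwarded
// headers are honoured only when REMOTE_ADDR is a proxy we operate (the list
// is an assumption for this example), and then only the rightmost hop, which
// that proxy appended, so a client cannot prepend an address of its choosing.
function get_ipaddress_hardened(array $server, array $trustedProxies = []): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '';
}

// Constructed request: a client connecting directly from 203.0.113.7 and
// sending a forged Client-IP header (e.g. curl -H 'Client-IP: 198.51.100.42').
$spoofed = [
    'REMOTE_ADDR'    => '203.0.113.7',
    'HTTP_CLIENT_IP' => '198.51.100.42',
];

// Constructed request arriving through a proxy we operate at 10.0.0.5. The
// client injected a bogus first hop; the proxy appended the real peer address.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.7',
];

echo "header-trusting, spoofed request: ", get_ipaddress_trusting_headers($spoofed), "\n";
echo "hardened, spoofed request:        ", get_ipaddress_hardened($spoofed), "\n";
echo "hardened, proxied request:        ", get_ipaddress_hardened($proxied, ['10.0.0.5']), "\n";
```

Run with `php example.php`. The header-trusting lookup returns whatever the attacker put in Client-IP, so each request with a fresh header value looks like a new voter; the hardened lookup returns the connecting address in the direct case and the proxy-appended address in the proxied case, so a vote-once check keyed on it cannot be bypassed by a header alone.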