fix for #524

usually, ip addresses with multiple failed login attempts should be
blocked. An attacker could bypass this by sending an X-forwarded-for
header and change that IP with each attempt. Since REMMOTE_ADDR
is harder to fake we should first check that one and only if that one is
not set for some reason, rely on other variables.

wbce/framework/class.login.php

@@ -410,8 +410,13 @@ public function increase_attempts($increment = 1)
      */
     private function get_client_ip()
     {
-        $ipaddress = '';
-        if (isset($_SERVER['HTTP_CLIENT_IP'])) {
+	$ipaddress = '';
+	// for security reasons first check remote_addr which is more difficult to fake:
+	if (isset($_SERVER['REMOTE_ADDR'])) {
+	    $ipaddress = $this->get_server('REMOTE_ADDR');
+	} elseif (getenv('REMOTE_ADDR')) {
+	    $ipaddress = getenv('REMOTE_ADDR');
+	} elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
             $ipaddress = $this->get_server('HTTP_CLIENT_IP');
         } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
             $ipaddress = $this->get_server('HTTP_X_FORWARDED_FOR');
@@ -421,8 +426,6 @@ private function get_client_ip()
             $ipaddress = $this->get_server('HTTP_FORWARDED_FOR');
         } elseif (isset($_SERVER['HTTP_FORWARDED'])) {
             $ipaddress = $this->get_server('HTTP_FORWARDED');
-        } elseif (isset($_SERVER['REMOTE_ADDR'])) {
-            $ipaddress = $this->get_server('REMOTE_ADDR');
         } elseif (getenv('HTTP_CLIENT_IP')) {
             $ipaddress = getenv('HTTP_CLIENT_IP');
         } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
@@ -433,8 +436,6 @@ private function get_client_ip()
             $ipaddress = getenv('HTTP_FORWARDED_FOR');
         } elseif (getenv('HTTP_FORWARDED')) {
             $ipaddress = getenv('HTTP_FORWARDED');
-        } elseif (getenv('REMOTE_ADDR')) {
-            $ipaddress = getenv('REMOTE_ADDR');
         } else {
             $ipaddress = 'UNKNOWN';
         }