\Engine_IP::getRealRemoteAddress
Happily accepts anything as the client’s IP address from the $_SERVER
global.
Malformed or malicious client requests thus can inject arbitrary strings into it, and as real life shows, they do supply strings like ‘unknown’ which causes the PHP warning mentioned in this issue’s title.
To fix this, edit the following file as below: application/libraries/Engine/IP.php
--- a/web/application/libraries/Engine/IP.php +++ b/web/application/libraries/Engine/IP.php @@ -320,10 +320,12 @@ $asIPv6 = self::$_preferIPv6; } + $address = filter_var($address, FILTER_VALIDATE_IP); + if( $asIPv6 ) { return self::convertIPv4to6($address); } else { return $address; } }
SocialEngine will be adding this little modification into their next release so i am informed.
Looking for quality SocialEngine Hosting? Look no further than Arvixe Web Hosting