When a user connects through an indirect method, such web clients, the indirect client sends its own IP address instead of sending the user's IP address unless WebIRC is implemented by both the client and the server.
Before the client sends the PASS, USER or NICK commands it should send:
WEBIRC password user hostname ip
Where each of the tokens in the above is replaced with the following:
passwordPassword that authenticates the WEBIRC command from this client.
userUser or client requesting spoof (cgiirc defaults to cgiirc).
hostnameHostname of user.
ipIP address either in IPv4 dotted quad notation (e.g. 192.0.0.2) or IPv6 notation (e.g. 1234:5678:9abc::def). IPv4-in-IPv6 addresses (e.g. ::ffff:192.0.0.2) should not be sent.
The password should be agreed previously with the IRC server that the client is connecting to. Normally this will be defined in the configuration file.
The server should limit the hosts from which a WEBIRC command is accepted from. Anyone with a valid password and host to connect from can spoof any hostname they desire, this is mostly by design. (It would be possible for the IRCD to check that the IP matches the hostname to stop spoofing of any host.) It is therefore possible to use this to bypass most kinds of ban. It is recommended the IRCD provides a method to find the original host and shows that WEBIRC is in use (to IRC operators at least) in order to provide a way to deal with abuse.