Apache2 mod_remoteip+rewrite allows client to forge IP address
Bug #1769304 reported by
Nicholas Sherlock
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| apache2 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Xenial |
Won't Fix
|
Medium
|
Unassigned | ||
Bug Description
Apache bug #60251 describes this problem:
https:/
mod_remoteip allows us to set the client's IP address using a trusted proxy's X-Forwarded-For header. However, in a location which uses a RewriteRule, the last IP address in the chain is incorrectly stripped while redirecting to the new location, allowing a caller to forge whatever IP address they like by including it in an X-Forwarded-For header.
Version 2.4.18-2ubuntu3.8 is vulnerable to this in Xenial. This is fixed upstream in 2.4.24, can the fix be backported to xenial-updates?
| information type: | Private Security → Public Security |
| Changed in apache2 (Ubuntu): | |
| status: | New → Triaged |
Revision history for this message
| Andreas Hasenack (ahasenack) wrote | #1 |
| Changed in apache2 (Ubuntu): | |
| status: | Triaged → Fix Released |
| Changed in apache2 (Ubuntu Xenial): | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
Revision history for this message
| Andreas Hasenack (ahasenack) wrote | #2 |
Revision history for this message
| Bryce Harrington (bryce) wrote | #3 |
| Changed in apache2 (Ubuntu Xenial): | |
| status: | Triaged → Won't Fix |
To post a comment you must log in.
This is fixed in bionic and later. Leaving a task open for xenial.
Links to the upstream fix:
https:/
https:/