Incorrect trusted proxy match test in mod_remoteip
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Apache2 Web Server | Fix Released | Medium | |
apache2 (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Won't Fix | Medium | Wesley Wiedenmeier |
Bug Description
Hi,
I checked and the latest version in trusty-updates is missing the patch for PR 54651 (link below):
https:/
This fixes the case where mod_remoteip trusts multiple IP addresses in X-Forwarded-For if the client IP is trusted. This allows anyone to spoof the remote address by sending an X-Forwarded-For header to a trusted proxy (which will append its own IP to it).
Is it possible to ship this patch in trusty-updates?
To answer the common questions:
$ lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04
$ apt-cache policy apache2-bin
apache2-bin:
Installed: 2.4.7-1ubuntu4.8
Candidate: 2.4.7-1ubuntu4.8
Version table:
*** 2.4.7-1ubuntu4.8 0
500 http://
100 /var/lib/
2.
500 http://
2.4.7-1ubuntu4 0
500 http://
Expected to happen: mod_remoteip should use the rightmost X-Forwarded-For entry if the client IP is in the trusted proxy list. It should then use the second rightmost entry if the rightmost entry is in the trusted proxy list, and so on.
What happened instead: mod_remoteip always checks the client IP against the trusted proxy list as it goes down the X-Forwarded-For entries. It will always set the remote IP to the leftmost entry in X-Forwarded-For if the client IP is trusted.
Regards,
William
summary:
- Please include patch for Apache PR 54651 in trusty-updates
+ Incorrect trusted proxy match test in mod_remoteip
Changed in apache2:
importance: Unknown → Medium
status: Unknown → Fix Released
Changed in apache2 (Ubuntu Trusty):
assignee: nobody → Wesley Wiedenmeier (wesley-wiedenmeier)
I have confirmed a bug in mod_remoteip.c's remoteip_modify_request function.
This bug was reported by <email address hidden> in 2012 in this thread:
http://mail-archives.apache.org/mod_mbox/httpd-users/201210.mbox/%<email address hidden>%3E
The bug appears to still be in httpd/trunk.
The bug here is that, even though temp_sa gets assigned to a new IP with every iteration of the while-loop, the apr_ipsubnet_test continues to check the list of proxymatch_ip against the same connection IP (using c->client_addr) over and over again. Thus, if c->client_addr matches, the code always walks to the very beginning of the X-Forwarded-For header.
--- modules/ metadata/ mod_remoteip. c (revision 1407459) metadata/ mod_remoteip. c (working copy)
+++ modules/
@@ -246,16 +246,16 @@
temp_sa = c->client_addr;
while (remote) {
- /* verify c->client_addr is trusted if there is a trusted proxy list >proxymatch_ ip) {
remoteip_ proxymatch_ t *match; proxymatch_ t *)config- >proxymatch_ ip->elts; >proxymatch_ ip->nelts; ++i) { test(match[ i].ip, c->client_addr)) { test(match[ i].ip, temp_sa)) {
internal = match[i].internal;
break;
+ /* verify temp_sa is trusted if there is a trusted proxy list
*/
if (config-
int i;
match = (remoteip_
for (i = 0; i < config-
- if (apr_ipsubnet_
+ if (apr_ipsubnet_
}
}
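Review bot: the `-`/`+` pair on the `apr_ipsubnet_test(match[i].ip, ...)` call is the whole fix and is the right one: inside the `while (remote)` loop the trust test has to run against `temp_sa`, the hop currently under consideration, because `c->client_addr` never changes between iterations, so once the connecting proxy matches, every hop passes the test and the walk runs to the leftmost, client-supplied entry. The comment change from `verify c->client_addr is trusted` to `verify temp_sa is trusted` belongs in the same commit so the comment keeps matching the code it describes.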
The fix is to replace apr_ipsubnet_test(match[i].ip, c->client_addr) with apr_ipsubnet_test(match[i].ip, temp_sa), and to correct the comment that mentions c->client_addr. Once fixed, the module works great.
To reproduce this bug, you have to set up mod_remoteip with these directives:
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1
Then, make two requests:
1) curl --header 'X-Forwarded-For: 1.2.3.4' http://localhost:80/
2) curl --header 'X-Forwarded-For: 1.2.3.4, 5.6.7.8' http://localhost:80/
For (1) the r->useragent_ip logged is expected to be 1.2.3.4. The code behaves correctly for this case.
For (2) the r->useragent_ip logged should be 5.6.7.8. The current code logs 1.2.3.4 still. This is not the behavior as documented because 5.6.7.8 is not configured to be "trusted".
EugeneL
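The right-to-left walk described in the bug report and in EugeneL's analysis, as an added Python model that is not mod_remoteip's code or anything from the report: the `fixed` switch selects between testing `c->client_addr` (the bug) and `temp_sa` (the PR 54651 fix), and it assumes RemoteIPInternalProxy semantics with a non-empty proxy list, so the module's behaviour without any proxy list is not modelled.

```python
import ipaddress

# Added example, not mod_remoteip's code or anything from the bug report: a
# model of the RemoteIPHeader walk with a switch that reproduces the trust test
# before and after the one-line fix from Apache PR 54651 (internal proxies only).

def _is_trusted(addr, proxies):
    """True if addr falls inside any configured proxy address or CIDR range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in proxies)

def useragent_ip(client_addr, xff, internal_proxies, fixed=True):
    """Return the address the module would report as r->useragent_ip.

    client_addr       peer address of the TCP connection (c->client_addr)
    xff               X-Forwarded-For value, or None when the header is absent
    internal_proxies  RemoteIPInternalProxy values (addresses or CIDR ranges)
    fixed             True: test the current hop (temp_sa), as after the patch;
                      False: test c->client_addr on every iteration, as before
    """
    proxies = [ipaddress.ip_network(p, strict=False) for p in internal_proxies]
    if not proxies:
        raise ValueError("the no-proxy-list behaviour of the module is not modelled")
    temp_sa = client_addr
    if not xff:
        return temp_sa
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops:
        # With the bug the connection peer is re-tested every time, so once it
        # matches the walk never stops before the leftmost, client-supplied entry.
        subject = temp_sa if fixed else client_addr
        if not _is_trusted(subject, proxies):
            break
        temp_sa = hops.pop()  # consume the rightmost remaining entry
    return temp_sa

def reproducer():
    """The two curl requests from the report, arriving via trusted 127.0.0.1."""
    trusted = ["127.0.0.1"]
    return {
        "single_fixed": useragent_ip("127.0.0.1", "1.2.3.4", trusted, fixed=True),
        "single_buggy": useragent_ip("127.0.0.1", "1.2.3.4", trusted, fixed=False),
        "chain_fixed": useragent_ip("127.0.0.1", "1.2.3.4, 5.6.7.8", trusted, fixed=True),
        "chain_buggy": useragent_ip("127.0.0.1", "1.2.3.4, 5.6.7.8", trusted, fixed=False),
    }

if __name__ == "__main__":
    for case, ip in reproducer().items():
        print(f"{case:13s} -> {ip}")
```

The chained case is the one that matters for defenders: with the buggy test the header's leftmost entry is reported even though 5.6.7.8 was never configured as a proxy, which is exactly the spoofing the report describes.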