Hi,
I checked and the latest version in trusty-updates is missing the patch for PR 54651 (link below):
https://svn.apache.org/viewvc?view=revision&revision=1569006
This fixes the case where mod_remoteip trusts multiple IP addresses in X-Forwarded-For if the client IP is trusted. This allows anyone to spoof the remote address by sending an X-Forwarded-For header to a trusted proxy (which will append its own IP to it).
Is it possible to ship this patch in trusty-updates?
To answer the common questions:
$ lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04
$ apt-cache policy apache2-bin
apache2-bin:
  Installed: 2.4.7-1ubuntu4.8
  Candidate: 2.4.7-1ubuntu4.8
  Version table:
 *** 2.4.7-1ubuntu4.8 0
        500 http://kartolo.sby.datautama.net.id/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.7-1ubuntu4.5 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.4.7-1ubuntu4 0
        500 http://kartolo.sby.datautama.net.id/ubuntu/ trusty/main amd64 Packages
Expected to happen: mod_remoteip should use the rightmost X-Forwarded-For entry if the client IP is in the trusted proxy list. It should then use the second rightmost entry if the rightmost entry is in the trusted proxy list, and so on.
What happened instead: mod_remoteip always checks the client IP against the trusted proxy list as it goes down the X-Forwarded-For entries. It will always set the remote IP to the leftmost entry in X-Forwarded-For if the client IP is trusted.
Regards,
William
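The following Python is an added illustration of the two behaviours the report contrasts; it is not code from httpd's mod_remoteip, from the reporter, or from the PR 54651 patch. It models the expected right-to-left walk over X-Forwarded-For (stop at the first hop that is not a trusted proxy) next to the behaviour the report describes for the unpatched module (keep consuming hops as long as the original peer is trusted, so the leftmost entry wins). The trusted-proxy ranges, the addresses and the header values are constructed for the example; the handling of an unparsable hop (treated as untrusted, which stops the walk) is an assumption, not a statement about what httpd does.

```python
import ipaddress

# Constructed for the example: the proxies the origin server is configured to trust
# (the analogue of RemoteIPTrustedProxy / RemoteIPInternalProxy entries).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def is_trusted(addr):
    """True if addr falls inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # assumption: an unparsable hop is treated as untrusted
    return any(ip in net for net in TRUSTED_PROXIES)


def split_xff(xff):
    """Split 'a, b, c' into ['a', 'b', 'c'], dropping empty entries."""
    return [h.strip() for h in xff.split(",") if h.strip()] if xff else []


def client_ip_rightmost_walk(remote_addr, xff):
    """Behaviour the report expects: start from the TCP peer; while the
    current candidate is a trusted proxy, take the rightmost remaining
    X-Forwarded-For entry as the new candidate.  The first address that is
    not a trusted proxy is the client."""
    hops = split_xff(xff)
    candidate = remote_addr
    while hops and is_trusted(candidate):
        candidate = hops.pop()          # rightmost entry = hop closest to us
    return candidate


def client_ip_buggy(remote_addr, xff):
    """Behaviour the report describes for the unpatched module: the trust
    check is made against the original peer on every step rather than the
    entry just consumed, so once the peer is trusted every entry is
    consumed and the leftmost (attacker-controlled) one is returned."""
    hops = split_xff(xff)
    candidate = remote_addr
    while hops and is_trusted(remote_addr):   # bug: never re-checks `candidate`
        candidate = hops.pop()
    return candidate


def spoof_scenario():
    """Attacker at 203.0.113.7 sends 'X-Forwarded-For: 1.2.3.4' to the
    trusted proxy 192.0.2.10, which appends the attacker's address and
    forwards the request.  Returns (correct_result, buggy_result)."""
    peer = "192.0.2.10"                     # the trusted proxy connecting to us
    xff = "1.2.3.4, 203.0.113.7"            # forged entry, then the real client
    return client_ip_rightmost_walk(peer, xff), client_ip_buggy(peer, xff)


if __name__ == "__main__":
    good, bad = spoof_scenario()
    print("rightmost walk ->", good)   # 203.0.113.7 (real client)
    print("buggy walk     ->", bad)    # 1.2.3.4 (spoofed)
    # Two trusted proxies in a row are skipped, then the walk stops:
    print(client_ip_rightmost_walk("192.0.2.10", "1.2.3.4, 203.0.113.7, 10.1.1.1"))
    # An untrusted peer means the header is not consulted at all:
    print(client_ip_rightmost_walk("203.0.113.7", "1.2.3.4"))
```

The useful check for a deployment is the second case in the `__main__` block: place a trusted proxy in front of the server, send a request carrying a forged X-Forwarded-For, and confirm that the logged remote address is the address the proxy appended, not the forged leftmost entry.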