Apache2 mod_remoteip+rewrite allows client to forge IP address

Bug #1769304 reported by Nicholas Sherlock on 2018-05-05
Affects            Status        Importance  Assigned to  Milestone
apache2 (Ubuntu)   Fix Released  Undecided   Unassigned   -
Xenial             Triaged       Medium      Unassigned   -

Bug Description

Apache bug #60251 describes this problem:

https://bz.apache.org/bugzilla/show_bug.cgi?id=60251

mod_remoteip allows us to set the client's IP address using a trusted proxy's X-Forwarded-For header. However, in a location which uses a RewriteRule, the last IP address in the chain is incorrectly stripped while redirecting to the new location, allowing a caller to forge whatever IP address they like by including it in an X-Forwarded-For header.

Version 2.4.18-2ubuntu3.8 is vulnerable to this in Xenial. This is fixed upstream in 2.4.24; can the fix be backported to xenial-updates?
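The header walk the report describes, as an added Python model that is not part of the bug report or of mod_remoteip's own code. It models how the client address is derived from the TCP peer and the X-Forwarded-For chain, then contrasts what a second walk over the already-rewritten header yields (the pre-2.4.24 behaviour on a RewriteRule internal redirect) with a redirect that reuses the first result. The trust list (standing in for RemoteIPInternalProxy), the addresses and the shape of the "fixed" function are constructed assumptions; the upstream patch itself is not reproduced, only its observable effect.

```python
import ipaddress

# Constructed trust list standing in for Apache's RemoteIPInternalProxy /
# RemoteIPTrustedProxy directives (assumption: one internal proxy network).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr: str, trusted=TRUSTED_PROXIES) -> bool:
    """True if addr belongs to a trusted proxy network; unparsable text is never trusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def resolve_client(peer_ip: str, xff_header: str, trusted=TRUSTED_PROXIES):
    """One pass of the X-Forwarded-For walk, modelled on mod_remoteip.

    Starting from the TCP peer, keep popping the rightmost header entry while the
    current address is a trusted proxy. The first untrusted address becomes the
    client; whatever is left of the header is what gets written back into the
    request's X-Forwarded-For header. Returns (client_ip, rewritten_header).
    """
    chain = [a.strip() for a in xff_header.split(",") if a.strip()]
    remote = peer_ip
    while chain and is_trusted(remote, trusted):
        remote = chain.pop()
    return remote, ", ".join(chain)


def client_after_rewrite_buggy(peer_ip: str, xff_header: str) -> str:
    """Pre-fix behaviour: the internal redirect raised by RewriteRule re-runs the
    walk on the already-rewritten header. The peer is still the trusted proxy, so
    the walk pops the next entry, which the original client supplied, and trusts it."""
    _first_client, rewritten = resolve_client(peer_ip, xff_header)
    second_client, _ = resolve_client(peer_ip, rewritten)
    return second_client


def client_after_rewrite_fixed(peer_ip: str, xff_header: str) -> str:
    """Post-fix behaviour (modelled, not the upstream code): the redirected request
    reuses the client address resolved on the original request instead of walking
    the rewritten header again."""
    first_client, _ = resolve_client(peer_ip, xff_header)
    return first_client


if __name__ == "__main__":
    # Constructed request: the real client 203.0.113.50 connects through trusted
    # proxy 10.0.0.1 and sends its own "X-Forwarded-For: 198.51.100.7"; the proxy
    # appends the real client, so the server sees "198.51.100.7, 203.0.113.50".
    peer, xff = "10.0.0.1", "198.51.100.7, 203.0.113.50"
    print("first pass    :", resolve_client(peer, xff))
    print("buggy redirect:", client_after_rewrite_buggy(peer, xff))
    print("fixed redirect:", client_after_rewrite_fixed(peer, xff))
```

The two-hop case (a second trusted proxy at the end of the chain) and the untrusted-peer case (header ignored entirely) behave the same way on the first pass in both variants; the difference only appears once a request is re-processed after an internal redirect, which is why a test case for this bug needs a RewriteRule in the path.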

information type: Private Security → Public Security
Changed in apache2 (Ubuntu):
status: New → Triaged
Andreas Hasenack (ahasenack) wrote:

This is fixed in bionic and later. Leaving a task open for xenial.

Links to the upstream fix:
https://svn.apache.org/viewvc?view=revision&revision=1767483
https://github.com/apache/httpd/commit/950093162e445141c5126e4d11e6466e3184b0ce

Changed in apache2 (Ubuntu):
status: Triaged → Fix Released
Changed in apache2 (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Medium
Andreas Hasenack (ahasenack) wrote:

Would be good to have a simple test case for this bug.
