Apache2 mod_remoteip+rewrite allows client to forge IP address

Bug #1769304 reported by Nicholas Sherlock on 2018-05-05
Affects: apache2 (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Apache bug #60251 describes this problem:

https://bz.apache.org/bugzilla/show_bug.cgi?id=60251

mod_remoteip allows us to set the client's IP address using a trusted proxy's X-Forwarded-For header. However, in a location which uses a RewriteRule, the last IP address in the chain is incorrectly stripped while redirecting to the new location, allowing a caller to forge whatever IP address they like by including it in an X-Forwarded-For header.

Version 2.4.18-2ubuntu3.8 is vulnerable to this in Xenial. This is fixed upstream in 2.4.24; can the fix be backported to xenial-updates?
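The following is an added illustration, not code from the bug report or from Apache: a small model of the trusted-proxy walk that mod_remoteip performs over X-Forwarded-For, placed beside a simplified model of the reported defect. The trusted network, proxy address and client addresses are constructed sample values, and the "evaluate the already-stripped header a second time" step is this example's own assumption about the behaviour the report describes, not a reproduction of Apache internals.

```python
import ipaddress

# Constructed sample data for this example (not taken from the bug report).
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # stands in for RemoteIPInternalProxy
PROXY_PEER = "10.0.0.5"         # the reverse proxy that connects to Apache
REAL_CLIENT = "198.51.100.9"    # address the proxy actually saw on its socket
FORGED_CLIENT = "203.0.113.7"   # value the client put in its own X-Forwarded-For


def is_trusted(addr, trusted=TRUSTED_PROXY_NETS):
    """True when addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def resolve_client(peer_addr, xff_header, trusted=TRUSTED_PROXY_NETS):
    """Return (client_ip, remaining_header).

    Walk X-Forwarded-For from the right, i.e. from the hop closest to us.
    A hop is only believed when the party that appended it (the address we
    currently hold) is a trusted proxy. The first untrusted address is the
    client; everything to its left was written by an untrusted party and is
    left alone. Consumed hops are removed from the returned header, mirroring
    a server that rewrites the header as it processes it.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    client = peer_addr
    while hops and is_trusted(client, trusted):
        candidate = hops[-1]
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: stop here and keep the last good address
        client = candidate
        hops.pop()
    return client, ", ".join(hops)


def resolve_once(peer_addr, xff_header):
    """Correct behaviour: the header is evaluated exactly once per request."""
    client, _ = resolve_client(peer_addr, xff_header)
    return client


def resolve_after_redirect(peer_addr, xff_header):
    """Simplified model of the reported defect (an assumption of this example):
    after the rewrite/redirect the already-stripped header is evaluated again
    while the connection still comes from the trusted proxy, so the walk
    continues one hop too far and lands on the client-supplied value."""
    _, stripped = resolve_client(peer_addr, xff_header)
    client, _ = resolve_client(peer_addr, stripped)
    return client


def demo():
    """Run the three cases a reviewer would want to compare."""
    xff = f"{FORGED_CLIENT}, {REAL_CLIENT}"  # the proxy appended the real address
    return {
        "untrusted_peer_ignores_header": resolve_once(REAL_CLIENT, xff),
        "single_evaluation": resolve_once(PROXY_PEER, xff),
        "re_evaluation_after_redirect": resolve_after_redirect(PROXY_PEER, xff),
    }


if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case}: {ip}")
```

With a single evaluation the result is the address the trusted proxy appended; with the header evaluated a second time after its consumed hop was stripped, the client-chosen value is reported instead. A practical check on a patched server is to log `%a` alongside `%{X-Forwarded-For}i` for a request that hits a RewriteRule and confirm that `%a` never equals a value the client supplied itself.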

information type: Private Security → Public Security
Changed in apache2 (Ubuntu):
status: New → Triaged