Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apache2 (Debian) |
New
|
Undecided
|
Unassigned | ||
apache2 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
* remoteip/
* Fix by backporting an upstream change added in 2.4.24 and later (was not
changed since the fix).
* The fix is small and only changes behavior in a very special case that
formerly was broken (if there was a useragent_addr on re-processing).
For other cases the behavior is unchanged.
[Test Case]
$ apt install apache2 libapache2-mod-php
define /etc/apache2/
<VirtualHost *:8080>
<IfModule mod_remoteip.c>
</IfModule>
<Directory /var/www/html>
</VirtualHost>
In File /etc/apache2/
Listen 80
to
Listen 8080
$ sudo a2enmod rewrite
$ sudo a2enmod remoteip
$ sudo a2enmod php7.0
$ systemctl restart apache2
$ apt install nginx
define file /etc/nginx/
server {
listen 80 default_server;
root /var/www/html;
server_name _;
location / {
}
}
$ systemctl restart nginx
define file /var/www/
<?php
echo $_SERVER[
?>
You need to do the following from a second host in the same network, do not use "localhost" as there it can't differentiate the processing no matter if fixed or not.
$ curl http://<IP>/index.php
127.0.0.1
$ curl http://<IP>/seo-
127.0.0.1
$ curl http://<IP>/seo-
1.1.1.1
Expected:
- the last one should not be the fake 1.1.1.1
- if you do this from a remote host it should show the remote IP for all three.
[Regression Potential]
* If remote_ip isn' enabled (the common case) the change should be a no-
op. It only is important when using remote_ip and processing things
twice e.g. on an error handler. There due to an issue it allowed to fake
the RemoteIP. Fixing that should fix the issue, but not break other
things - if anywhere then remoteIP handling would be the one expected to
see regressions of any sort, but most likely only if people started to
rely on the bad behavior.
[Other Info]
* one can debate if this is a security issue (crafting of wrong origin
logs) or not but I'll leave that to other people.
---
There is a bug in mod_remoteip (a part of Apache Web Server): https:/
Although the status of this bug is "NEW", actually it was fixed in Apache 2.4.24.
Although a CVE id was not requested yet, actually it is a vulnerability.
The fix was not backported to Ubuntu 16.04 (xenial).
Impact: if a victim uses Apache rewrite rules, then an attacker can spoof his IP address for logs and PHP scripts.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apache2 2.4.18-2ubuntu3.14
ProcVersionSign
Uname: Linux 4.4.0-22-generic x86_64
Apache2ConfdDir
ApportVersion: 2.20.1-0ubuntu2.23
Architecture: amd64
Date: Mon Apr 27 13:17:43 2020
SourcePackage: apache2
UpgradeStatus: No upgrade log present (probably fresh install)
error.log:
modified.
modified.
modified.
modified.
modified.
modified.
mtime.conffile.
mtime.conffile.
mtime.conffile.
mtime.conffile.
mtime.conffile.
mtime.conffile.
Related branches
- Rafael David Tinoco (community): Approve
- Canonical Server: Pending requested
- Canonical Server packageset reviewers: Pending requested
-
Diff: 79 lines (+57/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/lp-1875299-Merge-r1688399-from-trunk.patch (+49/-0)
debian/patches/series (+1/-0)
summary: |
- Apache's mod_repoteip: IP spoofing via X-Forwarded-For when mod_rewrite + Apache's mod_remoteip: IP spoofing via X-Forwarded-For when mod_rewrite rule is triggered |
summary: |
- Apache's mod_remoteip: IP spoofing via X-Forwarded-For when mod_rewrite - rule is triggered + Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when + mod_rewrite rule is triggered |
information type: | Private Security → Public Security |
Changed in apache2 (Ubuntu): | |
status: | Confirmed → Fix Released |
description: | updated |
description: | updated |
If you feel this is a real security vulnerability which has not received a CVE, you could try discuss with the apache developers and once a CVE has been assigned the Ubuntu Security team can fix it via a security update for Apache. Otherwise, this could be addressed via the Stable Release Update (SRU) process otherwise - https:/ /wiki.ubuntu. com/StableRelea seUpdates