Apache2 mod_remoteip+rewrite allows client to forge IP address

Bug #1769304 reported by Nicholas Sherlock on 2018-05-05
Affects: apache2 (Ubuntu)

Bug Description

Apache bug #60251 describes this problem:
mod_remoteip allows us to set the client's IP address using a trusted proxy's X-Forwarded-For header. However, in a location which uses a RewriteRule, the last IP address in the chain is incorrectly stripped while redirecting to the new location, allowing a caller to forge whatever IP address they like by including it in an X-Forwarded-For header.

Version 2.4.18-2ubuntu3.8 is vulnerable to this in Xenial. This is fixed upstream in 2.4.24, can the fix be backported to xenial-updates?
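The following is an added model of the behaviour described above, not code from the bug report or from Apache: it reproduces mod_remoteip's right-to-left walk over X-Forwarded-For (trusted proxies are consumed, the first untrusted entry becomes the client address) and shows how re-running that walk on the already-trimmed header, as happens on an internal redirect, hands the caller-supplied entry to the application. All addresses are constructed, and the "fixed" branch simply reuses the first-pass result, which is an assumption about the upstream change rather than its actual code.

```python
import ipaddress

# Constructed addresses for the demo (not taken from the bug report).
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # RemoteIPInternalProxy
PROXY_ADDR = "10.0.0.5"        # reverse proxy that connects to Apache
REAL_CLIENT = "203.0.113.7"    # address the proxy saw on its own socket
FORGED = "198.51.100.99"       # value an untrusted caller put in X-Forwarded-For


def is_trusted(addr: str, nets=TRUSTED_PROXY_NETS) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def resolve_once(peer: str, xff: str, nets=TRUSTED_PROXY_NETS):
    """One pass of mod_remoteip's logic: walk X-Forwarded-For from the right,
    consuming entries while the current candidate is a trusted proxy.
    Returns the chosen client address and the header with consumed entries
    removed (mod_remoteip rewrites the header the same way)."""
    chain = [a.strip() for a in xff.split(",") if a.strip()]
    client = peer
    while chain and is_trusted(client, nets):
        client = chain.pop()
    return client, ", ".join(chain)


def useragent_ip(peer: str, xff: str, internal_redirect: bool, fixed: bool) -> str:
    """Simulate a request that may be re-run by an internal redirect (a
    RewriteRule). The vulnerable path applies resolve_once again to the
    already-trimmed header; the fixed path (modelled here as reusing the
    first-pass result, an assumption) keeps the first answer."""
    client, remaining = resolve_once(peer, xff)
    if internal_redirect and not fixed:
        client, remaining = resolve_once(peer, remaining)
    return client


def demo() -> dict:
    """The proxy appended the real client to whatever the caller sent."""
    xff = f"{FORGED}, {REAL_CLIENT}"
    return {
        "plain": useragent_ip(PROXY_ADDR, xff, False, False),
        "rewrite_vulnerable": useragent_ip(PROXY_ADDR, xff, True, False),
        "rewrite_fixed": useragent_ip(PROXY_ADDR, xff, True, True),
    }
```

A simple regression test is therefore: with the rewrite in place, the address the application sees must still equal the one the proxy observed on its socket.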

information type: Private Security → Public Security
Changed in apache2 (Ubuntu):
status: New → Triaged
Andreas Hasenack (ahasenack) wrote :

This is fixed in bionic and later. Leaving a task open for xenial.

Links to the upstream fix:

Changed in apache2 (Ubuntu):
status: Triaged → Fix Released
Changed in apache2 (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Medium
Andreas Hasenack (ahasenack) wrote :

Would be good to have a simple test case for this bug.
