Apache2 mod_remoteip+rewrite allows client to forge IP address
Bug #1769304 reported by Nicholas Sherlock
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apache2 (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Xenial | Won't Fix | Medium | Unassigned | |
Bug Description
Apache bug #60251 describes this problem:
https:/
mod_remoteip allows us to set the client's IP address using a trusted proxy's X-Forwarded-For header. However, in a location which uses a RewriteRule, the last IP address in the chain is incorrectly stripped while redirecting to the new location, allowing a caller to forge whatever IP address they like by including it in an X-Forwarded-For header.
Version 2.4.18-2ubuntu3.8 is vulnerable to this in Xenial. This is fixed upstream in 2.4.24; can the fix be backported to xenial-updates?
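An added illustration of the behaviour the description outlines (this is example code, not code from the bug report, from httpd, or from the upstream fix): a trusted-proxy walk over X-Forwarded-For, the same walk re-run on the already-stripped header as happens on the internal redirect, and a variant that resolves the client address once per request. The proxy range, the sample addresses, and the `resolve_once`/`ctx` names are constructed for the example.

```python
import ipaddress

# Constructed sample: 10.0.0.0/8 stands in for the trusted proxy range.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def _is_trusted(ip, trusted):
    """True when ip is inside a trusted proxy network. Unparsable values are
    treated as untrusted so they end the walk rather than being skipped."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in trusted)


def client_ip_from_xff(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Walk X-Forwarded-For right-to-left like a trusted-proxy resolver.

    Starting from the TCP peer, each trusted hop may vouch for the entry to
    its left; the first untrusted address is the client. Returns
    (client_ip, header_with_consumed_entries_removed).
    """
    chain = [h.strip() for h in xff_header.split(",") if h.strip()]
    client = peer_ip
    while chain and _is_trusted(client, trusted):
        client = chain.pop()
    return client, ", ".join(chain)


def ip_seen_after_redirect(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Model of the reported defect: the header is consumed on the original
    request, the used entry is stripped, and the shortened header is walked
    again on the internal redirect with the same trusted peer.
    Returns (ip_on_first_pass, ip_on_second_pass)."""
    first, stripped = client_ip_from_xff(peer_ip, xff_header, trusted)
    second, _ = client_ip_from_xff(peer_ip, stripped, trusted)
    return first, second


def resolve_once(ctx, trusted=TRUSTED_PROXIES):
    """Hardened variant: resolve on the original request only and reuse the
    stored result on internal redirects instead of re-walking the header.
    ctx is a hypothetical per-request dict holding 'peer_ip' and 'xff'."""
    if "client_ip" not in ctx:
        ctx["client_ip"], ctx["xff"] = client_ip_from_xff(
            ctx["peer_ip"], ctx["xff"], trusted)
    return ctx["client_ip"]
```

With a trusted peer, a header of "forged, real-client" resolves to the real client on the first pass but to the forged value on the second, which is the outcome the report describes; `resolve_once` returns the real client both times.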
information type: Private Security → Public Security
Changed in apache2 (Ubuntu): status: New → Triaged
This is fixed in bionic and later. Leaving a task open for xenial.
Links to the upstream fix:
https://svn.apache.org/viewvc?view=revision&revision=1767483
https://github.com/apache/httpd/commit/950093162e445141c5126e4d11e6466e3184b0ce