
group.of.nepali.translators team mailing list archive

[Bug 1875299] Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered

 

After configuring nginx and apache, the file index.php has to be placed
in the document root directory (/var/www/html). This PHP file outputs
the value of the variable $_SERVER['REMOTE_ADDR'] which should always
carry the client's real IP address and should always contain trustworthy
values when being processed by a webserver.

In order to keep this simple, the following IPv4 addresses will be used:

Server IP: 192.168.1.1
Client IP: 192.168.2.2

Now our client wants to access our site by using the following command:

curl http://192.168.1.1/index.php
Output: 192.168.2.2 (As expected, the real IP address of the requesting client)

Let's assume the client accesses an SEO-friendly URL and should be
internally redirected to the file index.php. To test this, the following
curl command can be used:

curl http://192.168.1.1/seo-friendly-url/
Output: 192.168.2.2 (As expected)

So far so good. Let's assume our client provides the header
X-Forwarded-For with an arbitrary IP address:

curl http://192.168.1.1/seo-friendly-url/ -H "X-Forwarded-For: 1.1.1.1"
Output: 1.1.1.1 (Unexpected; should contain the real IP address instead of the Header value)


I hope the supplied configuration files and this short explanation can be of help. I am happy to provide additional information if needed.

** Also affects: apache2 (Debian)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1875299

Title:
  Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when
  mod_rewrite rule is triggered

Status in apache2 package in Ubuntu:
  Confirmed
Status in apache2 source package in Xenial:
  Triaged
Status in apache2 package in Debian:
  New

Bug description:
  There is a bug in mod_remoteip (a part of Apache Web Server): https://bz.apache.org/bugzilla/show_bug.cgi?id=60251
  Although the status of this bug is "NEW", actually it was fixed in Apache 2.4.24.
  Although a CVE id was not requested yet, actually it is a vulnerability.

  The fix was not backported to Ubuntu 16.04 (xenial).

  Impact: if a victim uses Apache rewrite rules, then an attacker can
  spoof his IP address for logs and PHP scripts.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: apache2 2.4.18-2ubuntu3.14
  ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
  Uname: Linux 4.4.0-22-generic x86_64
  Apache2ConfdDirListing: False
  ApportVersion: 2.20.1-0ubuntu2.23
  Architecture: amd64
  Date: Mon Apr 27 13:17:43 2020
  SourcePackage: apache2
  UpgradeStatus: No upgrade log present (probably fresh install)
  error.log:
   
  modified.conffile..etc.apache2.apache2.conf: [modified]
  modified.conffile..etc.apache2.mods-available.dir.conf: [modified]
  modified.conffile..etc.apache2.mods-available.ssl.conf: [modified]
  modified.conffile..etc.apache2.ports.conf: [modified]
  modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
  modified.conffile..etc.apache2.sites-available.default-ssl.conf: [modified]
  mtime.conffile..etc.apache2.apache2.conf: 2020-04-23T15:45:48.416970
  mtime.conffile..etc.apache2.mods-available.dir.conf: 2020-04-23T12:03:13.711062
  mtime.conffile..etc.apache2.mods-available.ssl.conf: 2020-04-23T12:02:44.854484
  mtime.conffile..etc.apache2.ports.conf: 2020-04-23T15:45:48.169037
  mtime.conffile..etc.apache2.sites-available.000-default.conf: 2020-04-23T15:45:48.197030
  mtime.conffile..etc.apache2.sites-available.default-ssl.conf: 2020-04-23T15:45:48.225022
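
The curl requests from the comment above, turned into a repeatable check for your own server (for example, to confirm that a fixed package is in place). This is an added example, not part of the original bug report; it assumes each URL returns only the REMOTE_ADDR value, as the report's index.php does, and the marker address and function names are constructed for illustration.

```shell
#!/bin/sh
# Usage: sh check.sh http://192.168.1.1/index.php http://192.168.1.1/seo-friendly-url/
# Assumption: the response body is just $_SERVER['REMOTE_ADDR'].

# Constructed marker address (TEST-NET-3 documentation range), sent as X-Forwarded-For.
MARKER="203.0.113.77"

# classify BASELINE SPOOFED MARKER -> prints OK, VULNERABLE, SUSPECT or ERROR
classify() {
    baseline=$1 spoofed=$2 marker=$3
    if [ -z "$baseline" ] || [ -z "$spoofed" ]; then
        echo "ERROR"        # no usable response, cannot decide
    elif [ "$spoofed" = "$marker" ]; then
        echo "VULNERABLE"   # the header value replaced REMOTE_ADDR
    elif [ "$spoofed" != "$baseline" ]; then
        echo "SUSPECT"      # address changed, but not to the marker
    else
        echo "OK"           # header from an untrusted client was ignored
    fi
}

# fetch URL [extra curl args...] -> prints the response body without whitespace
fetch() {
    url=$1; shift
    curl -fsS --max-time 5 "$@" "$url" | tr -d ' \r\n'
}

# check_url URL -> prints "<verdict> <url>"
check_url() {
    base=$(fetch "$1") || base=""
    spoof=$(fetch "$1" -H "X-Forwarded-For: $MARKER") || spoof=""
    echo "$(classify "$base" "$spoof" "$MARKER") $1"
}

# Check every URL given on the command line: the direct file and a rewritten URL.
for u in "$@"; do
    check_url "$u"
done
```

On an affected server the report's behaviour shows up as OK for the direct URL and VULNERABLE for the rewritten one.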
