group.of.nepali.translators team mailing list archive

[Bug 1875299] Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered

 

This bug was fixed in the package apache2 - 2.4.18-2ubuntu3.15

---------------
apache2 (2.4.18-2ubuntu3.15) xenial; urgency=medium

  * d/p/lp-1875299-Merge-r1688399-from-trunk.patch: use r_useragent_addr as
    the root trusted address (LP: #1875299)

 -- Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>  Mon, 15 Jun 2020 16:09:55 +0200

** Changed in: apache2 (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1875299

Title:
  Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when
  mod_rewrite rule is triggered

Status in apache2 package in Ubuntu:
  Fix Released
Status in apache2 source package in Xenial:
  Fix Released
Status in apache2 package in Debian:
  New

Bug description:
  [Impact]

   * remoteip/mod_rewrite and a proxy might allow faking the source URL

   * Fix by backporting an upstream change added in 2.4.24 and later (was not
     changed since the fix).

   * The fix is small and only changes behavior in a very special case that
     formerly was broken (if there was a useragent_addr on re-processing).
     For other cases the behavior is unchanged.

  [Test Case]

  $ apt install apache2 libapache2-mod-php

  define /etc/apache2/sites-enabled/000-default.conf as:
  <VirtualHost *:8080>
          DocumentRoot /var/www/html

          <IfModule mod_remoteip.c>
                  RemoteIPInternalProxy 127.0.0.1
                  RemoteIPHeader X-Forwarded-For
          </IfModule>

          <Directory /var/www/html>
                  RewriteEngine On
                  RewriteRule .* index.php [L,QSA]
          </Directory>
  </VirtualHost>

  In File /etc/apache2/ports.conf change
  Listen 80
  to
  Listen 8080

  $ sudo a2enmod rewrite
  $ sudo a2enmod remoteip
  $ sudo a2enmod php7.0
  $ systemctl restart apache2

  $ apt install nginx

  define file /etc/nginx/sites-enabled/default as:
  server {
          listen 80 default_server;
          root /var/www/html;
          server_name _;

          location / {
                  proxy_pass http://127.0.0.1:8080;
                  proxy_set_header Host $host;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          }
  }

  $ systemctl restart nginx

  define file /var/www/html/index.php as:
  <?php
  echo $_SERVER['REMOTE_ADDR'] . "\n";
  ?>

  You need to do the following from a second host in the same network,
  do not use "localhost" as there it can't differentiate the processing
  no matter if fixed or not.

  $ curl http://<IP>/index.php
  127.0.0.1
  $ curl http://<IP>/seo-friendly-url
  127.0.0.1
  $ curl http://<IP>/seo-friendly-url -H "X-Forwarded-For: 1.1.1.1"
  1.1.1.1

  Expected:
  - the last one should not be the fake 1.1.1.1
  - if you do this from a remote host it should show the remote IP for all three.

  [Regression Potential]

   * If remote_ip isn't enabled (the common case) the change should be a
     no-op. It only is important when using remote_ip and processing things
     twice e.g. on an error handler. There due to an issue it allowed to fake
     the RemoteIP. Fixing that should fix the issue, but not break other
     things - if anywhere then remoteIP handling would be the one expected to
     see regressions of any sort, but most likely only if people started to
     rely on the bad behavior.

  [Other Info]

   * one can debate if this is a security issue (crafting of wrong origin
     logs) or not but I'll leave that to other people.

  ---

  There is a bug in mod_remoteip (a part of Apache Web Server): https://bz.apache.org/bugzilla/show_bug.cgi?id=60251
  Although the status of this bug is "NEW", actually it was fixed in Apache 2.4.24.
  Although a CVE id was not requested yet, actually it is a vulnerability.

  The fix was not backported to Ubuntu 16.04 (xenial).

  Impact: if a victim uses Apache rewrite rules, then an attacker can
  spoof his IP address for logs and PHP scripts.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: apache2 2.4.18-2ubuntu3.14
  ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
  Uname: Linux 4.4.0-22-generic x86_64
  Apache2ConfdDirListing: False
  ApportVersion: 2.20.1-0ubuntu2.23
  Architecture: amd64
  Date: Mon Apr 27 13:17:43 2020
  SourcePackage: apache2
  UpgradeStatus: No upgrade log present (probably fresh install)

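
The double processing described in this report, as a simplified model added here (not Apache's code and not part of the original bug report). It assumes mod_remoteip consumes X-Forwarded-For from the right while the current peer is a trusted proxy and leaves the rest in the header, and that the rewrite's internal redirect runs that walk a second time; 203.0.113.7 is a constructed client address and the function names are hypothetical.

```python
# Simplified model of mod_remoteip's X-Forwarded-For handling (added example,
# not Apache's code). 203.0.113.7 is a constructed stand-in for the real client.
TRUSTED = {"127.0.0.1"}  # RemoteIPInternalProxy 127.0.0.1


def nginx_xff(client_header, peer_addr):
    """nginx $proxy_add_x_forwarded_for: append the peer to the client's header."""
    return f"{client_header}, {peer_addr}" if client_header else peer_addr


def walk(root_addr, xff):
    """Consume hops from the right while the current peer is a trusted proxy.

    Returns (client address, header left over for any later pass).
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    addr = root_addr
    while hops and addr in TRUSTED:
        addr = hops.pop()
    return addr, ", ".join(hops)


def remote_addr(conn_addr, xff, rewritten, fixed):
    """REMOTE_ADDR seen by index.php; `rewritten` means a RewriteRule fired."""
    useragent = conn_addr
    for n in range(2 if rewritten else 1):
        # Unfixed: every pass restarts from the TCP peer (the proxy).
        # Fixed: a re-run starts from the address the first pass settled on.
        root = useragent if (fixed and n > 0) else conn_addr
        if xff:
            useragent, xff = walk(root, xff)
    return useragent


if __name__ == "__main__":
    header = nginx_xff("1.1.1.1", "203.0.113.7")  # curl -H "X-Forwarded-For: 1.1.1.1"
    for fixed in (False, True):
        print("fixed" if fixed else "unfixed",
              remote_addr("127.0.0.1", header, rewritten=True, fixed=fixed))
```

In the unfixed model the first pass stops at the real client and leaves `1.1.1.1` in the header, and the second pass, starting again from the trusted proxy, accepts it.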