[Bug 1511222] [NEW] Incorrect trusted proxy match test in mod_remoteip

Launchpad Bug Tracker 1511222 at bugs.launchpad.net
Fri Oct 30 07:37:37 UTC 2015


You have been subscribed to a public bug by Robie Basak (racb):

Hi,

I checked and the latest version in trusty-updates is missing the patch
for PR 54651 (link below):

https://svn.apache.org/viewvc?view=revision&revision=1569006

This fixes the case where mod_remoteip trusts multiple IP addresses in
X-Forwarded-For if the client IP is trusted. This allows anyone to spoof
the remote address by sending an X-Forwarded-For header to a trusted
proxy (which will append its own IP to it).

Is it possible to ship this patch in trusty-updates?

To answer the common questions:

$ lsb_release -rd
Description:    Ubuntu 14.04.3 LTS
Release:        14.04

$ apt-cache policy apache2-bin
apache2-bin:
  Installed: 2.4.7-1ubuntu4.8
  Candidate: 2.4.7-1ubuntu4.8
  Version table:
 *** 2.4.7-1ubuntu4.8 0
        500 http://kartolo.sby.datautama.net.id/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.7-1ubuntu4.5 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.4.7-1ubuntu4 0
        500 http://kartolo.sby.datautama.net.id/ubuntu/ trusty/main amd64 Packages

Expected to happen: mod_remoteip should use the rightmost X-Forwarded-For
entry if the client IP is in the trusted proxy list. It should then
use the second rightmost entry if the rightmost entry is in the trusted
proxy list, and so on.

What happened instead: mod_remoteip always checks the client IP against
the trusted proxy list as it goes down the X-Forwarded-For entries. It
will always set the remote IP to the leftmost entry in X-Forwarded-For
if the client IP is trusted.

Regards,
William

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Incorrect trusted proxy match test in mod_remoteip
https://bugs.launchpad.net/bugs/1511222
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to the bug report.
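The two behaviours the report describes, modelled side by side as an added example (this is not Apache's code, nor anything from the bug report). It assumes a simplified model of the mod_remoteip walk: start from the TCP peer address, and while the address currently under consideration is a trusted proxy, replace it with the rightmost remaining X-Forwarded-For entry. The buggy variant tests the original peer on every iteration instead of the entry it just consumed, which is the defect the report points at: once the peer is trusted, every entry is consumed and the leftmost, fully client-controlled one wins. The addresses and header values are constructed for the demonstration.

```python
import ipaddress
from typing import List

# Constructed trusted-proxy list for the demo (analogous to RemoteIPTrustedProxy).
TRUSTED_PROXIES = ["10.0.0.0/8"]


def parse_trusted(entries: List[str]) -> List[ipaddress._BaseNetwork]:
    """Turn address/CIDR strings into network objects for membership tests."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For value into its comma-separated entries (left to right)."""
    return [p.strip() for p in header.split(",") if p.strip()]


def is_trusted(addr: str, trusted: List[ipaddress._BaseNetwork]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def resolve_correct(remote_addr: str, xff: str, trusted: List[ipaddress._BaseNetwork]) -> str:
    """Expected behaviour: walk X-Forwarded-For from the right, stopping at the
    first hop that is NOT a trusted proxy. If every hop is trusted the leftmost
    entry is returned (simplification of the real module's exhausted-list case)."""
    entries = parse_xff(xff)
    current = remote_addr
    while entries and is_trusted(current, trusted):
        current = entries.pop()  # consume the rightmost remaining entry
    return current


def resolve_buggy(remote_addr: str, xff: str, trusted: List[ipaddress._BaseNetwork]) -> str:
    """Behaviour the report observed: the trust test is made against the
    original peer every time, so a trusted peer causes ALL entries to be
    consumed and the leftmost (attacker-supplied) one becomes the remote IP."""
    entries = parse_xff(xff)
    current = remote_addr
    while entries and is_trusted(remote_addr, trusted):  # BUG: should test `current`
        current = entries.pop()
    return current


def compare(remote_addr: str, xff: str) -> dict:
    """Run both variants on one request and report what each would log/authorize."""
    trusted = parse_trusted(TRUSTED_PROXIES)
    return {
        "correct": resolve_correct(remote_addr, xff, trusted),
        "buggy": resolve_buggy(remote_addr, xff, trusted),
    }


if __name__ == "__main__":
    # Constructed request: real client 203.0.113.7 connects through trusted proxy
    # 10.0.0.1 and supplies its own X-Forwarded-For; the proxy appends 203.0.113.7.
    print(compare("10.0.0.1", "198.51.100.99, 203.0.113.7"))
    # Constructed request: two trusted proxies in a row; both variants agree here.
    print(compare("10.0.0.1", "203.0.113.7, 10.0.0.2"))
    # Constructed request: an untrusted peer's header is ignored by both variants.
    print(compare("203.0.113.7", "198.51.100.99"))
```

The first case is the one the report cares about: the fixed logic stops at 203.0.113.7 because that hop is not a trusted proxy, while the buggy logic keeps consuming entries and records 198.51.100.99, a value the client chose. Access-control rules, rate limits and log-based detections keyed on the remote IP are only as good as this walk, so a useful post-patch check is to send a request with a spoofed X-Forwarded-For through one trusted hop and confirm the logged address is the hop's real peer.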
