https://bugzilla.redhat.com/show_bug.cgi?id=1174872
Bug ID: 1174872
Summary: rabbitmq-server: insufficient 'X-Forwarded-For' header validation
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: [email protected]
Reporter: [email protected]
In RabbitMQ, the 'loopback_users' configuration directive specifies a list of
users that are only permitted to connect to the broker via localhost.
It was found that RabbitMQ's management plug-in did not sufficiently
validate the 'X-Forwarded-For' header when determining the remote address. A
remote attacker able to send a specially crafted 'X-Forwarded-For' header to
RabbitMQ could use this flaw to connect to the broker as if they were a
localhost user. Note that the attacker must know valid user credentials in
order to connect to the broker.
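As an added illustration, not code from the report or from RabbitMQ, the address-resolution logic the report describes, in Python: the naive resolver honours 'X-Forwarded-For' from any peer, while the hardened one honours it only when the TCP peer is a configured reverse proxy. The loopback user list, proxy address and request headers are constructed sample values.

```python
import ipaddress

# Constructed sample configuration (not from the bug report): one user
# restricted to localhost, and the reverse proxy the broker may trust.
LOOPBACK_USERS = {"guest"}
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def remote_addr_naive(peer_ip, headers):
    """Pre-fix behaviour described in the report: whatever the client puts
    in X-Forwarded-For is taken as the remote address, whoever sent it."""
    xff = headers.get("x-forwarded-for")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(peer_ip)


def remote_addr_hardened(peer_ip, headers, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    walk the chain from the right (the hop the proxy itself appended),
    skipping further trusted proxies. A client-supplied leading entry such
    as 127.0.0.1 is therefore never selected."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted_proxies:
        return peer
    chain = [ipaddress.ip_address(hop.strip())
             for hop in headers.get("x-forwarded-for", "").split(",")
             if hop.strip()]
    for hop in reversed(chain):
        if hop not in trusted_proxies:
            return hop
    return peer


def login_permitted(user, client_addr, loopback_users=LOOPBACK_USERS):
    """Members of loopback_users may only connect from a loopback address."""
    return user not in loopback_users or client_addr.is_loopback


# Constructed requests: a direct remote client claiming to be localhost, and
# the same claim relayed by the trusted proxy, which appends the real client.
SPOOFED_DIRECT = {"x-forwarded-for": "127.0.0.1"}
SPOOFED_VIA_PROXY = {"x-forwarded-for": "127.0.0.1, 198.51.100.3"}
```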
Upstream patches:
http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d
References:
https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM
http://www.rabbitmq.com/release-notes/README-3.4.0.txt
_______________________________________________
erlang mailing list
[email protected]
https://lists.fedoraproject.org/mailman/listinfo/erlang