** Description changed:
+ [Impact]
+
+ * remoteip/mod_rewrite and a proxy might allow faking the source URL
+
+ * TBD - once the fix was analyzed
+
+ [Test Case]
+
+ $ apt install apache2 libapache2-mod-php
+
+ define /etc/apache2/sites-enabled/000-default.conf as:
+ <VirtualHost *:8080>
+ DocumentRoot /var/www/html
+
+ <IfModule mod_remoteip.c>
+ RemoteIPInternalProxy 127.0.0.1
+ RemoteIPHeader X-Forwarded-For
+ </IfModule>
+
+ <Directory /var/www/html>
+ RewriteEngine On
+ RewriteRule .* index.php [L,QSA]
+ </Directory>
+ </VirtualHost>
+
+ In File /etc/apache2/ports.conf change
+ Listen 80
+ to
+ Listen 8080
+
+ $ sudo a2enmod rewrite
+ $ sudo a2enmod remoteip
+ $ sudo a2enmod php7.0
+ $ systemctl restart apache2
+
+ $ apt install nginx
+
+ define file /etc/nginx/sites-enabled/default as:
+ server {
+ listen 80 default_server;
+ root /var/www/html;
+ server_name _;
+
+ location / {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+ }
+
+ $ systemctl restart nginx
+
+ define file /var/www/html/index.php as:
+ <?php
+ echo $_SERVER['REMOTE_ADDR'] . "\n";
+ ?>
+
+ $ curl http://localhost/index.php
+ 127.0.0.1
+ $ curl http://localhost/seo-friendly-url
+ 127.0.0.1
+ $ curl http://localhost/seo-friendly-url -H "X-Forwarded-For: 1.1.1.1"
+ 1.1.1.1
+
+ Expected:
+ - the last one should not be the fake 1.1.1.1
+ - if you do this from a remote host it should show the remote IP for all
three.
+
+ [Regression Potential]
+
+ * TBD
+
+ [Other Info]
+
+ * one can debate if this is a security issue (crafting of wrong origin
+ logs) or not but I'll leave that to other people.
+
+ ---
+
There is a bug in mod_remoteip (a part of Apache Web Server):
https://bz.apache.org/bugzilla/show_bug.cgi?id=60251
Although the status of this bug is "NEW", actually it was fixed in Apache
2.4.24.
Although a CVE id was not requested yet, actually it is a vulnerability.
The fix was not backported to Ubuntu 16.04 (xenial).
Impact: if a victim uses Apache rewrite rules, then an attacker can
spoof his IP address for logs and PHP scripts.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apache2 2.4.18-2ubuntu3.14
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic x86_64
Apache2ConfdDirListing: False
ApportVersion: 2.20.1-0ubuntu2.23
Architecture: amd64
Date: Mon Apr 27 13:17:43 2020
SourcePackage: apache2
UpgradeStatus: No upgrade log present (probably fresh install)
error.log:
-
+
modified.conffile..etc.apache2.apache2.conf: [modified]
modified.conffile..etc.apache2.mods-available.dir.conf: [modified]
modified.conffile..etc.apache2.mods-available.ssl.conf: [modified]
modified.conffile..etc.apache2.ports.conf: [modified]
modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
modified.conffile..etc.apache2.sites-available.default-ssl.conf: [modified]
mtime.conffile..etc.apache2.apache2.conf: 2020-04-23T15:45:48.416970
mtime.conffile..etc.apache2.mods-available.dir.conf:
2020-04-23T12:03:13.711062
mtime.conffile..etc.apache2.mods-available.ssl.conf:
2020-04-23T12:02:44.854484
mtime.conffile..etc.apache2.ports.conf: 2020-04-23T15:45:48.169037
mtime.conffile..etc.apache2.sites-available.000-default.conf:
2020-04-23T15:45:48.197030
mtime.conffile..etc.apache2.sites-available.default-ssl.conf:
2020-04-23T15:45:48.225022
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1875299
Title:
Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when
mod_rewrite rule is triggered
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1875299/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
