** Description changed:

  [Impact]
  
-  * remoteip/mod_rewrite and a proxy might allow faking the source URL
+  * remoteip/mod_rewrite and a proxy might allow faking the source URL
  
-  * TBD - once the fix was analyzed
+  * Fix by backporting an upstream change added in 2.4.24 and later (was not 
+    changed since the fix).
+ 
+  * The fix is small and only changes behavior in a very special case that 
+    formerly was broken (if there was a useragent_addr on re-processing). 
+    For other cases the behavior is unchanged.
  
  [Test Case]
  
  $ apt install apache2 libapache2-mod-php
  
  define /etc/apache2/sites-enabled/000-default.conf as:
  <VirtualHost *:8080>
-         DocumentRoot /var/www/html
+         DocumentRoot /var/www/html
  
-         <IfModule mod_remoteip.c>
-                 RemoteIPInternalProxy 127.0.0.1
-                 RemoteIPHeader X-Forwarded-For
-         </IfModule>
+         <IfModule mod_remoteip.c>
+                 RemoteIPInternalProxy 127.0.0.1
+                 RemoteIPHeader X-Forwarded-For
+         </IfModule>
  
-         <Directory /var/www/html>
-                 RewriteEngine On
-                 RewriteRule .* index.php [L,QSA]
-         </Directory>
+         <Directory /var/www/html>
+                 RewriteEngine On
+                 RewriteRule .* index.php [L,QSA]
+         </Directory>
  </VirtualHost>
  
  In File /etc/apache2/ports.conf change
  Listen 80
  to
  Listen 8080
  
  $ sudo a2enmod rewrite
  $ sudo a2enmod remoteip
  $ sudo a2enmod php7.0
  $ systemctl restart apache2
  
  $ apt install nginx
  
  define file /etc/nginx/sites-enabled/default as:
  server {
-         listen 80 default_server;
-         root /var/www/html;
-         server_name _;
+         listen 80 default_server;
+         root /var/www/html;
+         server_name _;
  
-         location / {
-                 proxy_pass http://127.0.0.1:8080;
-                 proxy_set_header Host $host;
-                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-         }
+         location / {
+                 proxy_pass http://127.0.0.1:8080;
+                 proxy_set_header Host $host;
+                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+         }
  }
  
  $ systemctl restart nginx
  
  define file /var/www/html/index.php as:
  <?php
  echo $_SERVER['REMOTE_ADDR'] . "\n";
  ?>
  
  $ curl http://localhost/index.php
  127.0.0.1
  $ curl http://localhost/seo-friendly-url
  127.0.0.1
  $ curl http://localhost/seo-friendly-url -H "X-Forwarded-For: 1.1.1.1"
  1.1.1.1
  
  Expected:
  - the last one should not be the fake 1.1.1.1
  - if you do this from a remote host it should show the remote IP for all three.
  
  [Regression Potential]
  
-  * TBD
+  * If remote_ip isn' enabled (the common case) the change should be a no-
+    op. It only is important when using remote_ip and processing things 
+    twice e.g. on an error handler. There due to an issue it allowed to fake 
+    the RemoteIP. Fixing that should fix the issue, but not break other 
+    things - if anywhere then remoteIP handling would be the one expected to 
+    see regressions of any sort, but most likely only if people started to 
+    rely on the bad behavior.
  
  [Other Info]
-  
-  * one can debate if this is a security issue (crafting of wrong origin 
-    logs) or not but I'll leave that to other people.
+ 
+  * one can debate if this is a security issue (crafting of wrong origin
+    logs) or not but I'll leave that to other people.
  
  ---
  
  There is a bug in mod_remoteip (a part of Apache Web Server): https://bz.apache.org/bugzilla/show_bug.cgi?id=60251
  Although the status of this bug is "NEW", actually it was fixed in Apache 2.4.24.
  Although a CVE id was not requested yet, actually it is a vulnerability.
  
  The fix was not backported to Ubuntu 16.04 (xenial).
  
  Impact: if a victim uses Apache rewrite rules, then an attacker can
  spoof his IP address for logs and PHP scripts.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: apache2 2.4.18-2ubuntu3.14
  ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
  Uname: Linux 4.4.0-22-generic x86_64
  Apache2ConfdDirListing: False
  ApportVersion: 2.20.1-0ubuntu2.23
  Architecture: amd64
  Date: Mon Apr 27 13:17:43 2020
  SourcePackage: apache2
  UpgradeStatus: No upgrade log present (probably fresh install)
  error.log:
  
  modified.conffile..etc.apache2.apache2.conf: [modified]
  modified.conffile..etc.apache2.mods-available.dir.conf: [modified]
  modified.conffile..etc.apache2.mods-available.ssl.conf: [modified]
  modified.conffile..etc.apache2.ports.conf: [modified]
  modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
  modified.conffile..etc.apache2.sites-available.default-ssl.conf: [modified]
  mtime.conffile..etc.apache2.apache2.conf: 2020-04-23T15:45:48.416970
  mtime.conffile..etc.apache2.mods-available.dir.conf: 2020-04-23T12:03:13.711062
  mtime.conffile..etc.apache2.mods-available.ssl.conf: 2020-04-23T12:02:44.854484
  mtime.conffile..etc.apache2.ports.conf: 2020-04-23T15:45:48.169037
  mtime.conffile..etc.apache2.sites-available.000-default.conf: 2020-04-23T15:45:48.197030
  mtime.conffile..etc.apache2.sites-available.default-ssl.conf: 2020-04-23T15:45:48.225022

https://bugs.launchpad.net/bugs/1875299

Title:
  Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when
  mod_rewrite rule is triggered
