2.4.24 30060fb18dcbb189d66bcc5a6f66f50fe7d5d3d4
2.4.18 b82d3c64494b7a59c13f03d169631177c1f6170d
Notes to not-nice-but-working build from git :-):

$ git clean -x -f -d
$ wget https://apache.mirror.digionline.de//apr/apr-util-1.6.1.tar.gz -O /tmp/apru.tgz
$ wget https://apache.mirror.digionline.de//apr/apr-1.7.0.tar.gz -O /tmp/apr.tgz
$ tar -xf /tmp/apr.tgz -C srclib/
$ tar -xf /tmp/apru.tgz -C srclib/
$ mv srclib/apr-1.7.0 srclib/apr
$ mv srclib/apr-util-1.6.1 srclib/apr-util
$ ./buildconf
$ ./configure --enable-layout=Debian --enable-so --with-program-name=apache2 --enable-suexec --with-suexec-caller=www-data --with-suexec-bin=/usr/lib/apache2/suexec --with-suexec-docroot=/var/www --with-suexec-userdir=public_html --with-suexec-logfile=/var/log/apache2/suexec.log --with-suexec-uidmin=100 --enable-suexec=shared --enable-log-config=static --with-apr=/usr/bin/apr-1-config --with-apr-util=/usr/bin/apu-1-config --with-pcre=yes --enable-pie --enable-mpms-shared=all --enable-mods-shared="all cgi ident proxy_fdpass" --enable-mods-static="unixd logio watchdog version" CFLAGS="-pipe" LDFLAGS="-Wl,--as-needed" LTFLAGS="--no-silent"
$ printf "all:\n\techo yeah\ninstall:\n\techo yeah" > srclib/Makefile
$ make
$ make install
$ md5sum /usr/lib/apache2/modules/mod_remoteip.so /usr/lib/apache2/modules/mod_rewrite.so /usr/sbin/apache2; ll /usr/lib/apache2/modules/mod_remoteip.so /usr/lib/apache2/modules/mod_rewrite.so /usr/sbin/apache2
$ systemctl restart apache2

2.2.24
a956ffb3146d4d573c9d5b558f425543  /usr/lib/apache2/modules/mod_remoteip.so
3da6c1a5cd722a5929dbcd7aec3b25da  /usr/lib/apache2/modules/mod_rewrite.so
d1bdb21f7aaf9863fd50edd0f47686ab  /usr/sbin/apache2
-rwxr-xr-x 1 root root  18288 Jun 16 08:04 /usr/lib/apache2/modules/mod_remoteip.so*
-rwxr-xr-x 1 root root  96384 Jun 16 08:05 /usr/lib/apache2/modules/mod_rewrite.so*
-rwxr-xr-x 1 root root 933200 Jun 16 08:05 /usr/sbin/apache2*
=> works

2.2.18
8bbf7be2a5a718045f85eb88e5cf3c98  /usr/lib/apache2/modules/mod_remoteip.so
bbb2b45e6c1da8e346b19e223fafe6c5  /usr/lib/apache2/modules/mod_rewrite.so
2877029808bfd25df927bc1068d6f4c0  /usr/sbin/apache2
-rwxr-xr-x 1 root root  18288 Jun 16 08:28 /usr/lib/apache2/modules/mod_remoteip.so*
-rwxr-xr-x 1 root root  96264 Jun 16 08:28 /usr/lib/apache2/modules/mod_rewrite.so*
-rwxr-xr-x 1 root root 898528 Jun 16 08:28 /usr/sbin/apache2*
=> Fails

This already looked like git-bisect land, when on testing these builds I found that the local test:

$ curl http://localhost/seo-friendly-url -H "X-Forwarded-For: 1.1.1.1"

can still be fooled, while at the same time any remote access like

$ curl 10.253.194.202/foo -H "X-Forwarded-For: 1.1.1.1"

responds to the fix as expected.

Once that was learned I can say that my fix in the PPA actually works; the only change is that the curl test has to be from another host.

@Marcus - can you confirm that in your testing?

** Description changed:

  [Impact]

   * remoteip/mod_rewrite and a proxy might allow faking the source URL
-  * Fix by backporting an upstream change added in 2.4.24 and later (was not
-    changed since the fix).
+  * Fix by backporting an upstream change added in 2.4.24 and later (was not
+    changed since the fix).

-  * The fix is small and only changes behavior in a very special case that
-    formerly was broken (if there was a useragent_addr on re-processing).
-    For other cases the behavior is unchanged.
+  * The fix is small and only changes behavior in a very special case that
+    formerly was broken (if there was a useragent_addr on re-processing).
+    For other cases the behavior is unchanged.
  [Test Case]

  $ apt install apache2 libapache2-mod-php

  define /etc/apache2/sites-enabled/000-default.conf as:

  <VirtualHost *:8080>
      DocumentRoot /var/www/html
      <IfModule mod_remoteip.c>
          RemoteIPInternalProxy 127.0.0.1
          RemoteIPHeader X-Forwarded-For
      </IfModule>
      <Directory /var/www/html>
          RewriteEngine On
          RewriteRule .* index.php [L,QSA]
      </Directory>
  </VirtualHost>

  In file /etc/apache2/ports.conf change "Listen 80" to "Listen 8080".

  $ sudo a2enmod rewrite
  $ sudo a2enmod remoteip
  $ sudo a2enmod php7.0
  $ systemctl restart apache2

  $ apt install nginx

  define file /etc/nginx/sites-enabled/default as:

  server {
      listen 80 default_server;
      root /var/www/html;
      server_name _;
      location / {
          proxy_pass http://127.0.0.1:8080;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      }
  }

  $ systemctl restart nginx

  define file /var/www/html/index.php as:

  <?php echo $_SERVER['REMOTE_ADDR'] . "\n"; ?>

-  $ curl http://localhost/index.php
+  You need to do the following from a second host in the same network, do
+  not use "localhost" as there it can't differentiate the processing no
+  matter if fixed or not.
+
+  $ curl http://<IP>/index.php
  127.0.0.1
-  $ curl http://localhost/seo-friendly-url
+  $ curl http://<IP>/seo-friendly-url
  127.0.0.1
-  $ curl http://localhost/seo-friendly-url -H "X-Forwarded-For: 1.1.1.1"
+  $ curl http://<IP>/seo-friendly-url -H "X-Forwarded-For: 1.1.1.1"
  1.1.1.1

  Expected:
  - the last one should not be the fake 1.1.1.1
  - if you do this from a remote host it should show the remote IP for all three.

  [Regression Potential]

   * If remote_ip isn't enabled (the common case) the change should be a no-
-    op. It only is important when using remote_ip and processing things
-    twice e.g. on an error handler. There due to an issue it allowed to fake
-    the RemoteIP. Fixing that should fix the issue, but not break other
-    things - if anywhere then remoteIP handling would be the one expected to
-    see regressions of any sort, but most likely only if people started to
-    rely on the bad behavior.
+    op. It only is important when using remote_ip and processing things
+    twice e.g. on an error handler. There due to an issue it allowed to fake
+    the RemoteIP. Fixing that should fix the issue, but not break other
+    things - if anywhere then remoteIP handling would be the one expected to
+    see regressions of any sort, but most likely only if people started to
+    rely on the bad behavior.

  [Other Info]

   * one can debate if this is a security issue (crafting of wrong origin logs) or not, but I'll leave that to other people.

  ---

  There is a bug in mod_remoteip (a part of Apache Web Server):
  https://bz.apache.org/bugzilla/show_bug.cgi?id=60251

  Although the status of this bug is "NEW", it was actually fixed in Apache 2.4.24. Although a CVE id was not requested yet, it is actually a vulnerability. The fix was not backported to Ubuntu 16.04 (xenial).

  Impact: if a victim uses Apache rewrite rules, then an attacker can spoof his IP address for logs and PHP scripts.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apache2 2.4.18-2ubuntu3.14
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic x86_64
Apache2ConfdDirListing: False
ApportVersion: 2.20.1-0ubuntu2.23
Architecture: amd64
Date: Mon Apr 27 13:17:43 2020
SourcePackage: apache2
UpgradeStatus: No upgrade log present (probably fresh install)
error.log:

modified.conffile..etc.apache2.apache2.conf: [modified]
modified.conffile..etc.apache2.mods-available.dir.conf: [modified]
modified.conffile..etc.apache2.mods-available.ssl.conf: [modified]
modified.conffile..etc.apache2.ports.conf: [modified]
modified.conffile..etc.apache2.sites-available.000-default.conf: [modified]
modified.conffile..etc.apache2.sites-available.default-ssl.conf: [modified]
mtime.conffile..etc.apache2.apache2.conf: 2020-04-23T15:45:48.416970
mtime.conffile..etc.apache2.mods-available.dir.conf: 2020-04-23T12:03:13.711062
mtime.conffile..etc.apache2.mods-available.ssl.conf: 2020-04-23T12:02:44.854484
mtime.conffile..etc.apache2.ports.conf: 2020-04-23T15:45:48.169037
mtime.conffile..etc.apache2.sites-available.000-default.conf: 2020-04-23T15:45:48.197030
mtime.conffile..etc.apache2.sites-available.default-ssl.conf: 2020-04-23T15:45:48.225022

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1875299

Title:
  Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when
  mod_rewrite rule is triggered

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1875299/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
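The thread above turns on two points: which X-Forwarded-For hop a server behind a trusted proxy may believe, and why the curl test only proves anything when it is run from a second host. The following is an added example, not Apache's mod_remoteip code and not something from the bug report; it models the documented trust walk (start at the TCP peer, move right to left through the header, accept a hop only while the current address is one of the RemoteIPInternalProxy entries) and replays the test case's topology: nginx on 127.0.0.1 appends the connecting address via $proxy_add_x_forwarded_for, 10.253.194.202 from the comment stands in for the remote test host, and 1.1.1.1 is the value a client tries to inject. The constructed headers are what that nginx configuration would produce for each curl command.

```python
"""Model of trusted-proxy X-Forwarded-For resolution (added illustration,
not Apache's implementation)."""
import ipaddress
from typing import Dict, List, Optional, Sequence


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For value into its comma-separated hops."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def resolve_client_ip(peer_addr: str, xff_header: Optional[str],
                      internal_proxies: Sequence[str]) -> str:
    """Return the address the backend should treat as the client.

    peer_addr        -- address of the TCP connection that reached the backend
    xff_header       -- X-Forwarded-For as received (None if absent)
    internal_proxies -- addresses or CIDRs as given to RemoteIPInternalProxy
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in internal_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in trusted)

    client = peer_addr
    hops = parse_xff(xff_header)
    # Walk right to left: each hop was appended by the proxy to its right,
    # so it is only as trustworthy as that proxy. Stop at the first address
    # that is not an internal proxy; everything left of it is unverified.
    while hops and is_trusted(client):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed hop: keep the last address that was verified
        client = candidate
    return client


# Constructed topology from the bug's test case.
INTERNAL_PROXIES = ["127.0.0.1"]   # the nginx proxy in front of Apache
REMOTE_HOST = "10.253.194.202"     # the second host the comment tests from


def scenarios() -> Dict[str, str]:
    """Replay the page's curl tests; header values are what nginx's
    $proxy_add_x_forwarded_for would hand to the 127.0.0.1:8080 backend."""
    return {
        # curl http://<IP>/index.php from the remote host, no header sent
        "remote, no header":
            resolve_client_ip("127.0.0.1", REMOTE_HOST, INTERNAL_PROXIES),
        # curl http://<IP>/... -H "X-Forwarded-For: 1.1.1.1" from the remote host
        "remote, spoofed XFF":
            resolve_client_ip("127.0.0.1", f"1.1.1.1, {REMOTE_HOST}", INTERNAL_PROXIES),
        # the same request sent straight to port 8080, bypassing nginx
        "direct to backend, spoofed XFF":
            resolve_client_ip(REMOTE_HOST, "1.1.1.1", INTERNAL_PROXIES),
        # curl http://localhost/... -H "X-Forwarded-For: 1.1.1.1" on the server itself
        "localhost, spoofed XFF":
            resolve_client_ip("127.0.0.1", "1.1.1.1, 127.0.0.1", INTERNAL_PROXIES),
    }


if __name__ == "__main__":
    for name, addr in scenarios().items():
        print(f"{name:32s} -> REMOTE_ADDR {addr}")
```

From the remote host the injected 1.1.1.1 is dropped because the hop to its right (10.253.194.202) is not an internal proxy, which is the "should show the remote IP for all three" expectation in the test case. From localhost the client itself is 127.0.0.1, the one listed internal proxy, so every hop in the chain is trusted and 1.1.1.1 is accepted whether or not the backport is installed; that is why the description was changed to require a second host. The description attributes the bug to re-processing with a useragent_addr already set; a resolution that depends only on the connection peer and the header, as modelled here, returns the same answer however many times the request is processed.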
