Bug 1179306

Summary: mod_remoteip allows any client IP address to be set (fixed in upstream).
Product: Red Hat Enterprise Linux 7
Reporter: Joshua Brunner <j.brunner>
Component: httpd
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA
QA Contact: Martin Frodl <mfrodl>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: isenfeld, j.brunner, jkaluza
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: httpd-2.4.6-32.el7
Doc Type: Bug Fix
Doc Text:
Cause: When multiple, comma-delimited user-agent IP addresses were listed in the header value and handled by mod_remoteip, processing did not halt when a given client IP address was not trusted to present the preceding IP address. Consequence: In that case it was possible to set an arbitrary client IP address. Fix: Multiple IP addresses are now checked correctly and processing halts properly in that case. Result: It is no longer possible to set an arbitrary client IP address that way using mod_remoteip.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 04:37:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Joshua Brunner 2015-01-06 14:52:25 UTC
Description of problem:
When multiple, comma delimited useragent IP addresses are listed in the header value, they are processed in Right-to-Left order. Processing DOES NOT HALT when a given useragent IP address is not trusted to present the preceding IP address.

Version-Release number of selected component (if applicable):
httpd-2.4.6-18.el7_0.x86_64

Steps to Reproduce:
1. yum install -y httpd
2. vi /etc/httpd/conf.d/remoteip.conf
    LoadModule remoteip_module modules/mod_remoteip.so
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy ::1
    CustomLog /var/log/httpd/remoteip "%a"
3. service httpd start
4. curl http://localhost -H "X-Forwarded-For: 1.1.1.1, 2.2.2.2"

Actual results:
1.1.1.1 is logged to: /var/log/httpd/remoteip

Expected results:
2.2.2.2 is logged to: /var/log/httpd/remoteip

Additional info:
Bug is fixed in upstream:
https://issues.apache.org/bugzilla/show_bug.cgi?id=54651

Please patch mod_remoteip.c with r1564052 from upstream.

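The following is an added example, not code from the bug report or from the httpd project. It is a simplified Python model of the right-to-left X-Forwarded-For walk that mod_remoteip performs: it treats every address in the given trusted list the same way (the real module distinguishes RemoteIPInternalProxy from RemoteIPTrustedProxy and has extra handling for private addresses; both are left out here). The `halt_on_untrusted` flag is a hypothetical switch that models the defect described above: with it off, the walk keeps going past an untrusted address and the leftmost, attacker-supplied value wins; with it on, the walk stops at the first address that is not a trusted proxy, which is the fixed behaviour. The sample inputs are the ones from the reproduction steps plus two constructed cases.

```python
import ipaddress


def resolve_client_ip(peer, xff, trusted, halt_on_untrusted=True):
    """Return the client IP that should be logged for a request.

    peer:    IP address of the TCP peer that delivered the request.
    xff:     raw X-Forwarded-For header value ("a, b, c"; leftmost is oldest).
    trusted: addresses or CIDR networks that may assert a forwarded address.
    halt_on_untrusted: True models fixed mod_remoteip; False models the bug
                       (hypothetical switch, not an httpd setting).
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def is_trusted(ip):
        # ipaddress returns False (not an error) when address families differ
        return any(ip in n for n in nets)

    client = ipaddress.ip_address(peer)

    # An untrusted peer may not speak for anyone: the header is ignored entirely
    if not is_trusted(client):
        return str(client)

    entries = [e.strip() for e in xff.split(",") if e.strip()]

    # Walk the header from right (closest proxy) to left (farthest claimed hop)
    while entries:
        try:
            candidate = ipaddress.ip_address(entries.pop())
        except ValueError:
            break  # malformed hop: stop and keep the last good address
        client = candidate
        # Fixed behaviour: only a trusted proxy may vouch for the hop before it
        if halt_on_untrusted and not is_trusted(client):
            break

    return str(client)


if __name__ == "__main__":
    # Inputs taken from the reproduction steps in this report
    peer, header, proxies = "::1", "1.1.1.1, 2.2.2.2", ["::1"]
    print("fixed :", resolve_client_ip(peer, header, proxies))
    print("buggy :", resolve_client_ip(peer, header, proxies, halt_on_untrusted=False))
    # Constructed case: a trusted internal proxy chain in front of the real client
    print("chain :", resolve_client_ip("::1", "203.0.113.9, 10.0.0.5", ["::1", "10.0.0.0/8"]))
```

With the reported inputs the fixed walk logs 2.2.2.2 (the first address the trusted proxy ::1 did not vouch for), while the non-halting walk logs 1.1.1.1, matching the "actual results" above. The practical check for a deployment is that the logged `%a` for a request carrying a multi-hop header changes only as far as the configured proxy list allows.
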
Comment 8 errata-xmlrpc 2015-11-19 04:37:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2194.html