Bug 1179306 - mod_remoteip allows to set any client IP (fixed in upstream).
mod_remoteip allows to set any client IP (fixed in upstream).
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: httpd (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Web Stack Team
Martin Frodl
Depends On:
  Show dependency treegraph
Reported: 2015-01-06 09:52 EST by Joshua Brunner
Modified: 2015-11-18 23:37 EST (History)
3 users (show)

See Also:
Fixed In Version: httpd-2.4.6-32.el7
Doc Type: Bug Fix
Doc Text:
Cause: When multiple, comma delimited useragent IP addresses were listed in the header value and handled by mod_remoteip, processing did not halt when a given client IP address was not trusted to preceding IP address. Consequence: It was possible to set any client IP address in mentioned case. Fix: Multiple IP addresses are now checked correctly and the processing halts properly in mentioned case. Result: It is no longer possible to set any client IP address that way using mod_remoteip.
Story Points: ---
Clone Of:
Last Closed: 2015-11-18 23:37:00 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Apache Bugzilla 54651 None None None Never

  None (edit)
Description Joshua Brunner 2015-01-06 09:52:25 EST
Description of problem:
When multiple, comma delimited useragent IP addresses are listed in the header value, they are processed in Right-to-Left order. Processing DOES NOT HALT when a given useragent IP address is not trusted to present the preceding IP address.

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. yum install -y httpd
2. vi /etc/httpd/conf.d/remoteip.conf
    LoadModule remoteip_module modules/mod_remoteip.so
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy ::1
    CustomLog /var/log/httpd/remoteip "%a"
3. service httpd start
4. curl http://localhost -H "X-Forwarded-For:,"

Actual results: is logged to: /var/log/httpd/remoteip

Expected results: is logged to: /var/log/httpd/remoteip

Additional info:
Bug is fixed in upstream:

Please patch mod_remoteip.c with r1564052 from upstream.
Comment 8 errata-xmlrpc 2015-11-18 23:37:00 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.