It was reported [1] that mod_remoteip does not properly filter the IP addresses supplied in HTTP headers, which can allow a remote attacker to hide his real IP address, or bypass IP-based restrictions.
This issue is fixed upstream:
https://svn.apache.org/viewvc?view=revision&revision=1564052
Additional information can be found at the below bug reports:
https://issues.apache.org/bugzilla/show_bug.cgi?id=54651
https://bugzilla.redhat.com/show_bug.cgi?id=1179306
[1]: http://mail-archives.apache.org/mod_mbox/httpd-users/201210.mbox/%3cCAHa2qaJSW7Hvk68grWMbbiFSA=zAxQ1nr_-A-K-pDWbAB0Gd1Q@mail.gmail.com%3e
Created httpd tracking bugs for this issue:
Affects: fedora-all [bug 1181699]
The affected mod_remoteip module was introduced upstream in version 2.4:
http://httpd.apache.org/docs/2.4/new_features_2_4.html#newmods
Therefore, this issue did not affect httpd versions as shipped in Red Hat Enterprise Linux 6 and earlier, which include httpd 2.2 or earlier.
Issue was corrected upstream in version 2.4.8:
https://svn.apache.org/viewvc?view=revision&revision=1569006
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?revision=1569006&view=markup