Bug 1181697 - httpd: IP address spoofing in mod_remoteip
Summary: httpd: IP address spoofing in mod_remoteip
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1181699
Blocks: 1181702
Reported: 2015-01-13 15:42 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:26 UTC

Fixed In Version: httpd 2.4.8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-30 07:07:45 UTC
Embargoed:



Description Vasyl Kaigorodov 2015-01-13 15:42:58 UTC
It was reported [1] that mod_remoteip does not properly filter the IP addresses supplied in HTTP headers, which can allow a remote attacker to hide his real IP address, or bypass IP-based restrictions.
This issue is fixed upstream:
https://svn.apache.org/viewvc?view=revision&revision=1564052

Additional information can be found in the bug reports below:
  https://issues.apache.org/bugzilla/show_bug.cgi?id=54651
  https://bugzilla.redhat.com/show_bug.cgi?id=1179306

[1]: http://mail-archives.apache.org/mod_mbox/httpd-users/201210.mbox/%3cCAHa2qaJSW7Hvk68grWMbbiFSA=zAxQ1nr_-A-K-pDWbAB0Gd1Q@mail.gmail.com%3e

Comment 1 Vasyl Kaigorodov 2015-01-13 15:43:25 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1181699]

Comment 3 Tomas Hoger 2015-03-17 12:28:26 UTC
The affected mod_remoteip module was introduced upstream in version 2.4:

http://httpd.apache.org/docs/2.4/new_features_2_4.html#newmods

Therefore, this issue did not affect httpd versions as shipped in Red Hat Enterprise Linux 6 and earlier, which include httpd 2.2 or earlier.

The issue was corrected upstream in version 2.4.8:

https://svn.apache.org/viewvc?view=revision&revision=1569006
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?revision=1569006&view=markup

