Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered

To: "debian-lts@lists.debian.org" <debian-lts@lists.debian.org>
Cc: security <security@plesk.com>
Subject: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered
From: Andrey Zelenchuk <azelenchuk@plesk.com>
Date: Wed, 29 Apr 2020 07:00:38 +0000
Message-id: <[🔎] VI1PR09MB270239480458B1895BC5BFE5D8AD0@VI1PR09MB2702.eurprd09.prod.outlook.com>

Package: apache2

Version: 2.4.10-10+deb8u16

Severity: grave

Tags: security

Dear Maintainer,

There is a bug in mod_remoteip (a part of Apache Web Server): https://bz.apache.org/bugzilla/show_bug.cgi?id=60251

Although the status of this bug is "NEW", actually it was fixed in Apache 2.4.24.

Although a CVE id was not requested yet, actually it is a vulnerability.

The fix was not backported to Debian 8 (jessie).

Impact: if a victim uses Apache rewrite rules, then an attacker can spoof his IP address for logs and PHP scripts.

--

Andrey Zelenchuk

Plesk | Security team

Reply to:

Follow-Ups:
- Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Re: dla-needed.txt: Add note on CVE-2020-1769 in otrs2.
Next by Date: Re: dla-needed.txt: Add note on CVE-2020-1769 in otrs2.
Previous by thread: Re: dla-needed.txt: Add note on CVE-2020-1769 in otrs2.
Next by thread: Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered
Index(es):
- Date
- Thread