
Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered



Package: apache2
Version: 2.4.10-10+deb8u16
Severity: grave
Tags: security
 

Dear Maintainer,

 

There is a bug in mod_remoteip (a part of Apache Web Server): https://bz.apache.org/bugzilla/show_bug.cgi?id=60251

Although the status of this bug is "NEW", actually it was fixed in Apache 2.4.24.

Although a CVE id was not requested yet, actually it is a vulnerability.

 

The fix was not backported to Debian 8 (jessie).

 

Impact: if a victim uses Apache rewrite rules, then an attacker can spoof his IP address for logs and PHP scripts.

 

--

Andrey Zelenchuk

Plesk | Security team
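
A triage check for the condition the report describes, given here as an added example that is not part of the original report or of Apache/Debian tooling: it reads the text output of `apache2ctl -v` and `apache2ctl -M` and flags hosts that load both mod_remoteip and mod_rewrite while running an upstream version older than 2.4.24. The function names, verdict strings and sample outputs are constructed for illustration, and because distributions can backport fixes without changing the upstream version, the "review" verdict means "confirm the package changelog", not "vulnerable".

```python
import re

# Upstream release the report names as containing the fix.
FIXED_IN = (2, 4, 24)

# Constructed sample outputs (not captured from a real host).
SAMPLE_VERSION = "Server version: Apache/2.4.10 (Debian)\n"
SAMPLE_MODULES = """Loaded Modules:
 core_module (static)
 authz_core_module (shared)
 remoteip_module (shared)
 rewrite_module (shared)
"""


def upstream_version(version_output):
    """Extract (major, minor, patch) from `apache2ctl -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no Apache version string found")
    return tuple(int(part) for part in m.groups())


def loaded_modules(modules_output):
    """Return module names (without the _module suffix) from `apache2ctl -M` output."""
    pattern = r"^\s*(\w+)_module\s+\((?:static|shared)\)"
    return set(re.findall(pattern, modules_output, re.M))


def assess(version_output, modules_output):
    """Classify a host against the condition in the report.

    not-applicable : mod_remoteip and mod_rewrite are not both loaded
    fixed-upstream : upstream version is 2.4.24 or later
    review         : both modules loaded on an older upstream version;
                     check whether the distro package carries the fix
    """
    mods = loaded_modules(modules_output)
    if not {"remoteip", "rewrite"} <= mods:
        return "not-applicable"
    if upstream_version(version_output) >= FIXED_IN:
        return "fixed-upstream"
    return "review"


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_MODULES))
```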

 

