Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/09/20 11:03:05 UTC

[Bug 65584] New: Disable resolution of X-forwarded-for

https://bz.apache.org/bugzilla/show_bug.cgi?id=65584

            Bug ID: 65584
           Summary: Disable resolution of X-forwarded-for
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_remoteip
          Assignee: bugs@httpd.apache.org
          Reporter: v.truong@linkbynet.com
  Target Milestone: ---

Created attachment 38039
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=38039&action=edit
DNS in XFF header

It was possible during the penetration test to manipulate the application so
that it performs a DNS resolution of our choice.
This vulnerability could possibly allow interaction with the internal servers
of the application.
For more information, cf.:
http://blog.portswigger.net/2015/04/introducing-burp-collaborator.html
Is there any way to disable the DNS resolution of the XFF header, or to allow only
IP addresses in this header, or to implement a whitelist with which the
application can communicate and block all other interactions?

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 65584] Disable resolution of X-forwarded-for


Srivathshan MHRIL <sr...@mahindraholidays.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |srivathshan.k814@mahindraho
                   |                            |lidays.com



[Bug 65584] Disable resolution of X-forwarded-for


--- Comment #1 from Rainer Jung <ra...@kippdata.de> ---
I guess this is related to

https://www.mail-archive.com/dev@httpd.apache.org/msg66312.html

where we discussed an attempt to solve it but stranded.



[Bug 65584] Disable resolution of X-forwarded-for


Srivathshan MHRIL <sr...@mahindraholidays.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|srivathshan.k814@mahindraho |
                   |lidays.com                  |



[Bug 65584] Disable resolution of X-forwarded-for


--- Comment #2 from v.truong@linkbynet.com ---
(In reply to Rainer Jung from comment #1)
> I guess this is related to
> 
> https://www.mail-archive.com/dev@httpd.apache.org/msg66312.html
> 
> where we discussed an attempt to solve it but stranded.

Yes, it is exactly what we are expecting.
It seems that we can't fix it at the moment.



[Bug 65584] Disable resolution of X-forwarded-for


v.truong@linkbynet.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.5-HEAD                    |2.4.48



[Bug 65584] Disable resolution of X-forwarded-for


JS <jo...@adobe.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.4.48                      |2.4.52

--- Comment #3 from JS <jo...@adobe.com> ---
I've recently discovered this across various hosts running httpd between 2.4.6
and 2.4.52. While not causing major issues at this time, it does turn up as an
SSRF vulnerability we are unable to resolve on pentests, and there is the
heightened possibility of successful DoS attacks due to the extra overhead
while httpd issues and waits for a response to the DNS request (particularly if
the DNS requests are slow to return for whatever reason, thus holding a thread
hostage while it waits to resolve).

The expected functionality is that if HostnameLookups is set to "Off" (which it
is by default), there wouldn't be any backend DNS requests regardless. Is there
going to be a fix for this at any point?

If a fix is not going to be provided, the documentation for HostnameLookups
should be updated at the very least to point out that the expected behavior
does not apply when using mod_remoteip and the RemoteIpHeader directive:
https://httpd.apache.org/docs/2.4/mod/core.html#hostnamelookups I note the
documentation does already reference an exception to the HostnameLookups
behavior when using mod_authz_host, so it would make sense to spell out the
exception for this as well.

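The strict check the reporter asks for in the opening description (accept only IP literals in the X-Forwarded-For value and never hand a name to the resolver), which also removes the resolver wait that comment #3 describes, written here as an added example in C; it is not code from httpd or mod_remoteip, and the function names and the sample header values are assumptions of this example:

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Added example, not mod_remoteip code: walk a comma-separated
 * X-Forwarded-For value and keep only entries that parse as IPv4/IPv6
 * literals via inet_pton(). inet_pton() never consults DNS, so a hostname
 * or junk entry costs a string compare instead of a blocking lookup. */

/* Return 1 if s (len bytes, already trimmed) is an IPv4 or IPv6 literal. */
static int is_ip_literal(const char *s, size_t len)
{
    char buf[INET6_ADDRSTRLEN];
    unsigned char addr[16];
    if (len == 0 || len >= sizeof buf) return 0;
    memcpy(buf, s, len);
    buf[len] = '\0';
    return inet_pton(AF_INET, buf, addr) == 1 ||
           inet_pton(AF_INET6, buf, addr) == 1;
}

/* Copy the IP-literal entries of an XFF header into out[] (capacity
 * max_out), in header order. Returns the number of accepted entries, or -1
 * as soon as any entry is not an IP literal, so the whole header is then
 * treated as untrusted rather than partially honoured. */
int xff_ip_literals(const char *hdr, char out[][INET6_ADDRSTRLEN], int max_out)
{
    int n = 0;
    const char *p = hdr, *end, *e;
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ',') p++;   /* skip separators */
        if (!*p) break;
        end = p;
        while (*end && *end != ',') end++;                  /* end of entry */
        e = end;
        while (e > p && (e[-1] == ' ' || e[-1] == '\t')) e--; /* trim trailing ws */
        if (!is_ip_literal(p, (size_t)(e - p))) return -1;
        if (n < max_out) {
            memcpy(out[n], p, (size_t)(e - p));
            out[n][e - p] = '\0';
            n++;
        }
        p = end;
    }
    return n;
}

int main(void)
{
    char out[4][INET6_ADDRSTRLEN];
    int n = xff_ip_literals("203.0.113.5, 2001:db8::1", out, 4); /* constructed */
    for (int i = 0; i < n; i++) printf("accepted: %s\n", out[i]);
    printf("hostname entry -> %d\n", xff_ip_literals("203.0.113.5, xff.example.test", out, 4));
    return 0;
}
```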