On 07.11.2014 at 13:12, Thomas Bruederli wrote:
On Fri, Nov 7, 2014 at 10:37 AM, Reindl Harald <[email protected]> wrote:

On 07.11.2014 at 10:30, Thomas Bruederli wrote:

Pretty good, but please be aware that $_SERVER['REMOTE_ADDR'] doesn't
reflect the client IP if your webserver is behind a reverse proxy or
load balancer. There's rcube_utils::remote_addr() which extracts the
real client IP from the headers such intermediate systems add to the
request.

in a sane setup it does
http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

rcube_utils::remote_addr() is dangerous: the X-Forwarded-For header is not
trustworthy, hence "mod_remoteip" (or, for older Apache versions, "mod_rpaf");
the important difference is that:

You're certainly right about this but if you look at the
implementation of remote_addr() you'll find that the X-Forwarded-For
header is only considered if the request comes from a known proxy IP
which can be set with the 'proxy_whitelist' config option. For those
not using mod_remoteip, this should do the job.

please take a look at the mod_remoteip docs

can you assure that you handle the case where the HTTP header contains more than one IP strictly enough, and what do you do if the proxy is using one of the (AFAIK) 3 possible HTTP headers and one of the remaining ones is present?

in that case, and with "mod_remoteip", you only see the untrusted ones in the PHP layer and have no hint that the real one has already been translated

so in a large environment that may lead to somebody fixing the HTTP setup because of logging and other issues and configuring 'mod_remoteip', and that is maybe not the same person who configured Roundcube

also consider: if the "mod_remoteip" logic/code turns out to contain a security-relevant flaw (that was indeed the case not so long ago) and gets a fix, this is applied to every single web application not dealing with that itself
__________________________________

Apache 2.4.8:

* mod_remoteip: Correct the trusted proxy match test. PR 54651
* mod_remoteip: Use the correct IP addresses to populate the proxy_ips field

docs are unchanged, but the implementation had an error

However, we should consider $_SERVER['REMOTE_IP'] in remote_addr() if available

please do so!
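The behaviour the thread argues about, as an added example (not Roundcube's rcube_utils::remote_addr() and not the author's code): headers are only honoured when the TCP peer is a configured trusted proxy, a multi-value X-Forwarded-For is walked from the right so a client-supplied leading entry is discarded, and only one configured header is ever consulted. The `$trustedProxies` list stands in for the 'proxy_whitelist' option mentioned above; all request arrays and addresses are constructed.

```php
<?php
// Added example, not Roundcube code. $server mirrors $_SERVER; $trustedProxies
// is the assumed equivalent of 'proxy_whitelist'. Exactly one header is used.
function client_ip(array $server, array $trustedProxies, string $header = 'HTTP_X_FORWARDED_FOR'): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;
    if ($remote === null || filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Peer is not a trusted proxy: never look at headers, anyone can set them.
    // This is also the path taken once mod_remoteip has rewritten REMOTE_ADDR:
    // PHP then sees the real client and must not re-apply the header.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    if (empty($server[$header])) {
        return $remote; // trusted proxy but no header: report the proxy itself
    }
    // X-Forwarded-For is "client, proxy1, proxy2": walk from the right, skipping
    // trusted hops; the first untrusted entry was appended by the nearest trusted
    // proxy, so the client could not have forged it.
    $hops = array_map('trim', explode(',', $server[$header]));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed entry: refuse to trust the whole chain
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote; // every hop is a trusted proxy
}

// Constructed: two load balancer addresses we operate.
$trusted = ['10.0.0.5', '10.0.0.6'];

// Constructed requests: direct client that sends a bogus header, a client behind
// two trusted hops, and a client behind one hop that sent its own leading entry.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4'];
$chain  = ['REMOTE_ADDR' => '10.0.0.6', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.5'];
$spoof  = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.9'];

var_dump(client_ip($direct, $trusted)); // header ignored, peer is untrusted
var_dump(client_ip($chain, $trusted));  // trusted hop skipped from the right
var_dump(client_ip($spoof, $trusted));  // client-supplied leading entry discarded
```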


_______________________________________________
Roundcube Development discussion mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/dev
