Hi, I've noticed a small vulnerability in Pound:

I've made a spoofed HTTP request adding a "X-Forwarded-For: 1.2.3.4" header
and sent it to Pound. When Pound receives it, it adds a new "X-Forwarded-For:
SOURCE_IP", but the added header is at the bottom of the request:


The request arriving to Pound:

T 2009/09/12 21:49:44.271221 87.218.216.202:52448 -> 99.122.79.215:9080 [AP]
GET /xcap-root/pres-rules/users/i...@qwe/presrules HTTP/1.1
Content-Length: 0
X-Forwarded-For: 1.2.3.4


The request forwarded by Pound to the web server:

T 2009/09/12 21:49:44.271452 127.0.0.1:36734 -> 127.0.0.1:80 [AP]
GET /xcap-root/pres-rules/users/i...@qwe/presrules HTTP/1.1
Content-Length: 0
X-Forwarded-For: 1.2.3.4
X-Forwarded-For: 87.218.216.202


Most of the web servers I know just inspect the top-most header, so when
inspecting "X-Forwarded-For" they would get "1.2.3.4" instead of "SOURCE_IP".

In my case I'm developing an XCAP server (RFC 4825) and my aim is using Pound
in front of a cluster of web XCAP servers. An XCAP server must require Digest
authentication depending on the URL, but it doesn't ask for authentication if
the request comes from a trusted IP. Being behind an HTTP proxy, the only way to
know the source IP is by inspecting the "X-Forwarded-For" value. However, the
client could spoof it as I describe above.

A workaround would be to use "HeadRemove", but I think that Pound should do it
by default (remove all the "X-Forwarded-For" headers present in the original
request).

Regards.


--
Iñaki Baz Castillo <i...@aliax.net>
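The header-ordering problem described in this message, as an added example that is not part of the original post and not Pound's or the XCAP server's code: the two requests from the post are rebuilt as constructed header lists, and a backend that reads the first X-Forwarded-For header is compared with one that reads the entry appended by the trusted proxy (the last one), which is what a server behind Pound should do.

```python
"""Reading X-Forwarded-For behind a trusted reverse proxy (constructed example)."""

# Constructed: the request as forwarded by Pound in the post, after the
# client had already supplied its own X-Forwarded-For header.
FORWARDED_BY_POUND = [
    ("Content-Length", "0"),
    ("X-Forwarded-For", "1.2.3.4"),         # supplied by the client
    ("X-Forwarded-For", "87.218.216.202"),  # appended by Pound
]

# Constructed: the same request if Pound had stripped client-supplied
# X-Forwarded-For headers first (the HeadRemove workaround from the post).
FORWARDED_WITH_HEADREMOVE = [
    ("Content-Length", "0"),
    ("X-Forwarded-For", "87.218.216.202"),
]


def xff_entries(headers):
    """All X-Forwarded-For addresses in wire order.

    A repeated header and a single comma-joined header are equivalent, so
    both forms are normalised into one list.
    """
    out = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            out.extend(p.strip() for p in value.split(",") if p.strip())
    return out


def naive_client_ip(headers):
    """What the post says most servers do: use the first header seen."""
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            return value.split(",")[0].strip()
    return None


def client_ip_behind_proxy(headers, trusted_proxies=1):
    """Return the entry appended by the trusted proxy.

    With N trusted proxies in front, that is the N-th entry from the right;
    everything to the left of it is client-controlled and must not be trusted.
    """
    if trusted_proxies < 1:
        raise ValueError("trusted_proxies must be at least 1")
    entries = xff_entries(headers)
    if len(entries) < trusted_proxies:
        return None  # no proxy-appended entry present; treat as untrusted
    return entries[-trusted_proxies]
```

Whether the proxy strips client-supplied headers or the backend reads the last entry, the backend must only do this for requests that actually arrive from the proxy; a request reaching it directly carries no trustworthy X-Forwarded-For at all.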
