Skip to content
This repository has been archived by the owner on Jan 8, 2020. It is now read-only.

Potential security vulnerability #5374

Closed
SteveTalbot opened this issue Oct 28, 2013 · 4 comments
Closed

Potential security vulnerability #5374

SteveTalbot opened this issue Oct 28, 2013 · 4 comments
Milestone
2.2.5

Comments

@SteveTalbot
Copy link

Note: A fix now exists in both master and develop, and has been released with 2.2.5

The X-Forwarded-For header is a comma-separated list of IP
addresses, where the leftmost is the original client and the others
are successive proxies or load balancers. The address of the last
proxy is the apparent source IP address, in

`````` $_SERVER['REMOTE_ADDR']```.

In Zend\Http\PhpEnvironment\RemoteAddress, when $useProxy
is set to true, the getIpAddressFromProxy() function does not
check whether $_SERVER['REMOTE_ADDR'] is one of the trusted
proxies. Hence if the client is not behind a trusted proxy and spoofs
the X-Forwarded-For header, this function will return a spoofed
IP address.

This allows a session hijacking attack because of the way
Zend\Http\PhpEnvironment\RemoteAddress is used in the
Zend\Session\Validator\RemoteAddr session validator.

I think it would be safer to replace the start of the function as follows:


```
protected function getIpAddressFromProxy()
{
    if (!$this->useProxy || !in_array($_SERVER['REMOTE_ADDR'],
```

$this->trustedProxies)) {
            return false;
        }

So if the source IP address is not a trusted proxy,
getIpAddressFromProxy() would return false and
getIpAddress() function would return
$_SERVER['REMOTE_ADDR'], which I think is more desirable
behaviour.
@weierophinney
Copy link
Member

@SteveTalbot Please, never, never, never report potential security issues on a public tracker. Our README clearly details how to report security issues (tl;dr: email to [email protected]). In the meantime, I've removed the contents of the report until we can review and patch the issue.

@SteveTalbot
Copy link
Author

Apologies --- to avoid anyone else doing the same, it'd be helpful to add the zf-security e-mail address to https://github.com/zendframework/zf2/blob/master/CONTRIBUTING.md, which is linked from the "New Issue" page on GitHub.

@EvanDotPro
Copy link
Member

@SteveTalbot Definitely, we'll be updating the readme and contributing documents to make this as apparent as possible. Thank you.

@weierophinney
Copy link
Member

Patches have been reviewed, and I've applied in my local branch. I'll be pushing shortly, and will release with 2.2.5 later today.

weierophinney added a commit that referenced this issue Oct 31, 2013
@weierophinney
Merge branch 'security/remote-address'
bb67844 
Security fix for `Zend\Http\PhpEnvironment\RemoteAddress`.

Fixes #5374
weierophinney added a commit that referenced this issue Oct 31, 2013
@weierophinney
Merge branch 'security/remote-address' into develop
87b0221 
Forward port #5374 (`RemoteAddress` security fix)

Conflicts:
	README.md
weierophinney added a commit that referenced this issue Oct 31, 2013
@weierophinney
[#5374] Fix CS issues
cc70802 
- trailing whitespace
weierophinney added a commit that referenced this issue Oct 31, 2013
@weierophinney
[#5374] Updated RemoteAddr session validator tests
433c2de 
- Ensured they were testing what they should, based on the changes to
  Zend\Http\PhpEnvironment\RemoteAddress
weierophinney added a commit that referenced this issue Oct 31, 2013
@weierophinney
Merge branch 'hotfix/5374-cleanup'
efe1143 
Fix CS and testing issues introduced by security fix for #5374
weierophinney added a commit that referenced this issue Oct 31, 2013
@weierophinney
Merge branch 'hotfix/5374-cleanup' into develop
deffbe2 
Forward-ports testing and CS fixes for #5374
weierophinney added a commit to zendframework/zend-http that referenced this issue May 15, 2015
@weierophinney
Merge branch 'security/remote-address'
b653ea9 
Security fix for `Zend\Http\PhpEnvironment\RemoteAddress`.

Fixes zendframework/zendframework#5374
weierophinney added a commit to zendframework/zend-http that referenced this issue May 15, 2015
@weierophinney
Merge branch 'security/remote-address' into develop
fa17926 
Forward port zendframework/zendframework#5374 (`RemoteAddress` security fix)

Conflicts:
	README.md
weierophinney added a commit to zendframework/zend-http that referenced this issue May 15, 2015
@weierophinney
[zendframework/zendframework#5374] Fix CS issues
2dd4cc5 
- trailing whitespace
weierophinney added a commit to zendframework/zend-http that referenced this issue May 15, 2015
@weierophinney
Merge branch 'hotfix/5374-cleanup'
ac0446b 
Fix CS and testing issues introduced by security fix for zendframework/zendframework#5374
weierophinney added a commit to zendframework/zend-http that referenced this issue May 15, 2015
@weierophinney
Merge branch 'hotfix/5374-cleanup' into develop
f8c3502 
Forward-ports testing and CS fixes for zendframework/zendframework#5374
weierophinney added a commit to zendframework/zend-session that referenced this issue May 15, 2015
@weierophinney
[zendframework/zendframework#5374] Updated RemoteAddr session validat…
b778a0c 
…or tests

- Ensured they were testing what they should, based on the changes to
  Zend\Http\PhpEnvironment\RemoteAddress
weierophinney added a commit to zendframework/zend-session that referenced this issue May 15, 2015
@weierophinney
Merge branch 'hotfix/5374-cleanup'
4d8e4f7 
Fix CS and testing issues introduced by security fix for zendframework/zendframework#5374
weierophinney added a commit to zendframework/zend-session that referenced this issue May 15, 2015
@weierophinney
Merge branch 'hotfix/5374-cleanup' into develop
5ed4ac8 
Forward-ports testing and CS fixes for zendframework/zendframework#5374
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.2.5
Development

No branches or pull requests
3 participants
@EvanDotPro @weierophinney @SteveTalbot