Skip to content
This repository has been archived by the owner on Jan 8, 2020. It is now read-only.

Potential security vulnerability #5374

Closed
SteveTalbot opened this issue Oct 28, 2013 · 4 comments
Closed

Potential security vulnerability #5374

SteveTalbot opened this issue Oct 28, 2013 · 4 comments
Milestone

Comments

@SteveTalbot
Copy link

Note: A fix now exists in both master and develop, and has been released with 2.2.5

The X-Forwarded-For header is a comma-separated list of IP
addresses, where the leftmost is the original client and the others
are successive proxies or load balancers. The address of the last
proxy is the apparent source IP address, in

`````` $_SERVER['REMOTE_ADDR']```.

In Zend\Http\PhpEnvironment\RemoteAddress, when $useProxy
is set to true, the getIpAddressFromProxy() function does not
check whether $_SERVER['REMOTE_ADDR'] is one of the trusted
proxies. Hence if the client is not behind a trusted proxy and spoofs
the X-Forwarded-For header, this function will return a spoofed
IP address.

This allows a session hijacking attack because of the way
Zend\Http\PhpEnvironment\RemoteAddress is used in the
Zend\Session\Validator\RemoteAddr session validator.

I think it would be safer to replace the start of the function as follows:


```
protected function getIpAddressFromProxy()
{
    if (!$this->useProxy || !in_array($_SERVER['REMOTE_ADDR'],
```

$this->trustedProxies)) {
            return false;
        }

So if the source IP address is not a trusted proxy,
getIpAddressFromProxy() would return false and
getIpAddress() function would return
$_SERVER['REMOTE_ADDR'], which I think is more desirable
behaviour.

@weierophinney
Copy link
Member

@SteveTalbot Please, never, never, never report potential security issues on a public tracker. Our README clearly details how to report security issues (tl;dr: email to [email protected]). In the meantime, I've removed the contents of the report until we can review and patch the issue.

@SteveTalbot
Copy link
Author

Apologies --- to avoid anyone else doing the same, it'd be helpful to add the zf-security e-mail address to https://github.com/zendframework/zf2/blob/master/CONTRIBUTING.md, which is linked from the "New Issue" page on GitHub.

@EvanDotPro
Copy link
Member

@SteveTalbot Definitely, we'll be updating the readme and contributing documents to make this as apparent as possible. Thank you.

@weierophinney
Copy link
Member

Patches have been reviewed, and I've applied in my local branch. I'll be pushing shortly, and will release with 2.2.5 later today.

weierophinney added a commit that referenced this issue Oct 31, 2013
Security fix for `Zend\Http\PhpEnvironment\RemoteAddress`.

Fixes #5374
weierophinney added a commit that referenced this issue Oct 31, 2013
Forward port #5374 (`RemoteAddress` security fix)

Conflicts:
	README.md
weierophinney added a commit that referenced this issue Oct 31, 2013
- trailing whitespace
weierophinney added a commit that referenced this issue Oct 31, 2013
- Ensured they were testing what they should, based on the changes to
  Zend\Http\PhpEnvironment\RemoteAddress
weierophinney added a commit that referenced this issue Oct 31, 2013
Fix CS and testing issues introduced by security fix for #5374
weierophinney added a commit that referenced this issue Oct 31, 2013
Forward-ports testing and CS fixes for #5374
weierophinney added a commit to zendframework/zend-http that referenced this issue May 15, 2015
Security fix for `Zend\Http\PhpEnvironment\RemoteAddress`.

Fixes zendframework/zendframework#5374
weierophinney added a commit to zendframework/zend-http that referenced this issue May 15, 2015
Forward port zendframework/zendframework#5374 (`RemoteAddress` security fix)

Conflicts:
	README.md
weierophinney added a commit to zendframework/zend-http that referenced this issue May 15, 2015
weierophinney added a commit to zendframework/zend-http that referenced this issue May 15, 2015
Fix CS and testing issues introduced by security fix for zendframework/zendframework#5374
weierophinney added a commit to zendframework/zend-http that referenced this issue May 15, 2015
weierophinney added a commit to zendframework/zend-session that referenced this issue May 15, 2015
…or tests

- Ensured they were testing what they should, based on the changes to
  Zend\Http\PhpEnvironment\RemoteAddress
weierophinney added a commit to zendframework/zend-session that referenced this issue May 15, 2015
Fix CS and testing issues introduced by security fix for zendframework/zendframework#5374
weierophinney added a commit to zendframework/zend-session that referenced this issue May 15, 2015
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants