Mailing List Archive

[Bug 65584] New: Disable resolution of X-forwarded-for
https://bz.apache.org/bugzilla/show_bug.cgi?id=65584

Bug ID: 65584
Summary: Disable resolution of X-forwarded-for
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: mod_remoteip
Assignee: bugs@httpd.apache.org
Reporter: v.truong@linkbynet.com
Target Milestone: ---

Created attachment 38039
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38039&action=edit
DNS in XFF header

It was possible during the penetration test to manipulate the application so
that it performs a DNS resolution of our choice.
This vulnerability could possibly allow interaction with the internal servers
of the application.
For more information, cf.:
http://blog.portswigger.net/2015/04/introducing-burp-collaborator.html
Is there any way to disable the DNS resolution of the XFF header, or to allow only
IP addresses in this header, or to implement a whitelist with which the
application can communicate and block all other interactions?

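The reporter asks for a way to accept only IP literals in X-Forwarded-For so that a planted hostname can never trigger a lookup. The following is an added illustration written for this archive page, not code from httpd or mod_remoteip: it performs the usual right-to-left "trusted proxy" walk over the XFF chain, but validates every hop with Python's ipaddress module, which never consults DNS, so a non-literal token is rejected rather than resolved. The trusted-proxy ranges, the header values and the peer addresses below are constructed for the example and are not taken from the bug report.

```python
"""Added example: X-Forwarded-For handling that can never trigger a DNS lookup.

Not httpd or mod_remoteip code. It mirrors the right-to-left walk that a
reverse-proxy-aware server performs over the header, but only IP literals are
accepted as hops; anything else (e.g. a hostname planted by a tester) stops the
walk and is reported back to the caller instead of being resolved.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple


def parse_xff(header: str) -> List[str]:
    """Split a comma-separated X-Forwarded-For value into its raw tokens."""
    return [tok.strip() for tok in header.split(",") if tok.strip()]


def ip_literal(token: str):
    """Return an ip_address object if `token` is an IPv4/IPv6 literal, else None.

    ipaddress.ip_address() is pure parsing: a hostname such as
    'probe.attacker.example' raises ValueError here and no resolver is ever
    contacted.
    """
    token = token.strip()
    if token.startswith("[") and token.endswith("]"):
        token = token[1:-1]  # tolerate bracketed IPv6 literals
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def is_trusted(addr, proxies) -> bool:
    """True if `addr` falls inside one of the trusted proxy networks."""
    return any(addr in net for net in proxies)


def client_ip(peer: str, xff: Optional[str],
              trusted_proxies: Iterable[str]) -> Tuple[str, List[str]]:
    """Derive the client address from the TCP peer and the XFF header.

    Walks the header from the right, peeling off hops that belong to a trusted
    proxy; the first untrusted IP literal is the client. Returns
    (client_ip, rejected_tokens). A token that is not an IP literal ends the
    walk: the last validated hop is kept as the client and the offending token
    is returned so the caller can log it.
    """
    proxies = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    current = ipaddress.ip_address(peer)
    rejected: List[str] = []

    # A header presented by an untrusted peer is attacker-controlled: ignore it.
    if xff is None or not is_trusted(current, proxies):
        return str(current), rejected

    tokens = parse_xff(xff)
    while tokens:
        tok = tokens.pop()  # rightmost hop first
        addr = ip_literal(tok)
        if addr is None:
            rejected.append(tok)  # not an IP literal: stop, never resolve it
            break
        current = addr
        if not is_trusted(current, proxies):
            break  # first untrusted literal is the real client
    return str(current), rejected


# Constructed sample inputs (not from the bug report or any real capture).
TRUSTED = ["10.0.0.0/8", "2001:db8::/32"]

if __name__ == "__main__":
    cases = [
        ("10.0.0.1", "203.0.113.7, 10.0.0.5"),           # normal chain
        ("10.0.0.1", "203.0.113.7, probe.attacker.example"),  # hostname planted
        ("198.51.100.9", "203.0.113.7"),                 # header from untrusted peer
        ("10.0.0.1", "203.0.113.7, [2001:db8::1]"),      # IPv6 proxy hop
    ]
    for peer, header in cases:
        print(peer, repr(header), "->", client_ip(peer, header, TRUSTED))
```

The whitelist semantics match what the reporter asks for: only addresses inside the configured trusted ranges may extend the chain, and a token that is not an IP literal is surfaced for logging rather than handed to any resolver.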