ZABBIX BUGS AND ISSUES / ZBX-3361

Don't rely blindly on X-Forwarded-For header

    • Type: Incident report
    • Resolution: Won't fix
    • Priority: Minor
    • Fix Version/s: None
    • Affects Version/s: 1.8.3
    • Component/s: Frontend (F)

      This code is used in the PHP frontend for audit purposes:

      // Takes whatever the client or any intermediate proxy placed in X-Forwarded-For.
      $ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))
          ? $_SERVER['HTTP_X_FORWARDED_FOR']
          : $_SERVER['REMOTE_ADDR'];

      The X-Forwarded-For header can be set by many untrusted parties, including the remote user agent and remote HTTP proxies. For example, I noticed this error because my squid cache has the setting "forwarded_for off" and it sends the header exactly as:

      X-Forwarded-For: unknown

      and I see IP: unknown in all audit logs.

      The right solution would be to add a configuration parameter like

      $REMOTE_IP_HEADER = "X-Forwarded-For";

      commented out by default.

      Some administrators prefer to use a custom header in complex backend-frontend setups, so it's better to have the ability to configure the exact header name rather than just a "use it? yes/no" setting.
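A hardened version of the lookup along the lines the report proposes, added here as an example and not Zabbix's own code. The option names $REMOTE_IP_HEADER and $TRUSTED_PROXIES, the proxy addresses and the sample requests are assumptions for illustration.

```php
<?php
// Added example, not Zabbix code. Configuration names $REMOTE_IP_HEADER and
// $TRUSTED_PROXIES are assumed for illustration.

// Shipped commented out, as the report proposes: no header is trusted unless
// the administrator names one.
// $REMOTE_IP_HEADER = 'X-Forwarded-For';
$REMOTE_IP_HEADER = null;
// The header is only honoured when the direct peer is one of these proxies.
$TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5'];

function zbx_audit_client_ip(array $server, ?string $headerName, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Header disabled, or the peer is not a proxy we trust: use the socket address.
    if ($headerName === null || !in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // PHP exposes "X-Forwarded-For" as $_SERVER['HTTP_X_FORWARDED_FOR'].
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $headerName));
    if (empty($server[$key])) {
        return $remote;
    }
    // The value is a comma-separated chain. The right-most entry was appended by
    // the trusted proxy itself; anything left of it is client-controlled.
    $hops = array_map('trim', explode(',', $server[$key]));
    $candidate = end($hops);
    // Reject non-IP values such as squid's "unknown" rather than logging them.
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return $remote;
    }
    return $candidate;
}

// Constructed sample requests: via squid with forwarded_for off, a direct
// client supplying its own header, and a request via the trusted proxy.
$requests = [
    ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => 'unknown'],
    ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1'],
    ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.9'],
];
foreach ($requests as $req) {
    // Default config (header off) versus an administrator enabling the header.
    echo zbx_audit_client_ip($req, $REMOTE_IP_HEADER, $TRUSTED_PROXIES), ' / ',
         zbx_audit_client_ip($req, 'X-Forwarded-For', $TRUSTED_PROXIES), "\n";
}
```

With the header enabled, the squid request still logs 10.0.0.5 because "unknown" is not an address, the direct client's header is ignored because 203.0.113.7 is not a listed proxy, and only the third request yields 198.51.100.9.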

            Assignee: Unassigned
            Reporter: markspensser (Mark)