ZABBIX BUGS AND ISSUES / ZBX-3361

Don't rely blindly on the X-Forwarded-For header


    Details

    • Type: Incident report
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't fix
    • Affects Version/s: 1.8.3
    • Fix Version/s: None
    • Component/s: Frontend (F)

      Description

      This code is used in the PHP frontend for audit purposes:

      $ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))?$_SERVER['HTTP_X_FORWARDED_FOR']:$_SERVER['REMOTE_ADDR'];

      The X-Forwarded-For header can be set by many untrusted parties, including the remote user agent and remote HTTP proxies. For example, I noticed this error because my squid cache has the setting "forwarded_for off" and it sends the header exactly as:

      X-Forwarded-For: unknown

      and I see IP: unknown in all audit logs.

      The right solution would be to add a configuration parameter like

      $REMOTE_IP_HEADER = "X-Forwarded-For";

      commented out by default.

      Some administrators prefer to use a custom header in complex backend-frontend setups, so it's better to be able to configure the exact header name rather than just a "use it? yes/no" setting.
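      One way the frontend could resolve the audit address safely, as an added example that is not Zabbix code: honour a configurable header only when the request arrives from a listed reverse proxy, walk the forwarded chain from the right, and reject non-address values such as Squid's "unknown". The header name, the trusted-proxy list and the sample requests are assumptions constructed for this example.

```php
<?php
// Added example (not Zabbix code): pick the client IP for audit logging without
// trusting a forwarded header blindly. The header name and the trusted-proxy
// list are hypothetical configuration values, both unset by default.

/**
 * Returns the address to record in the audit log.
 *
 * @param array       $server         copy of $_SERVER
 * @param string|null $headerName     e.g. "X-Forwarded-For"; null disables header use
 * @param array       $trustedProxies addresses of our own reverse proxies
 */
function auditClientIp(array $server, ?string $headerName, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Only honour the header when the direct peer is one of our own proxies;
    // any other peer (user agents, foreign caches) can set it to anything.
    if ($headerName === null || !in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // Map "X-Forwarded-For" to the $_SERVER key PHP uses: HTTP_X_FORWARDED_FOR.
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $headerName));
    if (empty($server[$key])) {
        return $remote;
    }

    // The value is a comma-separated chain; walk from the right and skip our
    // own proxies so that a value prepended on the left is never chosen.
    $hops = array_map('trim', explode(',', $server[$key]));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue;
        }
        // Reject non-addresses such as Squid's "unknown" instead of logging them.
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
        return $remote;
    }
    return $remote;
}

// Constructed sample requests: a squid proxy at 10.0.0.5 in front of the frontend.
$proxies = ['10.0.0.5'];
echo auditClientIp(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'unknown'],
                   'X-Forwarded-For', $proxies), "\n";
echo auditClientIp(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.5'],
                   'X-Forwarded-For', $proxies), "\n";
```

      With the header name left unset, the function falls back to REMOTE_ADDR, which is the behaviour the report asks for by default.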

            People

            Assignee: Unassigned
            Reporter: markspensser Mark