[ZBX-3361] Don't rely blindly on X-Forwarded-For header
Created: 2011 Jan 01 | Updated: 2019 Aug 28 | Resolved: 2019 Aug 28

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F)
Affects Version/s: 1.8.3
Fix Version/s: None
Type: Incident report
Priority: Minor
Reporter: Mark
Assignee: Unassigned
Resolution: Won't fix
Votes: 0
Labels: audit, headers, http
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Description
This code is used in the PHP frontend for audit purposes:

$ip = (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

The X-Forwarded-For header can be set by many untrusted parties, including the remote user agent and remote HTTP proxies. For example, I noticed this error because my squid cache has the setting "forwarded_for off" and it sends the header exactly as:

X-Forwarded-For: unknown

and I see "IP: unknown" in all audit logs.

The right solution would be to add some configuration parameter like $REMOTE_IP_HEADER = "X-Forwarded-For";, commented out by default. Some administrators prefer to use a custom header in complex backend-frontend setups, so it's better to have the ability to configure the exact header name rather than just a "use it? yes/no" setting.
Comments

Comment by richlv [ 2011 Jan 02 ]
A better approach would be to record and display both X-Forwarded-For and the remote address.

Comment by Mark [ 2011 Jan 02 ]
Agreed. This way we don't introduce an additional setting. Custom header names are usually used in cheap and kludgy load-balancing solutions; this is a very rare case. Please don't forget that the X-Forwarded-For header can be fairly long. For example, two or three chained IPs in there is a usual thing. Also there could even be some unexpected trash like a full PPP domain name.
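The approach the thread converges on (believe X-Forwarded-For only when the TCP peer is one of your own proxies, cope with chained and junk entries such as "unknown" or a PPP hostname, and record both the resolved address and the raw values), written out as an added PHP example. This is editor-supplied illustration, not Zabbix frontend code and not the reporter's proposed patch. The `$trustedProxies` setting and the `resolveClientAddress` and `auditLine` function names are assumptions made for the example, and the sample requests are constructed.

```php
<?php
// Added example for the thread above; it is not Zabbix frontend code.
// Assumptions (not from the issue): the frontend is given the list of its own
// reverse proxies in a hypothetical $trustedProxies setting, and the audit
// record keeps REMOTE_ADDR and the raw header alongside the resolved address.
declare(strict_types=1);

/**
 * Resolve the address to attribute an audited action to.
 *
 * Returns [resolved, remote_addr, raw_xff]. X-Forwarded-For is consulted only
 * when the TCP peer (REMOTE_ADDR) is one of our proxies; a direct client can
 * then put anything in the header without affecting the result. The header is
 * walked from the right (hop appended by our proxy) to the left (client):
 * our own proxies are skipped, the first foreign IP address is the answer,
 * and a non-address entry ("unknown" from squid's forwarded_for off, a PPP
 * hostname, other junk) ends the walk, because nothing left of it was added
 * by a hop we can identify.
 */
function resolveClientAddress(array $server, array $trustedProxies): array
{
    $remote = (string)($server['REMOTE_ADDR'] ?? '');
    $rawXff = (string)($server['HTTP_X_FORWARDED_FOR'] ?? '');
    // Chains of two or three hops are normal, but the value is attacker
    // controlled and must not be allowed to bloat the audit table.
    if (strlen($rawXff) > 255) {
        $rawXff = substr($rawXff, 0, 255);
    }

    $resolved = $remote;
    if ($rawXff === '' || !in_array($remote, $trustedProxies, true)) {
        return [$resolved, $remote, $rawXff];
    }

    $hops = array_map('trim', explode(',', $rawXff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;                 // "unknown", hostname, garbage: stop here
        }
        $resolved = $hop;          // last identifiable hop so far
        if (!in_array($hop, $trustedProxies, true)) {
            break;                 // first address not added by our own proxies
        }
    }
    return [$resolved, $remote, $rawXff];
}

/**
 * Build one audit-log line that records both values, as richlv suggests,
 * with CR/LF stripped from the raw header so it cannot forge extra log lines.
 */
function auditLine(array $server, array $trustedProxies): string
{
    [$ip, $remote, $xff] = resolveClientAddress($server, $trustedProxies);
    $safeXff = $xff === '' ? '-' : str_replace(["\r", "\n"], ' ', $xff);
    return sprintf('ip=%s remote_addr=%s x_forwarded_for=%s', $ip, $remote, $safeXff);
}

// Constructed requests (not captured traffic). 10.0.0.5 and 10.0.0.6 play the
// frontend's own reverse proxies; every other address is documentation space.
$trusted = ['10.0.0.5', '10.0.0.6'];

$cases = [
    // Direct client forging the header: REMOTE_ADDR is not a proxy, header ignored.
    ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    // Same forgery sent through our proxy, which appended the true client address.
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.7'],
    // Squid with "forwarded_for off" in front of our inner proxy: the action is
    // attributed to the squid box instead of logging "ip=unknown".
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'unknown, 10.0.0.6'],
    // Chain with a PPP hostname in it: only the hop our proxy identified counts;
    // the rest survives in the raw header column for a human to read.
    ['REMOTE_ADDR' => '10.0.0.5',
     'HTTP_X_FORWARDED_FOR' => '198.51.100.23, ppp-12-34.example.net, 192.0.2.9'],
    // Header carrying a newline: must not become a second, forged log line.
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => "192.0.2.9\nip=admin"],
];
foreach ($cases as $server) {
    echo auditLine($server, $trusted), "\n";
}
```

The walk stops at the first entry that is not an IP address rather than skipping it: if it skipped, a trusted squid running with forwarded_for off would append "unknown" after whatever the client sent, and the client-supplied value would be picked up as the address. Stopping attributes the action to the nearest proxy that actually identified itself, which is the most that can be verified, and the untouched raw header is still kept on the record for investigation.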
Comment by Vladislavs Boborikins (Inactive) [ 2019 Aug 28 ]
Hello,

Since this version of Zabbix is no longer supported, we've decided not to prioritize this bug for the near future and to close the issue with the "Won't fix" resolution. Please let us know if this decision should be reconsidered.

Regards