tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Cannot set remote address in valve (Tomcat 5.5)
Date Thu, 08 Oct 2009 23:32:13 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cyrille,

On 10/8/2009 4:03 AM, Cyrille Le Clerc wrote:
>    I am afraid there may be a flaw in the algorythm looking for the
> first IP  of the coma delimited x-forwarded-for header without
> ensuring that this first IP has been set by a trusted proxy and not by
> the requester ( getFirstIP(xforwardedForHeaderValue) ). Such spoofing
> can easily be achieved with tools like Firefox add-ons Modify Headers
> (1) and X-Forwarded-For Spoofer (2) .

This is a good point that you've raised, here: it's a lot easier to
spoof an HTTP header than it is to spoof a source IP address in an IP
packet.

>    The forthcoming version of Apache Httpd will offer a secure
> mechanism to handle X-Forwarded-For with a module called mod_remoteip
> (3). It relies on the concept of trusted proxies which IP address can
> be 'swallowed'. The first IP of the list that is not a trusted proxy
> is seen as the real remote ip. mod_remoteip would not have been
> tricked by such x-forwarded-for header spoofing.

Uh.... huh? That seems counter-intuitive to trust the first untrusted IP
address you find. I'll read about mod_remoteip and see what it's all about.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrOdn0ACgkQ9CaO5/Lv0PBJtACggGynXG9+5aTVIntOzJ3rB4Ie
ZZ4AoLTmXelgtQEC6+udWuCSyQsqQnTc
=cYNl
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message