[RCD] IMAP ID Bug found in Roundcube 1.0.1 in rcube_imap.php

Reindl Harald h.reindl at thelounge.net
Fri Nov 7 13:33:22 CET 2014



On 07.11.2014 at 13:12, Thomas Bruederli wrote:
> On Fri, Nov 7, 2014 at 10:37 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
>>
>> On 07.11.2014 at 10:30, Thomas Bruederli wrote:
>>>
>>> Pretty good but please be aware that $_SERVER['REMOTE_ADDR'] doesn't
>>> reflect the client IP if your webserver is behind a reverse proxy or
>>> load balancer. There's rcube_utils::remote_addr() which extracts the
>>> real client IP from the headers such intermediate systems add to the
>>> request
>>
>> in a sane setup it does
>> http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
>>
>> rcube_utils::remote_addr() is dangerous, the X-Forwarded-For is not
>> trustable and hence "mod_remoteip" or for older Apache versions "mod_rpaf" -
>> the important difference is that:
>
> You're certainly right about this but if you look at the
> implementation of remote_addr() you'll find that the X-Forwarded-For
> header is only considered if the request comes from a known proxy IP
> which can be set with the 'proxy_whitelist' config option. For those
> not using mod_remoteip, this should do the job.

please take a look at the mod_remoteip docs

can you assure that you handle the case where the HTTP header contains 
more than one IP strictly enough, and what are you doing if the proxy is 
using one of the AFAIK 3 possible HTTP headers and one of the remaining 
ones is present?

in that case and with "mod_remoteip" you only see the untrusted ones in 
the PHP layer and have no hint that the real one is already translated

so in a large environment that may lead to somebody fixing the HTTP setup 
because of logging and other issues and configuring 'mod_remoteip', and that 
may not be the same person who configured Roundcube

also consider if the "mod_remoteip" logic/code turns out to contain a 
security-relevant flaw (that was indeed the case not so long ago) and 
gets a fix, this is applied to every single web application not dealing 
with that itself
__________________________________

Apache 2.4.8:

* mod_remoteip: Correct the trusted proxy match test. PR 54651
* mod_remoteip: Use the correct IP addresses to populate the proxy_ips field

docs are unchanged, but the implementation had an error

> However, we should consider $_SERVER['REMOTE_IP'] in remote_addr() if available

please do so!

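An added example, not Roundcube's own rcube_utils::remote_addr(), showing the trust order argued for in this thread: honour a frontend-resolved address first, consult X-Forwarded-For only when REMOTE_ADDR is a whitelisted proxy, and walk a multi-IP header from the right so client-controlled entries are never used. The function name, the $proxy_whitelist argument, the REMOTE_IP variable and the sample addresses are assumptions.

```php
<?php
// Added example, not Roundcube's rcube_utils::remote_addr(). The function name
// and the $proxy_whitelist parameter are assumptions for illustration.
/**
 * Resolve the client address with the trust order discussed in the thread:
 *  1. an address a frontend module (mod_remoteip/mod_rpaf) already resolved,
 *     if the server exposes it as REMOTE_IP (assumed here, as in the thread);
 *  2. REMOTE_ADDR as-is when it is not a whitelisted proxy, so a client that
 *     connects directly cannot influence the result through any header;
 *  3. only for a whitelisted proxy: walk X-Forwarded-For from the right,
 *     skipping trusted proxies, and take the first other address. Entries
 *     further left are client-controlled and are never consulted. Other
 *     forwarding headers (X-Real-IP, Client-IP, ...) are ignored entirely.
 */
function resolve_client_ip(array $server, array $proxy_whitelist): string
{
    $remote   = $server['REMOTE_ADDR'] ?? '';
    $resolved = $server['REMOTE_IP'] ?? '';
    if ($resolved !== '' && filter_var($resolved, FILTER_VALIDATE_IP) !== false) {
        return $resolved;
    }
    if (!in_array($remote, $proxy_whitelist, true)) {
        return $remote;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // Empty or malformed hop: stop rather than trust anything further left.
            return $remote;
        }
        if (!in_array($hop, $proxy_whitelist, true)) {
            return $hop;
        }
    }
    // Every hop was a trusted proxy: fall back to the connecting proxy.
    return $remote;
}

// Constructed sample requests (not real traffic), trusting a single proxy.
$proxies = ['10.0.0.5'];
// A direct client sending a forged header: the header is ignored.
echo resolve_client_ip(['REMOTE_ADDR' => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1'], $proxies), "\n";
// The same client via the trusted proxy, which appended the address it saw;
// the forged entry on the left is never reached.
echo resolve_client_ip(['REMOTE_ADDR' => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.9'], $proxies), "\n";
```

With mod_remoteip in front, REMOTE_ADDR already holds the translated address and the whitelist branch is not taken, which is the situation the post warns the PHP layer cannot detect on its own.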