Package: libapache2-mod-rpaf
Version: 0.6-7
Severity: important

Dear Maintainer,

  this is a follow-up of bug #697644. I could reproduce the problem today on
two up-to-date Wheezys, and here are the instructions to encounter the bug.

  Set up a single default Apache vhost, which we may thus reach with any name.
E.g.:

  <VirtualHost *:80>
    ServerName rpaf-bug

    DocumentRoot /var/www
    CustomLog /var/log/apache2/access.log combined

    <Location />
      Order deny,allow
      Deny from all
      Allow from 1.2.3.4
    </Location>
  </VirtualHost>

  ... where 1.2.3.4 is an IP address of your host. Then on this same host,
try:

  $ curl http://localhost/
  (denied with Apache default 403 page)
  $ curl http://1.2.3.4/
  (granted, serves /var/www/default/index.html happily)

  So everything's fine till there. Then install libapache2-mod-rpaf and keep
its default config (which trusts 127.0.0.1), and try:

  $ curl -H 'X-Forwarded-For: 1.2.3.4' http://localhost/
  (denied with Apache default 403 page)
  $ tail /var/log/apache2/access.log
  ...
  1.2.3.4 - - [09/Jan/2014:22:15:53 +0100] "GET / HTTP/1.1" 403 461 "-" "curl/7.26.0"

  ... where obviously mod_rpaf works fine (seeing the log) but auth is
wrongfully denied. CGIs also get 1.2.3.4 in REMOTE_ADDR. I made several tests,
and it's clear that Apache does its authz against the real client IP (127.0.0.1
above), and not the one in X-Forwarded-For.

  This problem bit me this afternoon with a serious security exposure while
migrating a site to a new server with the help of a reverse proxy. I think this
is a serious issue.

-- System Information:
Debian Release: 7.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-rpaf depends on:
ii  apache2-mpm-worker [apache2-mpm]  2.2.22-13
ii  libc6                             2.13-38

libapache2-mod-rpaf recommends no packages.

libapache2-mod-rpaf suggests no packages.

-- no debconf information
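The resolution step this report is about, as an added example written for this bug (not code from mod_rpaf or from Apache): given the TCP peer address and the X-Forwarded-For value, compute the client address that `Allow from` must be evaluated against, and honour the header only when the peer is a configured proxy (127.0.0.1, as in the default config above). It goes beyond the report's single-hop case and also walks comma-separated proxy chains; the allow-list check is a model of `Deny from all` / `Allow from`, not Apache's implementation.

```python
import ipaddress

# Trusted proxies: the Debian default of mod_rpaf trusts only the loopback
# address (see the report above). Any other peer is treated as untrusted.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}


def effective_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Resolve the address that access control must be evaluated against.

    Walks X-Forwarded-For from the right (the hop nearest to us) and skips
    every address that belongs to a trusted proxy; the first untrusted hop
    is the client. If the TCP peer itself is not a trusted proxy the header
    is ignored entirely, since an untrusted sender can put anything in it.
    A malformed hop stops the walk and falls back to the last good address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted or not xff_header:
        return peer
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    client = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break
        client = addr
        if addr not in trusted:
            break
    return client


def allowed(client_ip, allow_from):
    """Model of 'Deny from all' plus 'Allow from <addresses>' for one client."""
    client = ipaddress.ip_address(client_ip)
    return any(client in ipaddress.ip_network(n, strict=False) for n in allow_from)


def access_decision(peer_ip, xff_header, allow_from=("1.2.3.4",)):
    """Return (resolved client address, allowed?) for one request."""
    client = effective_client_ip(peer_ip, xff_header)
    return str(client), allowed(client, allow_from)


if __name__ == "__main__":
    # The two requests from the report, sent from the host itself (constructed).
    print(access_decision("127.0.0.1", None))       # ('127.0.0.1', False)
    print(access_decision("127.0.0.1", "1.2.3.4"))  # ('1.2.3.4', True)
```

The second call is the request the report shows being denied: with the header honoured, the resolved client is 1.2.3.4 and the allow rule matches.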
