> As a workaround, you should avoid using the X-Forwarded-For header from
> untrusted sources. Usually, it is the case - you can trust your frontend
> servers ;)
>
> That means - the real impact of this issue is very minor and mostly due to
> misconfiguration.
Excuse me? This is definitely _not_ a misconfiguration issue.

mod_rpaf is supposed to use the *last* X-Forwarded-For header. There is a bug which adds some garbage to the remote_ip field when a specific request is sent and a *correct* X-Forwarded-For header has been added by the reverse proxy (so the request has two X-Forwarded-For headers when it arrives at the web front end: one is malicious, one is correct and from a trusted source).

A workaround could be stripping the previous X-Forwarded-For headers on the reverse proxy, but it shouldn't be necessary.

The real impact of this issue can be a remote DoS of a LAMP cluster. What makes you feel that this issue is "very minor"?
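As an added illustration of the two points argued above, and not code from the bug report or from mod_rpaf itself: a backend should take the client address from the element the *last* trusted proxy appended (so a client-supplied X-Forwarded-For header that arrives first cannot override it), and it should refuse a malformed element rather than copy it into its remote-address field; the proxy-side workaround mentioned in the reply is to drop any X-Forwarded-For the client sent and emit a single fresh one. The sample request, the trusted-proxy set and the function names below are all constructed for this example.

```python
import ipaddress

# Constructed sample: a request as it arrives at the backend with TWO
# X-Forwarded-For headers.  The first came from the client (untrusted,
# deliberately malformed); the second was appended by the reverse proxy.
SAMPLE_HEADERS = [
    ("Host", "www.example.invalid"),
    ("X-Forwarded-For", "not-an-ip junk, 10.0.0.1"),
    ("X-Forwarded-For", "203.0.113.7"),
]

# Assumed address of the trusted reverse proxy (example value).
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def xff_values(headers):
    """Every X-Forwarded-For element in wire order: all header occurrences,
    each split on commas, so the last element is the one the last proxy added."""
    out = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            out.extend(v.strip() for v in value.split(","))
    return out


def client_ip(headers, peer_ip, trusted):
    """Backend side.  Only honour X-Forwarded-For when the TCP peer is a
    trusted proxy; then walk from the rightmost element leftwards, skipping
    trusted proxy hops, and return the first untrusted address.  A malformed
    element is rejected (None) instead of ending up in remote_ip."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        return peer_ip            # direct client: ignore X-Forwarded-For entirely
    for elem in reversed(xff_values(headers)):
        try:
            addr = ipaddress.ip_address(elem)
        except ValueError:
            return None           # garbage: refuse the request, do not guess
        if addr not in trusted:
            return str(addr)
    return peer_ip                # only proxies listed: fall back to the peer


def proxy_forward_headers(headers, peer_ip):
    """Proxy-side workaround from the reply: strip whatever X-Forwarded-For
    the client sent and forward exactly one header holding the address the
    proxy itself observed."""
    kept = [(n, v) for n, v in headers if n.lower() != "x-forwarded-for"]
    kept.append(("X-Forwarded-For", peer_ip))
    return kept


if __name__ == "__main__":
    print(client_ip(SAMPLE_HEADERS, "192.0.2.10", TRUSTED_PROXIES))   # 203.0.113.7
    print(xff_values(proxy_forward_headers(SAMPLE_HEADERS, "203.0.113.7")))
```

Because the malicious header is never reached when a valid proxy-appended element sits to its right, the stripping workaround is belt-and-braces; the backend still has to validate what it parses, which is the point of the `None` return.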