Cyrille,
On 10/8/2009 4:03 AM, Cyrille Le Clerc wrote:
> I am afraid there may be a flaw in the algorithm looking for the
> first IP of the comma-delimited x-forwarded-for header without
> ensuring that this first IP has been set by a trusted proxy and not by
> the requester ( getFirstIP(xforwardedForHeaderValue) ). Such spoofing
> can easily be achieved with tools like Firefox add-ons Modify Headers
> (1) and X-Forwarded-For Spoofer (2).

This is a good point that you've raised, here: it's a lot easier to spoof an HTTP header than it is to spoof a source IP address in an IP packet.

> The forthcoming version of Apache Httpd will offer a secure
> mechanism to handle X-Forwarded-For with a module called mod_remoteip
> (3). It relies on the concept of trusted proxies whose IP addresses can
> be 'swallowed'. The first IP of the list that is not a trusted proxy
> is seen as the real remote IP. mod_remoteip would not have been
> tricked by such x-forwarded-for header spoofing.

Uh.... huh? That seems counter-intuitive to trust the first untrusted IP address you find. I'll read about mod_remoteip and see what it's all about.

-chris
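The two approaches discussed in the thread, side by side, as an added example that is not part of the original message and is not Tomcat's or Apache's own code: getFirstIP trusts whatever is leftmost in X-Forwarded-For, which is exactly the part a requester can write itself, while the mod_remoteip-style walk starts from the TCP peer address and only swallows entries that belong to a configured trusted proxy. The TRUSTED_PROXIES ranges, the proxy and client addresses, and the header values below are all constructed for the example.

```python
import ipaddress

# Constructed sample configuration: our edge proxies live in 10.0.0.0/8.
# Anything outside these ranges is treated as untrusted.
TRUSTED_PROXIES = ["10.0.0.0/8", "127.0.0.1/32"]


def split_hops(xff_header):
    """Split a comma-delimited X-Forwarded-For value into its hop list."""
    if not xff_header:
        return []
    return [hop.strip() for hop in xff_header.split(",") if hop.strip()]


def get_first_ip(xff_header):
    """The flawed approach from the thread: trust whatever is leftmost.

    Proxies append to the right, so the leftmost entry is the one the
    original requester could have set itself with a header-editing tool.
    """
    hops = split_hops(xff_header)
    return hops[0] if hops else None


def is_trusted_proxy(ip_text, trusted_networks):
    """True if ip_text parses as an address inside a trusted network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # garbage in the header is never a trusted proxy
    return any(addr in net for net in trusted_networks)


def resolve_client_ip(peer_ip, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Trusted-proxy walk in the style of mod_remoteip (reimplemented here).

    Start from the TCP peer, which cannot be forged by editing headers.
    While the current address is a trusted proxy and entries remain,
    swallow it and take the rightmost remaining X-Forwarded-For entry
    (the one that proxy appended). The first untrusted address reached
    is reported as the client. The returned string is untrusted input
    and still needs validation before it is logged or used in policy.
    """
    trusted_networks = [ipaddress.ip_network(n) for n in trusted_proxies]
    hops = split_hops(xff_header)
    current = peer_ip
    while hops and is_trusted_proxy(current, trusted_networks):
        current = hops.pop()
    return current


if __name__ == "__main__":
    # Constructed scenario: the requester at 203.0.113.9 sent a forged
    # "X-Forwarded-For: 1.2.3.4"; our proxy 10.0.0.5 appended the real
    # address before connecting to the application server.
    peer, header = "10.0.0.5", "1.2.3.4, 203.0.113.9"
    print("getFirstIP        :", get_first_ip(header))          # 1.2.3.4
    print("trusted-proxy walk:", resolve_client_ip(peer, header))  # 203.0.113.9
```

The walk direction is what makes the difference: the header is read from the right, and each step is only taken because the address just examined is one of your own proxies, so a value the requester injected on the left is never reached unless every entry to its right is a trusted proxy.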