Summary: Disable resolution of X-forwarded-for
Component: mod_remoteip
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Attachments: DNS in XFF header
Description v.truong 2021-09-20 11:03:05 UTC
Created attachment 38039: DNS in XFF header

It was possible during the penetration test to manipulate the application so that it performs a DNS resolution of our choice. This vulnerability could possibly allow interaction with the internal servers of the application. For more information, cf. http://blog.portswigger.net/2015/04/introducing-burp-collaborator.html

Is there any way to disable the DNS resolution of the XFF header, to allow only IP addresses in this header, or to implement a whitelist with which the application can communicate and block all other interactions?
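The behaviour the reporter asks for (accept only IP literals in X-Forwarded-For, never hand a header token to the resolver) can be enforced in front of, or instead of, mod_remoteip. The following is an added example and is not code from the bug report, from httpd or from mod_remoteip; the trusted-proxy list, the sample headers and the "stop at the first non-literal entry" policy are constructed assumptions. It does the usual right-to-left walk over the XFF list, skipping trusted proxies, but every token has to parse as an IP address with `ipaddress.ip_address`, which never performs name resolution, so a Collaborator-style hostname is logged and dropped rather than looked up.

```python
"""Strict X-Forwarded-For handling that never triggers a DNS lookup.

Added example, not httpd/mod_remoteip code. Policy: a token that is not a
plain IP literal ends the walk; nothing to the left of it is trusted.
"""
import ipaddress

# Constructed assumption: the internal reverse proxies whose XFF we trust.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def parse_ip_literal(token):
    """Return an IPv4/IPv6 address object for a bare IP literal, else None.

    ipaddress.ip_address() only parses; it never calls the resolver, so a
    hostname such as 'x.burpcollaborator.net' cannot cause a DNS query.
    """
    token = token.strip()
    if not token:
        return None
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def is_trusted(addr):
    """True if addr lies inside one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(xff_header, peer_ip, log):
    """Derive the client address from the TCP peer and the XFF header.

    Walk the XFF list right to left starting from the peer, skip addresses
    that are trusted proxies, and stop at the first untrusted address.
    A token that is not an IP literal is logged and terminates the walk
    (returning the last good address); it is never resolved.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        # Header arrived from an untrusted peer: ignore XFF entirely.
        return peer
    tokens = [t for t in xff_header.split(",")] if xff_header else []
    current = peer
    for tok in reversed(tokens):
        addr = parse_ip_literal(tok)
        if addr is None:
            log.append(f"rejected non-IP X-Forwarded-For entry {tok.strip()!r}")
            return current
        current = addr
        if not is_trusted(addr):
            break
    return current


if __name__ == "__main__":
    # Constructed sample requests, as an edge proxy would hand them to us.
    samples = [
        ("198.51.100.7, 10.0.0.2", "10.0.0.1"),
        ("x.burpcollaborator.net, 198.51.100.7", "10.0.0.1"),
        ("x.burpcollaborator.net", "10.0.0.1"),
    ]
    for hdr, peer in samples:
        events = []
        print(hdr, "->", client_ip(hdr, peer, events), events)
```

Because the walk stops at the first untrusted literal, an attacker who prepends a hostname to the header never gets it examined when a trusted proxy has appended the real client address; only a misbehaving trusted proxy that forwards junk as the rightmost entry trips the rejection path, and that is worth alerting on.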
Comment 1 Rainer Jung 2021-09-20 12:27:42 UTC
I guess this is related to https://email@example.com/msg66312.html where we discussed an attempt to solve it but stranded.
Comment 2 v.truong 2021-09-21 02:38:20 UTC
(In reply to Rainer Jung from comment #1)
> I guess this is related to
>
> https://firstname.lastname@example.org/msg66312.html
>
> where we discussed an attempt to solve it but stranded.

Yes, it is exactly what we are expecting. It seems that we can't fix it at the moment.