Bug 65584

Summary: Disable resolution of X-forwarded-for
Product: Apache httpd-2 Reporter: v.truong
Component: mod_remoteipAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: major    
Priority: P2    
Version: 2.4.48   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: DNS in XFF header

Description v.truong 2021-09-20 11:03:05 UTC
Created attachment 38039 [details]
DNS in XFF header

It was possible during the penetration test to manipulate the application so that it performs a DNS resolution of our choice.
This vulnerability could possibly allow interaction with the internal servers of the application.
For more information, cf. : http://blog.portswigger.net/2015/04/introducing-burp-collaborator.html
Is there anyway to disable the DNS resolution of XFF header, or to allow only IP addresses in this header, or to implement a whitelist with which the application can communicate and block all other interactions?
Comment 1 Rainer Jung 2021-09-20 12:27:42 UTC
I guess this is related to

https://www.mail-archive.com/dev@httpd.apache.org/msg66312.html

where we discussed an attempt to solve it but stranded.
Comment 2 v.truong 2021-09-21 02:38:20 UTC
(In reply to Rainer Jung from comment #1)
> I guess this is related to
> 
> https://www.mail-archive.com/dev@httpd.apache.org/msg66312.html
> 
> where we discussed an attempt to solve it but stranded.

Yes, it is exactly what we are expecting.
It seems that we can't fix it at the moment.