Closed tograss closed 1 month ago
In the "Am I affected" section you mention:
- The reverse proxy configuration does not correctly overwrite X-Forwarded-For
What exactly is considered correctly overwritten? Am I affected when using the default apache/nginx settings?
There are no default apache settings, you're not affected when using https://docs.goauthentik.io/docs/installation/reverse-proxy
Importantly, the reverse proxy must always set the X-Forwarded-For header and not only add it if it's missing.
- Since the default authentication flow uses a policy to enable the password stage only when there is no password stage selected on the Identification stage, this vulnerability can be used to skip this policy and continue without the password stage.
When I configured a password stage in the identification stage, does that mean I'm not affected?
Correct, as then the separately bound password stage will not be run regardless.
Hi BerJu, thanks for your answer.
There are no default apache settings
Sorry for not being clear. I wanted to clarify if the default behavior of the apache mod_proxy module is safe. By default, if an X-Forwarded-For header is already set, a comma-separated list is passed. See https://httpd.apache.org/docs/current/mod/mod_proxy.html#page-header
I compared it with https://nginx.org/en/docs/http/ngx_http_proxy_module.html
$proxy_add_x_forwarded_for the “X-Forwarded-For” client request header field with the $remote_addr variable appended to it, separated by a comma. If the “X-Forwarded-For” field is not present in the client request header, the $proxy_add_x_forwarded_for variable is equal to the $remote_addr variable.
So the default from the apache mod_proxy module is the same as using proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
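To make the difference between "append" and "overwrite" concrete, here is an added Python model (not code from this thread, from authentik, or from apache/nginx) that simulates both proxy behaviours described above and shows what an application that reads the left-most X-Forwarded-For address sees in each case; it also shows the rightmost-untrusted-address approach as a contrast. The sample addresses and the trusted-proxy range are constructed assumptions.

```python
from __future__ import annotations

from ipaddress import ip_address, ip_network

# Assumption for this example: the address range our own reverse proxies live in.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def proxy_append_xff(peer_ip: str, headers: dict[str, str]) -> dict[str, str]:
    """Apache mod_proxy default / nginx $proxy_add_x_forwarded_for:
    the peer address is appended to whatever X-Forwarded-For the client sent."""
    out = dict(headers)
    existing = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{existing}, {peer_ip}" if existing else peer_ip
    return out


def proxy_set_xff(peer_ip: str, headers: dict[str, str]) -> dict[str, str]:
    """Overwrite (nginx `proxy_set_header X-Forwarded-For $remote_addr;`):
    the header always contains only the address the proxy itself saw."""
    out = dict(headers)
    out["X-Forwarded-For"] = peer_ip
    return out


def leftmost_client_ip(headers: dict[str, str]) -> str:
    """Naive backend logic: trust the first entry in the chain."""
    return headers["X-Forwarded-For"].split(",")[0].strip()


def rightmost_untrusted_ip(headers: dict[str, str]) -> str | None:
    """Walk the chain from the right, skipping our own proxies; the first
    address that is not ours is the one a trusted proxy actually saw."""
    hops = [h.strip() for h in headers["X-Forwarded-For"].split(",")]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than guess
        if not any(addr in net for net in TRUSTED_PROXIES):
            return hop
    return None


if __name__ == "__main__":
    # Constructed sample: a client at 203.0.113.7 already sends an X-Forwarded-For value.
    incoming = {"X-Forwarded-For": "127.0.0.1"}
    for name, fn in (("append", proxy_append_xff), ("set", proxy_set_xff)):
        seen = fn("203.0.113.7", incoming)
        print(name, seen["X-Forwarded-For"], "->", leftmost_client_ip(seen), rightmost_untrusted_ip(seen))
```

With "append", a backend that reads the left-most entry sees the client-supplied value; with "set", it sees the real peer address, which is what the advisory means by correctly overwriting the header.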