wargio / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Remove X-Forwarded-For header special processing #103

Closed lubomudr closed 1 year ago

lubomudr commented 1 year ago

Hi

The special handling of X-Forwarded-For in runtime.c is a security hole and VERY DANGEROUS.

If the ngx_http_realip_module module configuration is enabled, the NGINX $remote_addr variable is replaced with X-Forwarded-For if (and only if) the IP packet came from any trusted host in set_real_ip_from. If the IP packet arrived from any other hosts or the ngx_http_realip_module module is not enabled, processing of the X-Forwarded-For header is ignored.

Handling of the X-Forwarded-For header must be completely transparent to NAXSI.

wargio commented 1 year ago

I think the issue should be solved by checking the actual trusted list of IPs. If you have 3 reverse proxies then you should be able to know which IPs should be in the headers and block bad requests. The original feature has always been problematic, and I do agree on the issue you are raising.

lubomudr commented 1 year ago

This problem does not exist in NGINX. It handles everything correctly.

But NAXSI in its current implementation additionally tries to check the X-Forwarded-For header itself and, regardless of the settings of trusted hosts, passes requests if the header contains a value from IgnoreCIDR / IgnoreIP.

For example, in our organization, internal addresses are not checked by NAXSI. We specified IgnoreCIDR 192.168.0.0/16, 172.16.0.0/16. But now any packet from any host with X-Forwarded-For: 192.168.1.1 will be passed by NAXSI.
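The two policies compared in this thread, written out as a small model (added here for illustration; this is not NAXSI's runtime.c nor any nginx code). The trusted-proxy addresses (10.0.0.5, 10.0.0.6), the external peer 203.0.113.7 and the three requests are constructed for the example; the IgnoreCIDR ranges are the ones from the comment above. `real_client_ip` mirrors what ngx_http_realip_module does with `real_ip_header X-Forwarded-For` and `real_ip_recursive on`, which is an assumption about the deployment, not something stated in the thread. The third request goes beyond the single case quoted above: it shows that a forged leading entry still bypasses the header-scanning check even when the request does arrive through a trusted proxy.

```python
"""
Constructed model of the two whitelist decisions discussed in this issue:
- vulnerable_whitelisted: any X-Forwarded-For entry inside IgnoreCIDR skips
  inspection, whoever sent the packet (the behaviour the report describes);
- hardened_whitelisted: decide only on the address nginx itself would trust.
Proxy addresses and requests are made up for the example.
"""
from ipaddress import ip_address, ip_network

# Trusted reverse proxies, as nginx's set_real_ip_from would list them
# (assumed values for this example).
TRUSTED_PROXIES = [ip_network("10.0.0.5/32"), ip_network("10.0.0.6/32")]

# Internal ranges the reporter exempts from inspection via IgnoreCIDR.
IGNORE_CIDRS = [ip_network("192.168.0.0/16"), ip_network("172.16.0.0/16")]


def in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def parse_xff(header):
    """Split an X-Forwarded-For value into addresses, client first, nearest proxy last."""
    if not header:
        return []
    addrs = []
    for part in header.split(","):
        try:
            addrs.append(ip_address(part.strip()))
        except ValueError:
            # Garbage entries are dropped rather than trusted.
            continue
    return addrs


def real_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """
    Model of ngx_http_realip_module with real_ip_recursive on (assumed config):
    only a packet from a trusted proxy may rewrite $remote_addr, and then the
    rightmost XFF entry that is not itself a trusted proxy wins. A packet from
    anyone else keeps its TCP peer address, whatever the header says.
    """
    peer = ip_address(peer_ip)
    if not in_any(peer, trusted):
        return peer
    for hop in reversed(parse_xff(xff_header)):
        if not in_any(hop, trusted):
            return hop
    return peer


def vulnerable_whitelisted(peer_ip, xff_header, ignore=IGNORE_CIDRS):
    """Behaviour described in the report: scan the header regardless of trust."""
    if in_any(ip_address(peer_ip), ignore):
        return True
    return any(in_any(hop, ignore) for hop in parse_xff(xff_header))


def hardened_whitelisted(peer_ip, xff_header, trusted=TRUSTED_PROXIES, ignore=IGNORE_CIDRS):
    """Fix proposed in the thread: whitelist on the realip-derived client address only."""
    return in_any(real_client_ip(peer_ip, xff_header, trusted), ignore)


# Constructed requests: (TCP peer address, X-Forwarded-For header value).
REQUESTS = {
    "external_peer_forged_xff": ("203.0.113.7", "192.168.1.1"),
    "trusted_proxy_internal_client": ("10.0.0.5", "192.168.1.1"),
    "trusted_proxy_chain_forged_prefix": ("10.0.0.5", "192.168.1.1, 203.0.113.7, 10.0.0.6"),
}


def compare(requests=REQUESTS):
    """Return {name: (vulnerable_decision, hardened_decision)} for each request."""
    return {
        name: (vulnerable_whitelisted(peer, xff), hardened_whitelisted(peer, xff))
        for name, (peer, xff) in requests.items()
    }


if __name__ == "__main__":
    for name, (vuln, fixed) in compare().items():
        print(f"{name:36s} vulnerable={vuln!s:5s} hardened={fixed}")
```

Only the second request, an internal client genuinely forwarded by a trusted proxy, is whitelisted under both policies; the other two are whitelisted only by the header-scanning check, which is the gap the report describes.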

wargio commented 1 year ago

Probably I'm still stuck with issues that afflicted very old versions of nginx.

wargio commented 1 year ago

I have made a special release due to this security bug. I have requested a CVE in your name :) @lubomudr

https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x

lubomudr commented 1 year ago

Thank you. I just haven't figured out what it is yet ;-)

wargio commented 1 year ago

https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures