Vulnerability Bulletins

MSA-20-0003: IP addresses can be spoofed using X-Forwarded-For


System information

   
Affected software PHP

Description

von Michael Hawkins. X-Forwarded-For headers could be used to spoof a users IP, in order to bypass remote address checks.PATCH NOTE: For user IPs to be checked (and logged) accurately after this patch is applied, sites using multiple levels of reverse proxies/balancers that append to the X-Forwarded-For header will need to configure the new "reverseproxyignore" setting. This ensures the IPs of the later proxies are ignored in favour of the users IP. Severity/Risk: Serious

More info:

https://moodle.org/mod/forum/discuss.php?d=398351&parent=1606855

Standar resources

Property Value
CVE CVE-2020-1755.

Version history

Version Comments Date
1.0 Advisory issued 2020-03-31
Ministerio de Defensa
CNI
CCN
CCN-CERT