# lucee
j
I had a recent client bug bounty where the attacker spoofed the X-Forwarded-For header with 127.0.0.1 and was able to view the Lucee debugging info (queries, paths, etc.) on a website (IIS). Lucee is running on CommandBox in production mode. Can anything be done to prevent this? It would be nice to allow debugging from an IP/MAC address combo (at least for localhost). That seems more secure. I realize MAC addresses are not accessible in headers or CGI vars, but if localhost requests and responses could be validated by CommandBox or Lucee, it would seem possible. Something like the Tomcat secret but for requests and not the connector. (I just disabled all debugging to resolve the issue and will only use my remote IP as needed.)
b
@jakobward The latest version of CommandBox disables use of the proxy peer address header by default
What version of CommandBox are you on?
you'll want 5.5.2
You can re-enable it only if your server is behind a proxy which always sets a trusted forwarded for header
j
Cool! This server does need an update, I will recommend it.
b
There is no other workaround for this however.
If you trust the proxy in front of you, then you can use the header reliably; if you don't trust the proxy in front of you, then you can't trust the header!
That said, even though CommandBox won't use that header by default to change the cgi scope, it will still be there if you want to use it for logging, etc.
j
Dig it. I have an Apache server which is behind a CloudFlare proxy and I HAD to use the X-Forwarded-For header to get the original remote IP. I guess I have some further investigating to do.
So in theory, both cloudflare's proxy and Apache's proxy can be setting that HTTP header
The question is whether either (or both of them) will always set their own header, removing any previously set headers from upstream
What I've generally seen is a proxy will set its own header, so even if a malicious user with Postman sets a fake forwarded-for header, the proxy will ignore it
but as always, you'll have to check through the docs for those proxies and test to see how they handle it
It should be easy to re-create the fake header with a Postman request
j
Yes, I saw that in use. Will do. Thanks!