Vigil@nce - Zend Framework: spoofing client IP address
November 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use the X-Forwarded-For header when connecting to
a server with Zend Framework, in order to spoof the IP address of
a legitimate client.
– Impacted products: Zend Framework
– Severity: 2/4
– Creation date: 04/11/2013
DESCRIPTION OF THE VULNERABILITY
The Zend Framework provides two classes to manage the IP address
of a client:
Zend\Http\PhpEnvironment\RemoteAddress
Zend\Session\Validator\RemoteAddr
The HTTP X-Forwarded-For header is used by proxies to indicate the
IP address of their client, because the $_SERVER['REMOTE_ADDR']
variable contains the IP address of the proxy.
However, an attacker (who is not behind a proxy) can add the
X-Forwarded-For header containing the IP address of a client
allowed by RemoteAddress or RemoteAddr.
An attacker can therefore use the X-Forwarded-For header when
connecting to a server with Zend Framework, in order to spoof the
IP address of a legitimate client.
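The usual mitigation for this class of issue, as an added example that is not Zend Framework's code: X-Forwarded-For is honoured only when the TCP peer ($_SERVER['REMOTE_ADDR']) is one of the site's own reverse proxies, and trusted hops are stripped from the right-hand end of the chain. The function name and the addresses 10.0.0.5 / 203.0.113.7 / 127.0.0.1 are assumptions constructed for the demonstration.

```php
<?php
// Added example (not Zend Framework code): resolve the client IP while
// honouring X-Forwarded-For only when the request came through a proxy we run.

/**
 * @param array    $server         The $_SERVER array (or a constructed copy).
 * @param string[] $trustedProxies IP addresses of reverse proxies we operate.
 */
function resolveClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection from something that is not one of our proxies:
    // the TCP peer address is the only value the client cannot forge.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '') {
        return $remote;
    }

    // X-Forwarded-For is "client, proxy1, proxy2": each proxy appends the
    // address it saw. Walk from the right, dropping hops we trust, and stop
    // at the first address that is not ours: that is what our edge proxy saw.
    $hops = array_map('trim', explode(',', $header));
    while ($hops !== [] && in_array(end($hops), $trustedProxies, true)) {
        array_pop($hops);
    }
    $candidate = $hops !== [] ? end($hops) : $remote;

    // Never accept a syntactically invalid value taken from a header.
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $remote;
}

// Constructed requests for the demonstration (assumed addresses).
$trusted = ['10.0.0.5'];

// Attacker connects directly and forges the header: the header is ignored.
assert(resolveClientIp(
    ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    $trusted
) === '203.0.113.7');

// Same forged header sent through our proxy, which appends the real peer:
// the proxy-appended hop wins, not the attacker-supplied prefix.
assert(resolveClientIp(
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.7'],
    $trusted
) === '203.0.113.7');
```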
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Zend-Framework-spoofing-client-IP-address-13689