oss-sec mailing list archives
CVE request(?): Thin: Client IP spoofing
From: Alex Legler <a3li () gentoo org>
Date: Sat, 12 Sep 2009 11:03:05 +0200
Hey,

we've stumbled upon a changelog entry in Thin [1], a Ruby HTTP server:

* Fix Remote address spoofing vulnerability in Connection#remote_address [Alexey Borzenkov]

Thin uses the X-Forwarded-For header (if it is provided) to determine the client's IP address. That could be used to facilitate spoofing.

This is the commit: http://github.com/macournoyer/thin/commit/7bd027914c5ffd36bb408ef47dc749de3b6e063a

Not sure if it warrants a CVE; if it does, please assign one.

Thanks,
Alex

[1] http://code.macournoyer.com/thin/
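
The following Ruby example is added here for illustration; it is not part of the original message and is not Thin's code or the referenced commit. It contrasts the behaviour the report describes (the header wins whenever it is present) with a resolver that consults X-Forwarded-For only when the socket peer is a known reverse proxy. The function names, the `TRUSTED_PROXIES` list, the Rack-style `HTTP_X_FORWARDED_FOR` key and all addresses are assumptions constructed for the example.

```ruby
require 'ipaddr'

# Constructed for this example: reverse proxies this deployment trusts.
TRUSTED_PROXIES = [IPAddr.new('127.0.0.1'), IPAddr.new('10.0.0.0/8')].freeze

# Behaviour as described in the report: the header wins whenever it is present,
# so any client can choose the address the application sees.
def naive_remote_address(env, socket_ip)
  env['HTTP_X_FORWARDED_FOR'] || socket_ip
end

# Returns an IPAddr, or nil for anything that is not a plain IP address.
def parse_ip(text)
  return nil if text.include?('/') # reject CIDR notation in header values
  IPAddr.new(text)
rescue ArgumentError
  nil
end

def trusted_proxy?(text)
  ip = parse_ip(text)
  !ip.nil? && TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# The socket peer is the only address the server observes itself. The header
# is read only when that peer is a trusted proxy, and then from right to left:
# each trusted hop vouches for the entry it appended, and the first untrusted
# entry is the client. Everything further left is client-supplied and ignored.
def client_address(env, socket_ip)
  return socket_ip unless trusted_proxy?(socket_ip)

  hops = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').map(&:strip).reject(&:empty?)
  candidate = socket_ip
  hops.reverse_each do |hop|
    return candidate if parse_ip(hop).nil? # malformed entry: keep last verified hop
    candidate = hop
    return candidate unless trusted_proxy?(hop)
  end
  candidate
end
```

Application code that uses the address for rate limiting, access control or audit logging would call `client_address` with the peer address taken from the accepted socket, never from a request header.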
Current thread:
- CVE request(?): Thin: Client IP spoofing Alex Legler (Sep 12)
- Re: CVE request(?): Thin: Client IP spoofing Steven M. Christey (Sep 22)