oss-sec mailing list archives

Re: CVE request(?): Thin: Client IP spoofing


From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 22 Sep 2009 03:20:08 -0400 (EDT)


======================================================
Name: CVE-2009-3287
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3287
Reference: MLIST:[oss-security] 20090912 CVE request(?): Thin: Client IP spoofing
Reference: URL:http://www.openwall.com/lists/oss-security/2009/09/12/1
Reference: CONFIRM:http://github.com/macournoyer/thin/blob/master/CHANGELOG
Reference: CONFIRM:http://github.com/macournoyer/thin/commit/7bd027914c5ffd36bb408ef47dc749de3b6e063a

lib/thin/connection.rb in Thin web server before 1.2.4 relies on the
X-Forwarded-For header to determine the IP address of the client,
which allows remote attackers to spoof the IP address and hide
activities via a modified X-Forwarded-For header.
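The flaw described above, as an added illustration that is not Thin's own code: a resolver that lets X-Forwarded-For override the socket address (the pre-1.2.4 behaviour the advisory describes) beside one that honours the header only when the TCP peer is a known proxy. The trusted-proxy ranges and the plain header hash are constructed assumptions.

```ruby
require 'ipaddr'

# Constructed assumption: the reverse proxies that may legitimately set
# X-Forwarded-For live in these ranges. Adjust for your deployment.
TRUSTED_PROXIES = [IPAddr.new('10.0.0.0/8'), IPAddr.new('127.0.0.1')].freeze

def trusted_proxy?(ip, trusted = TRUSTED_PROXIES)
  addr = IPAddr.new(ip) rescue nil
  !addr.nil? && trusted.any? { |net| net.include?(addr) }
end

# Vulnerable pattern (CVE-2009-3287 class of bug): if the header is present
# it wins outright, so any client can claim any address and the real peer
# address never reaches logs or access controls.
def client_ip_naive(peer_ip, headers)
  xff = headers['X-Forwarded-For'].to_s
  first = xff.split(',').first.to_s.strip
  first.empty? ? peer_ip : first
end

# Hardened pattern: the header is only meaningful when the connection itself
# came from a trusted proxy. Walk the chain from the right (the hop the last
# proxy appended) and skip trusted hops; the first untrusted hop is the client.
# Anything malformed falls back to the socket address rather than guessing.
def client_ip_hardened(peer_ip, headers, trusted = TRUSTED_PROXIES)
  return peer_ip unless trusted_proxy?(peer_ip, trusted)
  chain = headers['X-Forwarded-For'].to_s.split(',').map(&:strip).reject(&:empty?)
  chain.reverse_each do |hop|
    return peer_ip if (IPAddr.new(hop) rescue nil).nil?
    return hop unless trusted_proxy?(hop, trusted)
  end
  peer_ip
end

if __FILE__ == $0
  spoof = { 'X-Forwarded-For' => '1.1.1.1' }   # constructed: direct client lying
  puts "naive:    #{client_ip_naive('203.0.113.7', spoof)}"      # 1.1.1.1
  puts "hardened: #{client_ip_hardened('203.0.113.7', spoof)}"   # 203.0.113.7
end
```

Logging both the socket address and the raw header value makes a mismatch from an untrusted peer easy to spot in access logs.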
