oss-sec mailing list archives
Re: CVE request(?): Thin: Client IP spoofing
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 22 Sep 2009 03:20:08 -0400 (EDT)
======================================================
Name: CVE-2009-3287
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3287
Reference: MLIST:[oss-security] 20090912 CVE request(?): Thin: Client IP spoofing
Reference: URL:http://www.openwall.com/lists/oss-security/2009/09/12/1
Reference: CONFIRM:http://github.com/macournoyer/thin/blob/master/CHANGELOG
Reference: CONFIRM:http://github.com/macournoyer/thin/commit/7bd027914c5ffd36bb408ef47dc749de3b6e063a

lib/thin/connection.rb in Thin web server before 1.2.4 relies on the X-Forwarded-For header to determine the IP address of the client, which allows remote attackers to spoof the IP address and hide activities via a modified X-Forwarded-For header.
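The trust decision behind this CVE, as an added Ruby example (not Thin's code and not part of the original message): a resolver that takes the header at face value beside one that believes X-Forwarded-For only when the socket peer is a known proxy. `TRUSTED_PROXIES`, the function names, the header hash shape and all addresses are assumptions constructed for illustration.

```ruby
require "ipaddr"

# Assumption: addresses of the reverse proxies allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [IPAddr.new("127.0.0.1/32"), IPAddr.new("10.0.0.0/8")].freeze

# Returns an IPAddr, or nil for empty or malformed text.
def parse_ip(text)
  text.to_s.empty? ? nil : IPAddr.new(text)
rescue IPAddr::Error
  nil
end

def trusted_proxy?(text)
  ip = parse_ip(text)
  !ip.nil? && TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# Pattern the CVE description warns about: the header wins whenever present,
# so the client chooses the address that ends up in logs and ACL checks.
def naive_client_ip(headers, socket_addr)
  headers["X-Forwarded-For"] || socket_addr
end

# Hardened: the socket peer is the only address the server observes itself.
# The header is read only when that peer is a trusted proxy, right to left,
# stopping at the first hop that is not one of our own proxies.
def client_ip(headers, socket_addr)
  return socket_addr unless trusted_proxy?(socket_addr)
  client = socket_addr
  headers["X-Forwarded-For"].to_s.split(",").map(&:strip).reverse_each do |hop|
    return client if parse_ip(hop).nil?   # malformed entry: keep last verified hop
    return hop unless trusted_proxy?(hop) # first address outside our control
    client = hop
  end
  client
end

# Constructed requests: [headers, socket peer address].
SPOOFED_DIRECT = [{ "X-Forwarded-For" => "10.1.1.1" }, "203.0.113.9"].freeze
SPOOFED_VIA_PROXY = [{ "X-Forwarded-For" => "198.51.100.7, 203.0.113.9" }, "10.0.0.5"].freeze

if __FILE__ == $PROGRAM_NAME
  [SPOOFED_DIRECT, SPOOFED_VIA_PROXY].each do |headers, peer|
    puts "peer=#{peer} naive=#{naive_client_ip(headers, peer)} hardened=#{client_ip(headers, peer)}"
  end
end
```

In the second sample the client prepended `198.51.100.7` and the proxy appended the address it actually saw, so only the rightmost untrusted entry is usable for logging or access decisions.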