[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI

To: bugtraq@securityfocus.com
Subject: possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI
From: itojun@iijlab.net
Date: Wed, 29 Oct 2003 14:58:21 +0900

        because of the difference in http server in handling IPv4 mapped
        address (IPv4 traffic goes into the system into AF_INET6 socket),
        the peer's address passed by $REMOTE_ADDR to CGI script can vary
        between the http server.
        some http server would pass IPv4 mapped address as is (::ffff:10.1.1.1),
        and some http server would pass IPv4 mapped address converted into
        IPv4 address (10.1.1.1).  this complexity could confuse CGI program
        writers and could open up vulnerability if CGI program uses
        $REMOTE_ADDR for authentication.

        solution: do not accept IPv4 traffic by using AF_INET6 socket.  use
        AF_INET socket (http server should listen to AF_INET and AF_INET6
        socket explicitly).  draft-cmetz-v6ops-v4mapped-api-harmful-01.txt
        talks more about this issue.

itojun

Follow-Ups:
- Re: possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI
  - From: Colm MacCarthaigh <colmmacc@redbrick.dcu.ie>

Prev by Date: STG Security Advisory: [SSA-20031025-05] InfronTech WebTide 7.04 Directory and File Disclosure Vulnerability
Next by Date: [SECURITY] [DSA 396-1] New thttpd packages fix information leak, DoS and arbitrary code execution
Previous by thread: STG Security Advisory: [SSA-20031025-05] InfronTech WebTide 7.04 Directory and File Disclosure Vulnerability
Next by thread: Re: possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI
Index(es):
- Date
- Thread