
List:       oss-security
Subject:    Re: [oss-security] CVE request(?): Thin: Client IP spoofing
From:       "Steven M. Christey" <coley () linus ! mitre ! org>
Date:       2009-09-22 7:20:08
Message-ID: Pine.GSO.4.51.0909220319500.16381 () faron ! mitre ! org


======================================================
Name: CVE-2009-3287
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3287
Reference: MLIST:[oss-security] 20090912 CVE request(?): Thin: Client IP spoofing
Reference: URL:http://www.openwall.com/lists/oss-security/2009/09/12/1
Reference: CONFIRM:http://github.com/macournoyer/thin/blob/master/CHANGELOG
Reference: CONFIRM:http://github.com/macournoyer/thin/commit/7bd027914c5ffd36bb408ef47dc749de3b6e063a

lib/thin/connection.rb in Thin web server before 1.2.4 relies on the
X-Forwarded-For header to determine the IP address of the client,
which allows remote attackers to spoof the IP address and hide
activities via a modified X-Forwarded-For header.
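The entry above describes the classic client-IP spoofing pattern: a server takes the X-Forwarded-For header at face value, so any direct client can write an arbitrary address into it and have that address logged or used for access decisions. The following Ruby example is added here to illustrate the defect and its mitigation; it is not Thin's code and does not reproduce the fix in the linked commit. It uses constructed Rack-style request environments (REMOTE_ADDR is the TCP peer, HTTP_X_FORWARDED_FOR is the header) and a hypothetical trusted-proxy list `192.0.2.0/24`. The vulnerable function mirrors the behaviour the CVE describes; the hardened one honours the header only when the TCP peer is a known reverse proxy, and then walks the chain from the right so that a value the client inserted at the left is never trusted.

```ruby
require 'ipaddr'

# Constructed sample requests (not real traffic). RFC 5737 documentation
# ranges are used for every address.

# A client connecting directly that forged an X-Forwarded-For header.
FORGED_ENV = {
  "REMOTE_ADDR"          => "203.0.113.7",
  "HTTP_X_FORWARDED_FOR" => "10.0.0.1"
}.freeze

# A request that genuinely arrived through the trusted reverse proxy 192.0.2.10.
PROXIED_ENV = {
  "REMOTE_ADDR"          => "192.0.2.10",
  "HTTP_X_FORWARDED_FOR" => "198.51.100.23"
}.freeze

# The client forged a header, then the trusted proxy appended the real address.
CHAINED_ENV = {
  "REMOTE_ADDR"          => "192.0.2.10",
  "HTTP_X_FORWARDED_FOR" => "10.0.0.1, 198.51.100.23"
}.freeze

# Hypothetical deployment: only this network hosts our reverse proxies.
TRUSTED_PROXIES = ["192.0.2.0/24"].freeze

# Vulnerable pattern (the behaviour CVE-2009-3287 describes, simplified):
# whatever the request carries in X-Forwarded-For is believed unconditionally,
# so the logged "client IP" is under the attacker's control.
def client_ip_vulnerable(env)
  xff = env["HTTP_X_FORWARDED_FOR"]
  return xff.split(",").first.strip if xff && !xff.strip.empty?
  env["REMOTE_ADDR"]
end

# Hardened pattern: X-Forwarded-For is only consulted when the TCP peer is one
# of our own proxies. The chain is then walked right-to-left, skipping hops
# that are themselves trusted proxies; the first address not under our control
# is the client. Anything a client prepended sits further left and is ignored.
def client_ip_hardened(env, trusted_proxies = TRUSTED_PROXIES)
  trusted = trusted_proxies.map { |cidr| IPAddr.new(cidr) }
  trusted_peer = lambda do |ip|
    trusted.any? { |net| net.include?(IPAddr.new(ip)) }
  rescue IPAddr::InvalidAddressError
    false # a malformed address is never treated as a trusted proxy
  end

  peer = env["REMOTE_ADDR"]
  return peer unless peer && trusted_peer.call(peer)

  chain = (env["HTTP_X_FORWARDED_FOR"] || "").split(",").map(&:strip).reject(&:empty?)
  chain.reverse_each do |hop|
    return hop unless trusted_peer.call(hop)
  end
  # Every hop was one of our proxies (or the header was empty): the peer itself
  # is the closest thing to a client address we can vouch for.
  peer
end

if __FILE__ == $PROGRAM_NAME
  [FORGED_ENV, PROXIED_ENV, CHAINED_ENV].each do |env|
    puts "peer=#{env['REMOTE_ADDR']} xff=#{env['HTTP_X_FORWARDED_FOR'].inspect} " \
         "vulnerable=#{client_ip_vulnerable(env)} hardened=#{client_ip_hardened(env)}"
  end
end
```

Running the block shows the difference on the forged request: the vulnerable lookup reports `10.0.0.1`, an address the client simply typed into the header, while the hardened lookup reports the real peer `203.0.113.7` because that peer is not a trusted proxy. For logging and audit purposes it is also worth recording REMOTE_ADDR alongside the derived client address, so that a spoofing attempt remains visible in the logs even when the header is honoured.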

