possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI

itojun_at_iijlab.net
Date: 10/29/03

  • Next message: Martin Schulze: "[SECURITY] [DSA 396-1] New thttpd packages fix information leak, DoS and arbitrary code execution"
    To: bugtraq@securityfocus.com
    Date: Wed, 29 Oct 2003 14:58:21 +0900
    
    

            because of the difference in http server in handling IPv4 mapped
            address (IPv4 traffic goes into the system into AF_INET6 socket),
            the peer's address passed by $REMOTE_ADDR to CGI script can vary
            between the http server.
            some http server would pass IPv4 mapped address as is (::ffff:10.1.1.1),
            and some http server would pass IPv4 mapped address converted into
            IPv4 address (10.1.1.1). this complexity could confuse CGI program
            writers and could open up vulnerability if CGI program uses
            $REMOTE_ADDR for authentication.

            solution: do not accept IPv4 traffic by using AF_INET6 socket. use
            AF_INET socket (http server should listen to AF_INET and AF_INET6
            socket explicitly). draft-cmetz-v6ops-v4mapped-api-harmful-01.txt
            talks more about this issue.

    itojun


  • Next message: Martin Schulze: "[SECURITY] [DSA 396-1] New thttpd packages fix information leak, DoS and arbitrary code execution"