possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI
itojun_at_iijlab.net
Date: 10/29/03
- Previous message: advisory_at_stgsecurity.com: "STG Security Advisory: [SSA-20031025-05] InfronTech WebTide 7.04 Directory and File Disclosure Vulnerability"
- Next in thread: Colm MacCarthaigh: "Re: possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI"
- Reply: Colm MacCarthaigh: "Re: possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: bugtraq@securityfocus.com Date: Wed, 29 Oct 2003 14:58:21 +0900
because of the difference in http server in handling IPv4 mapped
address (IPv4 traffic goes into the system into AF_INET6 socket),
the peer's address passed by $REMOTE_ADDR to CGI script can vary
between the http server.
some http server would pass IPv4 mapped address as is (::ffff:10.1.1.1),
and some http server would pass IPv4 mapped address converted into
IPv4 address (10.1.1.1). this complexity could confuse CGI program
writers and could open up vulnerability if CGI program uses
$REMOTE_ADDR for authentication.
solution: do not accept IPv4 traffic by using AF_INET6 socket. use
AF_INET socket (http server should listen to AF_INET and AF_INET6
socket explicitly). draft-cmetz-v6ops-v4mapped-api-harmful-01.txt
talks more about this issue.
itojun
- Previous message: advisory_at_stgsecurity.com: "STG Security Advisory: [SSA-20031025-05] InfronTech WebTide 7.04 Directory and File Disclosure Vulnerability"
- Next in thread: Colm MacCarthaigh: "Re: possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI"
- Reply: Colm MacCarthaigh: "Re: possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
