Date: Sat, 12 Sep 2009 11:03:05 +0200 From: Alex Legler <a3li@...too.org> To: oss-security@...ts.openwall.com Subject: CVE request(?): Thin: Client IP spoofing Hey, we've stumbled upon a changelog entry in Thin , a ruby http server: > * Fix Remote address spoofing vulnerability in > Connection#remote_address [Alexey Borzenkov] Thin uses the X-Forwarded-For header (if it is provided) to determine the client's IP address. That could be used to facilitate spoofing. This is the commit: http://github.com/macournoyer/thin/commit/7bd027914c5ffd36bb408ef47dc749de3b6e063a Not sure if it warrants a CVE, if it does, please assign one. Thanks, Alex  http://code.macournoyer.com/thin/ Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ