Date: Sat, 12 Sep 2009 11:03:05 +0200
From: Alex Legler <>
Subject: CVE request(?): Thin: Client IP spoofing


we've stumbled upon a changelog entry in Thin [1], a Ruby HTTP server:

>  * Fix Remote address spoofing vulnerability in
> Connection#remote_address [Alexey Borzenkov]

Thin uses the X-Forwarded-For header (if it is provided) to determine
the client's IP address. That could be used to facilitate spoofing.

This is the commit:

Not sure if it warrants a CVE; if it does, please assign one.
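
The following is an added example, not part of the original message and not Thin's code or the fix in the referenced commit. It shows one way a server can take the client address from X-Forwarded-For only when the TCP peer is a known reverse proxy; the proxy ranges and the helper names (`TRUSTED_PROXIES`, `parse_ip`, `trusted_proxy?`, `client_address`) are assumptions made for illustration.

```ruby
require 'ipaddr'

# Hypothetical helper, not Thin's Connection#remote_address.
# Assumption: these ranges are the reverse proxies deployed in front of the app.
TRUSTED_PROXIES = %w[127.0.0.1/32 10.0.0.0/8].map { |cidr| IPAddr.new(cidr) }.freeze

# Parse one address; return nil for empty or malformed input.
def parse_ip(text)
  s = text.to_s.strip
  return nil if s.empty?
  IPAddr.new(s)
rescue IPAddr::Error
  nil
end

def trusted_proxy?(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# peer_addr:     address of the TCP peer, taken from the socket (a header cannot set it)
# forwarded_for: raw X-Forwarded-For header value, or nil when absent
def client_address(peer_addr, forwarded_for)
  peer = parse_ip(peer_addr)
  # A direct client controls every header it sends, so the header is ignored
  # unless the connection comes from one of our own proxies.
  return peer_addr.to_s if peer.nil? || !trusted_proxy?(peer)

  # Each proxy appends the address it saw, so the rightmost entries are the
  # ones written by our infrastructure. Walk right to left and stop at the
  # first hop that is not one of our proxies.
  forwarded_for.to_s.split(',').reverse_each do |hop|
    ip = parse_ip(hop)
    return peer.to_s if ip.nil?              # malformed entry: fall back to the peer
    return ip.to_s unless trusted_proxy?(ip)
  end
  peer.to_s                                  # header absent or only our proxies listed
end
```

Entries to the left of the returned address were supplied by the client side and are suitable for logging only, not for access decisions.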


