Date: Tue, 22 Sep 2009 03:20:08 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request(?): Thin: Client IP spoofing

======================================================
Name: CVE-2009-3287
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3287
Reference: MLIST:[oss-security] 20090912 CVE request(?): Thin: Client IP spoofing
Reference: URL:http://www.openwall.com/lists/oss-security/2009/09/12/1
Reference: CONFIRM:http://github.com/macournoyer/thin/blob/master/CHANGELOG
Reference: CONFIRM:http://github.com/macournoyer/thin/commit/7bd027914c5ffd36bb408ef47dc749de3b6e063a

lib/thin/connection.rb in Thin web server before 1.2.4 relies on the
X-Forwarded-For header to determine the IP address of the client, which
allows remote attackers to spoof the IP address and hide activities via
a modified X-Forwarded-For header.
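Added example, not code from the Thin project or from the advisory above: a Ruby sketch that contrasts the pattern the advisory describes, taking the first X-Forwarded-For entry at face value, with the usual remedy of only peeling off hops that were appended by proxies the operator controls. The function names, the 192.0.2.0/24 proxy subnet and the request hashes are constructed for illustration; the env keys follow the CGI/Rack convention (REMOTE_ADDR, HTTP_X_FORWARDED_FOR).

```ruby
require 'ipaddr'

# Vulnerable pattern (the class of bug in CVE-2009-3287): the leftmost
# X-Forwarded-For entry is believed no matter which peer sent the header.
def naive_client_ip(env)
  xff = env['HTTP_X_FORWARDED_FOR']
  return env['REMOTE_ADDR'] if xff.nil? || xff.strip.empty?
  xff.split(',').first.strip
end

# Returns an IPAddr, or nil when the string is not a plain IP address.
def parse_ip(str)
  IPAddr.new(str)
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  nil
end

def trusted_proxy?(addr, trusted_nets)
  !addr.nil? && trusted_nets.any? { |net| net.include?(addr) }
end

# Hardened pattern: the header is only consulted when the TCP peer is one
# of our own proxies, and it is walked right-to-left because each proxy
# appends the address it saw as its peer. The first entry that is not one
# of our proxies is the closest hop we can vouch for.
def trusted_client_ip(env, trusted_proxies)
  nets = trusted_proxies.map { |t| IPAddr.new(t) }
  remote = env['REMOTE_ADDR']
  # Untrusted peer: the header is attacker-controlled text, ignore it.
  return remote unless trusted_proxy?(parse_ip(remote), nets)

  hops = (env['HTTP_X_FORWARDED_FOR'] || '').split(',').map(&:strip).reject(&:empty?)
  hops.reverse_each do |hop|
    addr = parse_ip(hop)
    return remote if addr.nil? # malformed entry: trust nothing to its left
    return addr.to_s unless trusted_proxy?(addr, nets)
  end
  remote # every hop was one of ours; fall back to the peer address
end

# Constructed configuration: the subnet our reverse proxies live in.
TRUSTED_PROXIES = ['192.0.2.0/24'].freeze

# Constructed request that arrived through our proxy; the client forged the
# two leading hops and the proxy appended the real peer address.
SPOOFED_VIA_PROXY = {
  'REMOTE_ADDR' => '192.0.2.10',
  'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.7, 203.0.113.9'
}.freeze

# Constructed direct connection carrying a forged header.
SPOOFED_DIRECT = {
  'REMOTE_ADDR' => '203.0.113.9',
  'HTTP_X_FORWARDED_FOR' => '10.0.0.1'
}.freeze

if $PROGRAM_NAME == __FILE__
  [SPOOFED_VIA_PROXY, SPOOFED_DIRECT].each do |env|
    puts "naive=#{naive_client_ip(env)} trusted=#{trusted_client_ip(env, TRUSTED_PROXIES)}"
  end
end
```

In both constructed requests the naive reading attributes the activity to 10.0.0.1, which is exactly the value an access log or rate limiter would record; the hardened reading returns 203.0.113.9 in both cases, since the direct connection's header is ignored outright and the proxied one is unwound only as far as our own hop.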