Haproxy vulnerability: IP spoof via X-Forwarded-For forgery.

You are here:
Estimated reading time: < 1 min

Description

Suppose an IP-based access control solution is implemented in your web server (back-end server). In that case, the Haproxy used by BitNinja’s SslTerminating module can be exploited to push an arbitrary IP address to the backend webserver behind our WAF module, thus bypassing the aforementioned IP-based policy.

Does NOT affect BitNinja’s IPFilter

The issue does not affect BitNinja’s protection in any way, and it is also not a BitNinja-specific vulnerability. As it is not a BitNinja-specific vulnerability, and the same issue can be reproduced in other environments, there is no way to block this X-Forwarded-For header forgery.

Solution

We suggest adding the proxies you see as secure to our Trusted proxy list.
To do this, you will need to enable the TrustedProxy module.
You can enable the module and add the IP addresses from the Firewall → Trusted Proxies menu.

Also, if you have your blocklist, we suggest adding the IP addresses to BitNinja’s blockist.
And this should resolve the issue you are having.

Was this article helpful?
It was not helpful
Views: 161