CVE-2023-50463: Security: trust_header overwrites req.RemoteAddr globally · Issue #4 · shift72/caddy-geo-ip
The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).
When trust_header is configured, the middleware overwrites req.RemoteAddr with the value taken from the trusted header. Because that field is shared by every handler that runs afterwards, a client can spoof the remote address seen by all subsequent checks.
In the example below, the {remote_host} placeholder reflects the spoofed value rather than the real TCP peer.
geo_ip {
    db_path /var/lib/GeoIP/GeoLite2-City.mmdb
    trust_header X-Forwarded-For
}
respond /test 200 {
    body "Remote Address:{remote_host}"
}
This allows bypassing IP range restrictions, bypassing the trusted_proxy directive in reverse_proxy and any other restrictions or checks that use req.RemoteAddr.
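As an added illustration (not the plugin's own code), the Go sketch below places the flawed pattern beside a hardened one: the forwarded address is believed only when the TCP peer is a configured trusted proxy, and the result is kept in the request context instead of being written into req.RemoteAddr. The CIDR ranges, the function names and the restriction stand-in are constructed for the example.

```go
package main

import (
	"context"
	"net/http"
	"net/netip"
	"strings"
)

// Constructed ranges: what the IP restriction admits, and which peers are trusted proxies.
var allowed, trustedProxies = netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("198.51.100.0/24")
type clientIPKey struct{} // context key under which hardenedGeoIP stores the resolved client

// hostOf mimics Caddy's {remote_host}: the address without its port, if it has one.
func hostOf(addr string) netip.Addr {
	if ap, err := netip.ParseAddrPort(addr); err == nil {
		return ap.Addr()
	}
	a, _ := netip.ParseAddr(addr) // zero Addr if unparsable
	return a
}

// vulnerableGeoIP reproduces the flaw: X-Forwarded-For from any peer overwrites r.RemoteAddr, which every later check reads.
func vulnerableGeoIP(r *http.Request) {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		r.RemoteAddr = strings.TrimSpace(strings.Split(xff, ",")[0])
	}
}

// hardenedGeoIP believes the header only from a trusted proxy and keeps the result in the context; r.RemoteAddr is untouched.
func hardenedGeoIP(r *http.Request) *http.Request {
	client := hostOf(r.RemoteAddr)
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" && trustedProxies.Contains(client) {
		if a, err := netip.ParseAddr(strings.TrimSpace(xff[strings.LastIndex(xff, ",")+1:])); err == nil {
			client = a // rightmost hop: the one the trusted proxy itself appended
		}
	}
	return r.WithContext(context.WithValue(r.Context(), clientIPKey{}, client))
}

// geoClientIP is the address the geo lookup should use: the resolved client, else the TCP peer.
func geoClientIP(r *http.Request) netip.Addr {
	if ip, ok := r.Context().Value(clientIPKey{}).(netip.Addr); ok {
		return ip
	}
	return hostOf(r.RemoteAddr)
}

// passesIPRestriction stands in for trusted_proxy or IP-range checks that read r.RemoteAddr.
func passesIPRestriction(r *http.Request) bool { return allowed.Contains(hostOf(r.RemoteAddr)) }
```

With the hardened variant the restriction still sees the real peer, while the geo lookup receives the forwarded client only when a trusted proxy supplied it.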