Headline

GHSA-ghw3-5qvm-3mqc: CodeIgniter4 allows spoofing of IP address when using proxy

Impact

This vulnerability may allow attackers to spoof their IP address when your server is behind a reverse proxy.

Patches

Upgrade to v4.2.11 or later, and configure Config\App::$proxyIPs.

Workarounds

Do not use $request->getIPAddress().

References

https://codeigniter4.github.io/userguide/incoming/request.html#CodeIgniter\HTTP\Request::getIPAddress

For more information

If you have any questions or comments about this advisory:

Open an issue in codeigniter4/CodeIgniter4
Email us at SECURITY.md

2 years ago

ghsa

Open in Source

#vulnerability #git

CodeIgniter4 allows spoofing of IP address when using proxy

High severity GitHub Reviewed Published Dec 22, 2022 in codeigniter4/CodeIgniter4 • Updated Dec 22, 2022

CodeIgniter is a PHP full-stack web framework. This vulnerability may allow attackers to spoof their IP address when the server is behind a reverse proxy. This issue has been patched, please upgrade to version 4.2.11 or later, and configure `Config\App::$proxyIPs`. As a workaround, do not use `$request->getIPAddress()`.

2 years ago

CVE

Open in Source

#vulnerability #web #php