My last PCI audit is driving me crazy.
The last complaint I am getting from SecurityMetrics is about the X-Forwarded-For header on Usermin.
Exactly, the very severe bulnerability, copying from my results:
Title: Access restriction bypass via X-Forwarded-For
Impact: The X-Forwarded-For header is utilised by proxies and/or load balancers to track the originating IP address of the client. As the request progresses through a proxy, the X-Forwarded-For header is added to the existing headers, and the value of the client’s IP is then set within this header. Occasionally, poorly implemented access restrictions are based off of the originating IP address alone. For example, any public IP address may be forced to authenticate, while an internal IP address may not. Because this header can also be set by the client, it allows cyber- criminals to spoof their IP address and potentially gain access to restricted pages. SecurityMetrics discovered a resource that it did not have permission to access, but been granted access after spoofing the address of localhost (127.0.0.1), thus bypassing any requirement to authenticate.
Resolution: Remediation actions may be vastly different depending on the framework being used, and how the application has been coded. However, the X-Forwarded-For header should never be used to validate a client's access as it is trivial to change.
Risk Factor: High/ CVSS2 Base Score: 10.0
This is for port 20000, protocol TCP, and program https
I can’t find much information on google about what to do with this issue, and I am not an expert at all. If someone could enlighten me about this, I would be very grateful.
Many thanks and kind regards from Spain,