| Field | Value |
|---|---|
| Affected plugin | WPMU Defender |
| Active installs | 70,000+ |
| Vulnerable version | <= 3.3.0 |
| Audited version | 3.2.0 |
| Fully patched version | – |
| Recommended remediation | Removal of the plugin |
Description
The plugin determines the client IP address from attacker-controlled HTTP headers. Because Defender uses that address for its lockout and ban logic, an attacker can spoof the IP of any target and repeatedly trigger bans against search engine crawlers, the site's own reverse proxy, or legitimate users.
Proof of concept
The plugin uses the method `get_user_ip()` in `src/traits/ip.php` everywhere it needs the current request's IP address:

```php
public function get_user_ip() {
	// Check if it's any Cloudflare IP.
	$cf_ip = $this->cloudflare_ip();
	if ( ! empty( $cf_ip ) && filter_var( $cf_ip, FILTER_VALIDATE_IP ) ) {
		return apply_filters( 'defender_user_ip', $cf_ip );
	}
	$headers = array(
		'HTTP_CLIENT_IP',
		'HTTP_X_REAL_IP',
		'HTTP_X_FORWARDED_FOR',
		'HTTP_X_FORWARDED',
		'HTTP_X_CLUSTER_CLIENT_IP',
		'HTTP_FORWARDED_FOR',
		'HTTP_FORWARDED',
		'REMOTE_ADDR',
	);
	$ip = '';
	foreach ( $headers as $key ) {
		if ( array_key_exists( $key, $_SERVER ) && ! empty( $_SERVER[ $key ] ) ) {
			$ip_array = explode( ',', $_SERVER[ $key ] );
			$tmp_ip   = array_shift( $ip_array );
			$tmp_ip   = trim( $tmp_ip );
			if ( $this->check_validate_ip( $tmp_ip ) ) {
				$ip = $tmp_ip;
				break;
			}
		}
	}
	return apply_filters( 'defender_user_ip', $ip );
}
```
This method walks a list of forwarding headers and returns the first value that parses as an IP address; `REMOTE_ADDR`, the only value set by the web server from the actual TCP connection, is consulted last. Every `HTTP_*` entry in `$_SERVER` is taken verbatim from the request, so an attacker can send `X-Forwarded-For: <victim IP>` (or any of the other listed headers) and the plugin will treat the victim's address as the requester's.
A site is only safe from this spoofing if all of the following conditions are true:
- Cloudflare is the site's only reverse proxy. With a chain of internal proxies such as Cloudflare -> Varnish -> Nginx -> PHP-FPM, the site is vulnerable.
- The origin cannot be reached directly, bypassing Cloudflare, which requires something like Cloudflare's authenticated origin pulls.
- The web host does not rewrite `REMOTE_ADDR` from the `CF-Connecting-IP` header. (Hosts should do exactly this for WordPress to function properly, so this condition is rarely met.)
In every other configuration the site is vulnerable, and an attacker can exploit the spoofing continuously to ban search engine crawlers, the site's reverse proxy, or legitimate users.
Proposed patch
The required patch is described at length in our article on retrieving the client IP address in PHP.
Summary: only ever use `REMOTE_ADDR` to obtain the current IP address. If the site sits behind a reverse proxy, have the web server itself rewrite `REMOTE_ADDR` from the proxy's header for connections that come from the trusted proxy addresses only (for example Nginx's `real_ip` module or Apache's `mod_remoteip`), so that PHP code never has to decide which forwarding header to believe.
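The following is an added example, not code from the Defender plugin or from the article referenced above. It condenses the vulnerable header walk into a standalone function, places the hardened `REMOTE_ADDR`-only version beside it, and runs both against a constructed `$_SERVER`-style array in which a client connecting from 203.0.113.7 has forged an `X-Forwarded-For` header naming 198.51.100.20 (both are documentation addresses chosen for illustration). The function names and the request array are assumptions made for this example.

```php
<?php
// Added example (not the plugin's code): a spoofable header walk beside a
// hardened replacement, exercised on a constructed request.

/**
 * Condensed form of the vulnerable pattern: the first client-supplied header
 * that parses as an IP wins; REMOTE_ADDR is only the last resort.
 */
function spoofable_client_ip(array $server): string {
    $headers = ['HTTP_CLIENT_IP', 'HTTP_X_REAL_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'];
    foreach ($headers as $key) {
        if (empty($server[$key])) {
            continue;
        }
        // Forwarding headers may carry a comma-separated chain; take the first hop.
        $candidate = trim(explode(',', $server[$key])[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return '';
}

/**
 * Hardened replacement: trust only REMOTE_ADDR. The web server sets it from
 * the TCP connection, or rewrites it from a proxy header for trusted proxy
 * addresses only (real_ip / mod_remoteip), so no client can choose its value.
 */
function trusted_client_ip(array $server): string {
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '';
}

// Constructed request (assumption for this example): the attacker connects
// directly from 203.0.113.7 and forges a header naming the address they want banned.
$request = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.20, 203.0.113.7',
];

echo 'spoofable: ', spoofable_client_ip($request), PHP_EOL;
echo 'trusted:   ', trusted_client_ip($request), PHP_EOL;
```

Run with `php example.php`: the spoofable function reports the forged 198.51.100.20, so any failed-login lockout triggered by this request would ban the victim address, while the hardened function reports 203.0.113.7, the attacker's own connection. Note that the hardened version is only correct when the server-side rewrite of `REMOTE_ADDR` is restricted to connections from the trusted proxies; a catch-all rewrite reintroduces the same spoofing one layer down.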
Timeline
| Event | Date |
|---|---|
| Vendor contacted | September 07, 2022 |
| First response | September 08, 2022 |
| Fully patched at | – |
| Publicly disclosed | April 24, 2023 |