1 Reply Latest reply on Jul 30, 2015 8:53 AM by TSGal

    IP Restriction Bypass and IP Smuggling

    JoshuaGimer

      Summary

      IP Restriction Bypass and IP Smuggling

      Product

      FileMaker Pro

      Version

      14.0.2.226

      Operating system version

      All

      Description of the issue

      It is possible to bypass IP restrictions when logging into the admin-console by supplying an X-Forwarded-For header with a different IP address. This also allows a remote user to smuggle any IP address they choose into the blacklist using this method, causing DoS.

      Steps to reproduce the problem

Log in to the admin-console multiple times from one source. Once the system has been added to the FileMaker Pro blocklist, intercept subsequent connections using a software-based HTTP proxy (burp, zed, webscarab, paros, charles, etc.). Append an X-Forwarded-For header to all HTTP requests containing a different IP address than the one you originally connected with; you can now access the admin-console. If you supplied an address you wished to have blocked (causing DoS), you will need to append the X-Forwarded-For header with the target IP address and then attempt to login to the application causing lockout.

      Expected result

      The application should block access to hosts based off of the request object that is passed into the application, not via a user supplied field.

      Actual result

      DoS, IP restriction bypass

      Exact text of any error message(s) that appear

      None

      Configuration information

      None

      Workaround

      Pull IP address information from the request object that is created by the application when a new request comes in. Do not use user supplied values for blocking decisions.
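As an added example (not part of the reporter's post and not FileMaker's code), the following Python models the two ways a login lockout can identify a client and shows why the workaround above matters: keyed on a client-supplied X-Forwarded-For header the block is both escapable and spoofable, keyed on the socket peer address it holds. The `Request` stand-in, the `LoginLockout` class, the trusted-proxy handling and all addresses are constructed for illustration.

```python
"""Added example: lockout keyed on X-Forwarded-For versus the socket peer.
Hypothetical request model and lockout tracker; not FileMaker code."""
from dataclasses import dataclass, field
import ipaddress

MAX_FAILURES = 3


@dataclass
class Request:
    """Minimal stand-in for a server request object (constructed for the example)."""
    peer_ip: str                                   # address the TCP connection came from
    headers: dict = field(default_factory=dict)    # client-controlled HTTP headers


def client_ip_insecure(req: Request) -> str:
    """Vulnerable pattern: trusts a header any client can set."""
    return req.headers.get("X-Forwarded-For", req.peer_ip)


def client_ip_secure(req: Request, trusted_proxies=frozenset()) -> str:
    """Hardened pattern: use the socket peer. Only honour X-Forwarded-For when
    the peer is a reverse proxy we operate, and then take the value that proxy
    appended (the rightmost entry); earlier entries are client-controlled."""
    if req.peer_ip in trusted_proxies and "X-Forwarded-For" in req.headers:
        last_hop = req.headers["X-Forwarded-For"].split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(last_hop))
        except ValueError:
            return req.peer_ip      # malformed header: fall back to the peer
    return req.peer_ip


class LoginLockout:
    """Counts failed logins per client address and blocks after MAX_FAILURES.
    `ip_of` is the function that decides which address identifies the client."""

    def __init__(self, ip_of):
        self.ip_of = ip_of
        self.failures = {}
        self.blocked = set()

    def is_blocked(self, req: Request) -> bool:
        return self.ip_of(req) in self.blocked

    def record_failure(self, req: Request) -> None:
        ip = self.ip_of(req)
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= MAX_FAILURES:
            self.blocked.add(ip)


def simulate(ip_of):
    """Lock out one source (constructed addresses), then check whether a forged
    header changes the decision. Returns (bypassed, smuggled_victim_blocked)."""
    lock = LoginLockout(ip_of)
    source = "203.0.113.5"
    for _ in range(MAX_FAILURES):
        lock.record_failure(Request(source))
    if not lock.is_blocked(Request(source)):
        raise RuntimeError("lockout should have engaged")

    # Same TCP peer, now carrying a header that names a different address.
    forged = Request(source, {"X-Forwarded-For": "198.51.100.9"})
    bypassed = not lock.is_blocked(forged)

    # Same peer, header naming a third host, followed by failed logins.
    victim = "192.0.2.77"
    for _ in range(MAX_FAILURES):
        lock.record_failure(Request(source, {"X-Forwarded-For": victim}))
    victim_blocked = lock.is_blocked(Request(victim))
    return bypassed, victim_blocked


if __name__ == "__main__":
    print("header-keyed lockout:", simulate(client_ip_insecure))   # (True, True)
    print("peer-keyed lockout:  ", simulate(client_ip_secure))     # (False, False)
```

The trusted-proxy branch is the caveat a practitioner will hit in practice: a server that legitimately sits behind its own reverse proxy sees the proxy as the peer, so it must accept the forwarded address only from that proxy's address and only the entry the proxy itself appended. Anything else in the header is still user input and must not drive blocking decisions.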