IP Restriction Bypass and IP Smuggling
IP-based restrictions on admin-console logins can be bypassed by supplying an X-Forwarded-For header that carries a different IP address, because the application takes the client address from that header rather than from the underlying connection. The same weakness lets a remote user smuggle any IP address they choose into the blocklist, locking out legitimate hosts (denial of service).
Log in to the admin-console repeatedly with bad credentials from one source until that source has been added to the FileMaker Pro blocklist. Then route subsequent connections through a software HTTP proxy (Burp, ZAP, WebScarab, Paros, Charles, etc.) and append an X-Forwarded-For header containing an IP address different from the one you originally connected with to every request; the admin-console is accessible again. To lock out a third-party address instead (the DoS case), set the X-Forwarded-For header to the target IP address and repeat the failed login attempts; the target address, not your own, is what the application adds to the blocklist.
The application should block hosts based on the client address recorded in the request object (the address of the connection peer), not on a user-supplied header field.
DoS, IP restriction bypass
Pull IP address information from the request object that the application creates when a new request comes in, i.e. the socket peer address. Do not use user-supplied values such as X-Forwarded-For for blocking decisions. If the console is legitimately deployed behind a reverse proxy, honour X-Forwarded-For only when the peer is an explicitly configured trusted proxy, and use the entry that proxy appended rather than the leftmost, client-controlled one.
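The following is an added example, not code from the FileMaker admin-console or from the original report. It models the two ways of deciding which address a failed login is charged to: a vulnerable resolver that trusts X-Forwarded-For, and a hardened resolver that uses the socket peer address and consults X-Forwarded-For only when the peer is a configured trusted proxy. The Request class, the three-failure lockout threshold, the proxy address and the client addresses (203.0.113.7, 198.51.100.9, 10.0.0.2) are assumptions constructed for the demonstration; run_scenario replays the bypass and the blocklist-smuggling steps from the report against each resolver.

```python
"""Admin-console login lockout: header-trusting vs. socket-based client identification.

Added example (not FileMaker's code). The Request shape, threshold and
addresses below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Request:
    peer_addr: str                              # TCP peer address taken from the socket
    headers: dict = field(default_factory=dict)  # client-controlled HTTP headers
    password_ok: bool = False                   # constructed: result of the credential check


def client_ip_vulnerable(req: Request) -> str:
    """Vulnerable: believes whatever the client wrote into X-Forwarded-For."""
    xff = req.headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()   # leftmost hop is fully attacker-controlled
    return req.peer_addr


def client_ip_hardened(req: Request, trusted_proxies=frozenset()) -> str:
    """Hardened: use the socket peer address. Only when the peer is a configured
    reverse proxy walk X-Forwarded-For from the right (the end proxies append
    to), skipping trusted proxy hops, and stop at the first untrusted address."""
    peer = req.peer_addr
    if peer not in trusted_proxies:
        return peer
    hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        if not hop or hop in trusted_proxies:
            continue
        try:
            ipaddress.ip_address(hop)   # reject junk such as "evil, 1.2.3.4; DROP"
        except ValueError:
            break
        return hop
    return peer   # nothing usable in the header: fall back to the proxy's own address


class LoginGuard:
    """Blocks an address after MAX_FAILURES failed logins, keyed on resolve_ip()."""
    MAX_FAILURES = 3   # constructed threshold

    def __init__(self, resolve_ip, **resolver_kwargs):
        self.resolve_ip = resolve_ip
        self.resolver_kwargs = resolver_kwargs
        self.failures = {}
        self.blocked = set()

    def attempt(self, req: Request) -> str:
        ip = self.resolve_ip(req, **self.resolver_kwargs)
        if ip in self.blocked:
            return "blocked"
        if req.password_ok:
            self.failures.pop(ip, None)
            return "ok"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= self.MAX_FAILURES:
            self.blocked.add(ip)
        return "failed"


ATTACKER = "203.0.113.7"    # constructed: attacker's real address
VICTIM = "198.51.100.9"     # constructed: address the attacker wants locked out


def run_scenario(resolve_ip, **resolver_kwargs) -> dict:
    """Replays the report's steps; returns the outcome of each probe."""
    guard = LoginGuard(resolve_ip, **resolver_kwargs)
    # Step 1: the attacker fails repeatedly from their real address and is blocked.
    for _ in range(LoginGuard.MAX_FAILURES):
        guard.attempt(Request(ATTACKER))
    direct = guard.attempt(Request(ATTACKER, password_ok=True))
    # Step 2 (bypass): same peer, but the intercepting proxy adds a spoofed header.
    spoofed = guard.attempt(
        Request(ATTACKER, {"X-Forwarded-For": "10.0.0.1"}, password_ok=True))
    # Step 3 (smuggling): failed logins that claim to come from the victim.
    for _ in range(LoginGuard.MAX_FAILURES):
        guard.attempt(Request(ATTACKER, {"X-Forwarded-For": VICTIM}))
    victim = guard.attempt(Request(VICTIM, password_ok=True))
    return {"direct": direct, "spoofed": spoofed, "victim": victim}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(client_ip_vulnerable))
    print("hardened:  ", run_scenario(client_ip_hardened))
```

With the vulnerable resolver the blocked attacker gets "ok" as soon as the header changes, and the victim's own login comes back "blocked" although the victim never failed a login. With the hardened resolver every spoofed request is still charged to 203.0.113.7, so the bypass fails and the victim is unaffected. If the console really sits behind a reverse proxy, pass that proxy's address as trusted_proxies; the resolver then takes the address the proxy appended and still ignores anything the client prepended.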
Thank you for your post.
I have sent your entire post to our Development and Testing departments for review. When I receive any feedback, I will let you know.