IP Restriction Bypass and IP Smuggling
Operating system version
Description of the issue
It is possible to bypass the IP-based lockout on the admin-console login by supplying an X-Forwarded-For header that carries a different IP address. Because the application takes the client address from this user-controlled header, a remote user can also smuggle any IP address they choose into the blocklist, locking that host out of the admin-console (denial of service).
Steps to reproduce the problem
1. Log in to the admin-console repeatedly with bad credentials from one source address until that address is added to the FileMaker Pro blocklist.
2. Route subsequent connections through a software HTTP proxy (Burp, Zed Attack Proxy, WebScarab, Paros, Charles, etc.).
3. Add an X-Forwarded-For header to every HTTP request, containing an IP address other than the one you originally connected from. The lockout no longer applies and the admin-console is accessible again.
To lock out a third party instead (DoS), set X-Forwarded-For to the target's IP address and repeat the failed login attempts; the target address is added to the blocklist even though that host never connected.
The application should base blocking decisions on the source address of the request object that is passed into the application, not on a user-supplied header field.
DoS, IP restriction bypass
Exact text of any error message(s) that appear
Take the client IP address from the request object the application creates when a new request comes in (the address of the connecting peer). Do not use user-supplied values such as X-Forwarded-For for blocking decisions. If the server is deployed behind a reverse proxy, honour X-Forwarded-For only when the connecting peer is that proxy, and use only the address the proxy itself appended.
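The following is an added illustration of both the reported behaviour and the recommended fix; it is not FileMaker code and does not reflect how the admin-console is implemented. A toy login throttle blocklists an address after repeated failed logins. Constructed with trust_forwarded_for=True it reproduces the bypass and the blocklist smuggling from the steps above; with False it applies the fix (peer address only, with X-Forwarded-For accepted solely from a known reverse proxy). The password, lockout threshold and all IP addresses are assumptions made up for the example.

```python
# Added example (not FileMaker code): a toy login throttle that blocklists a
# source address after repeated failed logins. trust_forwarded_for=True
# reproduces the reported flaw; False applies the recommended fix. The
# password, threshold and addresses below are constructed for the example.
from collections import defaultdict

CORRECT_PASSWORD = "hunter2"   # assumed admin-console password
LOCKOUT_THRESHOLD = 3          # assumed; the real threshold is not stated in the report


class LoginThrottle:
    def __init__(self, trust_forwarded_for, trusted_proxies=()):
        self.trust_forwarded_for = trust_forwarded_for   # the flaw: honour the header?
        self.trusted_proxies = set(trusted_proxies)      # reverse proxies we operate
        self.failures = defaultdict(int)
        self.blocklist = set()

    def client_ip(self, remote_addr, headers):
        """Pick the address that identifies the client for block decisions."""
        xff = headers.get("X-Forwarded-For", "")
        if self.trust_forwarded_for and xff:
            # Vulnerable: any client can put any value in this header.
            return xff.split(",")[0].strip()
        if xff and remote_addr in self.trusted_proxies:
            # Behind our own reverse proxy: the proxy appends the peer it saw
            # as the LAST element, so only that element is trustworthy.
            return xff.split(",")[-1].strip()
        # Fixed: the peer address taken from the request object itself.
        return remote_addr

    def attempt_login(self, remote_addr, headers, password):
        ip = self.client_ip(remote_addr, headers)
        if ip in self.blocklist:
            return "blocked"
        if password == CORRECT_PASSWORD:
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= LOCKOUT_THRESHOLD:
            self.blocklist.add(ip)
        return "denied"


ATTACKER = "203.0.113.10"   # constructed addresses (RFC 5737 documentation ranges)
VICTIM = "192.0.2.50"
PROXY = "10.0.0.1"


def bypass_scenario(trust_forwarded_for):
    """Steps 1-3 of the report: get locked out, then add a spoofed header."""
    t = LoginThrottle(trust_forwarded_for)
    for _ in range(LOCKOUT_THRESHOLD):
        t.attempt_login(ATTACKER, {}, "wrong")
    assert ATTACKER in t.blocklist               # lockout has happened
    spoofed = {"X-Forwarded-For": "198.51.100.7"}
    return t.attempt_login(ATTACKER, spoofed, CORRECT_PASSWORD)


def smuggle_scenario(trust_forwarded_for):
    """DoS variant: fail logins while claiming to be the victim's address."""
    t = LoginThrottle(trust_forwarded_for)
    for _ in range(LOCKOUT_THRESHOLD):
        t.attempt_login(ATTACKER, {"X-Forwarded-For": VICTIM}, "wrong")
    # The victim now logs in normally with correct credentials.
    return t.attempt_login(VICTIM, {}, CORRECT_PASSWORD)


def proxied_client_ip():
    """Fixed throttle behind a known proxy: a forged header is still ignored.
    The attacker sends X-Forwarded-For: 198.51.100.7; the proxy appends the
    real peer, so the application sees '198.51.100.7, 203.0.113.10'."""
    t = LoginThrottle(trust_forwarded_for=False, trusted_proxies=[PROXY])
    return t.client_ip(PROXY, {"X-Forwarded-For": "198.51.100.7, " + ATTACKER})


if __name__ == "__main__":
    print("vulnerable bypass:", bypass_scenario(True))    # ok
    print("fixed bypass:", bypass_scenario(False))        # blocked
    print("vulnerable smuggle:", smuggle_scenario(True))  # blocked
    print("fixed smuggle:", smuggle_scenario(False))      # ok
    print("behind trusted proxy:", proxied_client_ip())   # 203.0.113.10
```

With the header trusted, the locked-out attacker logs in successfully and the victim who never connected is blocked; with the fix, the attacker stays blocked and the victim is unaffected. The trusted-proxy branch shows the one situation where X-Forwarded-For is legitimately consulted: the connecting peer is a proxy you control, and only the element that proxy appended is used.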