CVE-2020-35539: WordPress 5.1 has a security flaw that leaks the client IP address in the X-Forwarded-For header.

Where these fields are used to track the source of inbound traffic, as in e-commerce, this flaw could seriously undermine trust in the systems and in the data being collected. For example, if an attacker reaches a website through an inbound attack and the X-Forwarded-For header is used to track the source of the request, the attacker could manipulate the collected data by changing the X-Forwarded-For header to point at some fraudulent server, which could then be used to falsify the data or, worse, to perform a Denial of Service attack against the website. Where some client software uses X-Forwarded-For to track the source of the request instead of the client's original IP address, any application that relies on this data for authorization checks would be vulnerable.

Summary of CVE-2020-35539

A vulnerability in the handling of the X-Forwarded-For header allows attackers to change the apparent source of an incoming request. This in turn allows an attacker to spoof or remove traces of the original attack and to carry out a Denial of Service (DoS) attack against the website.

What is the X-Forwarded-For header?

The X-Forwarded-For header is an HTTP header that contains the IP address of the server to which the request was forwarded by the client's web browser. This field can be used to determine whether an inbound attack came from inside or outside a company's network. A hacker could use it to gain access to protected resources on a website.

For X-Forwarded-For headers to be useful, they need to be handled properly. The header must not be blindly trusted; it should be trusted only once it has been verified as legitimate through other means, such as SSL certificates.
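The difference between blind trust and verified trust, as an added example that is not WordPress code or part of the original page: `naive_client_ip` takes whatever the header says, while `resolve_client_ip` honours X-Forwarded-For only when the request arrives from a known reverse proxy and then reads the right-most hop that is not itself a trusted proxy. The proxy range and the IP addresses in the comments are constructed sample values.

```python
import ipaddress
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed example: the reverse proxies / load balancers that sit in front
# of the application. Only these peers may legitimately append to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _parse_ip(value: str) -> Optional[IPAddr]:
    """Return a parsed address, or None for anything that is not a valid IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted_proxy(ip: IPAddr) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Blind trust: the left-most X-Forwarded-For entry wins, so a client that
    sends the header itself can claim any source address it likes."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def resolve_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Verified trust: use X-Forwarded-For only if the TCP peer is one of our
    proxies, then walk the chain from the right and stop at the first hop that
    is not a trusted proxy. Entries to the left of that hop were supplied by
    the client and are ignored."""
    peer = _parse_ip(remote_addr)
    if peer is None or not _is_trusted_proxy(peer) or not xff:
        # Direct connection (or no header): the socket address is the only fact we have.
        return remote_addr
    for hop in reversed([_parse_ip(h) for h in xff.split(",")]):
        if hop is None:
            # A malformed hop means the chain cannot be trusted; fall back to the peer.
            return remote_addr
        if not _is_trusted_proxy(hop):
            return str(hop)
    # Every hop was one of our own proxies; nothing external to report.
    return remote_addr
```

A request that arrives directly from 198.51.100.77 carrying `X-Forwarded-For: 203.0.113.9` is attributed to 203.0.113.9 by the naive version but to 198.51.100.77 by the verified one; through a trusted proxy at 10.0.0.5, a chain of `1.2.3.4, 203.0.113.9` still resolves to 203.0.113.9 because the client-supplied left-most entry is never reached.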

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 14:54:00 UTC

References