IP Restriction Bypass and IP Smuggling (1 Comment)

Issue report by Joshua Gimer

Product

FileMaker Pro

Version

14.0.2.226

Operating system version

All

Description of the issue

It is possible to bypass IP restrictions when logging into the admin-console by supplying an X-Forwarded-For header with a different IP address. This also allows a remote user to smuggle any IP address they choose into the blacklist using this method, causing DoS.

Steps to reproduce the problem

Login to the admin-console multiple times from one source. Once the system has been added to the FileMaker Pro blocklist, intercept subsequent connections using a software based HTTP proxy (burp, zed, webscarab, paros, charles, etc.). Append an X-Forwareded-For header to all HTTP requests containing a different IP address than the one you originally connected with, you can now access the admin-console. If you supplied an address you wished to have blocked (causing DoS), you will need to append the X-Forwareded-For header with the target IP address and then attempt to login to the application causing lockout.

Expected result

The application should block access to hosts based off of the request object that is passed into the application, not via a user supplied field.

Actual result

DoS, IP restriction bypass

Exact text of any error message(s) that appear

None

Configuration information

None

Workaround

Pull IP address information from the request object that is created by the application when a new request comes in. Do not use user supplied values for blocking decisions.