Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: bt1382.txt

possible issue with IPv4 mapped address and $REMOTE_ADDR in CGI





	because of the difference in http server in handling IPv4 mapped
	address (IPv4 traffic goes into the system into AF_INET6 socket),
	the peer's address passed by $REMOTE_ADDR to CGI script can vary
	between the http server.
	some http server would pass IPv4 mapped address as is (::ffff:10.1.1.1),
	and some http server would pass IPv4 mapped address converted into
	IPv4 address (10.1.1.1).  this complexity could confuse CGI program
	writers and could open up vulnerability if CGI program uses
	$REMOTE_ADDR for authentication.

	solution: do not accept IPv4 traffic by using AF_INET6 socket.  use
	AF_INET socket (http server should listen to AF_INET and AF_INET6
	socket explicitly).  draft-cmetz-v6ops-v4mapped-api-harmful-01.txt
	talks more about this issue.

itojun


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH