ERPNext.com Frappe Cloud Support Partners Foundation

Get IP security bug?

I want to get the IP for the requested service. I can successfully get the ip by using frappe.local.request_ip .
But the ip can be changed by passing a header X-Forwarded-For: <dummy ip> .

This is the test that I did. I can add any value on that header and it will return that value. (The IP is the photo is just a dummy IP.)

UPDATE:
After looking at source code I see that frappe.get_request_header('X-Forwarded-For') is used to get the ip.

Now, when I call this without X-Forwarded-For it returns my real IP.

But if I pass X-Forwarded-For as a header it returns the dummy AND my real IP separated by comma where the Real IP is in the end.

I think this should be fixed IF frappe.get_request_header('X-Forwarded-For') returns the real IP in the end.

Any update on this because I think this is a serious security bug. It can bypass IP restriction.

Hi Aldo

If you have not done so best direct this to Frappe to inform them for review

https://erpnext.com/security/references

https://erpnext.com/security/report?new=1

https://erpnext.com/security

Thanks for sharing!

1 Like

Hi,

Could you try making the changes from this PR to your nginx configuration:

This basically makes NGINX set the IP address instead of letting the user define the IP through the request. This should help fix your issue.

2 Likes

I changed nginx config on /home/frappe/frappe-bench/config/nginx.conf and it is still the same.

Thank You. Reported.

Did you reload the NGINX service after doing so? It should work fine thereafter.

Excellent Chinmay is on the case -

I hope you Frappe folks are well @chinmaypai, I enjoyed Rushabh’s account of your team getaway trek in the mountains :slight_smile:

1 Like

We’re doing well, and we hope you are too :slight_smile:

1 Like