Crystal Shard http-protection IP Spoofing Vulnerability Allowing Middleware Bypass
Vulnerability
An IP spoofing vulnerability has been identified in Crystal Shard http-protection version 0.2.0. The protection middleware derives the client IP address from request headers that the client itself controls. By setting the same spoofed IP address in the X-Forwarded-For, X-Client-IP, and X-Real-IP headers, an attacker can make the middleware evaluate a chosen address instead of the real one, circumvent its checks, and gain unauthorized access.
Impact
Exploitation of this vulnerability can lead to authentication bypass by spoofing, allowing unauthorized access to protected resources or functionalities.
Reproduction
To reproduce this vulnerability, intercept an HTTP request to a protected endpoint and manually set the X-Forwarded-For, X-Client-IP, and X-Real-IP headers to the same spoofed IP address. If the application responds with a 200 OK status, the spoofed address was accepted and the middleware protection was bypassed.
Remediation
It is recommended to modify the IpSpoofing middleware to take the client IP address from the actual socket connection (the TCP peer address) instead of relying on the X-* headers. Alternatively, configure the reverse proxy in front of the application to ignore these client-supplied headers and use the original source address of the request.
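The following is an added illustration of the remediation, not code from the http-protection shard or its author. It contrasts the weak pattern the advisory describes (reading the client IP straight from X-* headers) with a socket-based resolution that only believes X-Forwarded-For when the connection comes from a configured trusted proxy, and adds a check that logs header values contradicting the socket address. All function names, the trusted-proxy ranges and the sample headers are constructed for this example.

```python
import ipaddress
from typing import List, Mapping, Optional, Sequence

# Headers any client can set freely; only a trusted reverse proxy should be believed about them.
FORWARDING_HEADERS = ("X-Forwarded-For", "X-Client-IP", "X-Real-IP")

# Constructed sample: the reproduction scenario, all three headers set to one spoofed address.
SPOOFED_HEADERS = {
    "X-Forwarded-For": "10.0.0.1",
    "X-Client-IP": "10.0.0.1",
    "X-Real-IP": "10.0.0.1",
}


def header_lookup(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def header_trusting_client_ip(headers: Mapping[str, str]) -> Optional[str]:
    """The weak pattern described in the advisory: the client IP is taken from
    attacker-controllable headers, so the sender decides which address is checked."""
    for name in FORWARDING_HEADERS:
        value = header_lookup(headers, name)
        if value:
            # X-Forwarded-For may hold a comma-separated chain; the first entry is the claimed client.
            return value.split(",")[0].strip()
    return None


def socket_based_client_ip(socket_peer: str, headers: Mapping[str, str],
                           trusted_proxies: Sequence[str] = ()) -> str:
    """Hardened resolution: the TCP peer address is authoritative. X-Forwarded-For is
    consulted only when the peer is a trusted reverse proxy, and is then walked from the
    right, skipping trusted hops, to find the last address a trusted party vouched for.
    X-Client-IP and X-Real-IP are never consulted. A direct request always resolves to
    the socket address, whatever its headers claim."""
    peer = ipaddress.ip_address(socket_peer)
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    if not is_trusted(peer):
        return str(peer)

    xff = header_lookup(headers, "X-Forwarded-For") or ""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Right to left: each proxy appends the address it received the request from.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry in a chain we are supposed to trust: stop and fall back
            # to the proxy itself rather than guessing.
            break
        if not is_trusted(addr):
            return str(addr)
    # Every hop was a trusted proxy, or the chain was empty or malformed.
    return str(peer)


def spoof_indicators(socket_peer: str, headers: Mapping[str, str],
                     trusted_proxies: Sequence[str] = ()) -> List[str]:
    """Detection: list forwarding headers whose leading value disagrees with the
    socket-derived client address. On a direct request these values are fabricated;
    behind a trusted proxy they reveal a client that injected its own chain."""
    real_ip = socket_based_client_ip(socket_peer, headers, trusted_proxies)
    findings = []
    for name in FORWARDING_HEADERS:
        value = header_lookup(headers, name)
        if value and value.split(",")[0].strip() != real_ip:
            findings.append(f"{name}={value} (socket peer resolves to {real_ip})")
    return findings


if __name__ == "__main__":
    # Direct request from a constructed peer address carrying the spoofed headers.
    print("header-trusting:", header_trusting_client_ip(SPOOFED_HEADERS))
    print("socket-based:   ", socket_based_client_ip("203.0.113.9", SPOOFED_HEADERS))
    for finding in spoof_indicators("203.0.113.9", SPOOFED_HEADERS):
        print("suspicious header:", finding)
```

The trusted-proxy list is the deployment's own reverse proxies; with it empty, every request resolves to the socket peer, which is the behaviour the remediation asks for when the application is exposed directly.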