Drupal Reverse Proxy Header Improper Input Validation Vulnerability

A vulnerability exists in the Drupal Reverse Proxy Header module, specifically in versions prior to 1.1.2. The issue arises from improper validation of input consistency, allowing manipulation of user-controlled variables. When Drupal Core settings for reverse proxy are enabled, the module fails to handle all scenarios correctly. This flaw can be exploited to spoof the client's IP address as perceived by Drupal, potentially bypassing various controls.

Impact

Exploitation of this vulnerability could lead to an access bypass, allowing attackers to manipulate IP address information and potentially evade security measures that rely on accurate IP data.

Reproduction

To reproduce this vulnerability, ensure that the Drupal Reverse Proxy Header module is installed and activated, with the reverse proxy settings configured. Then, send a request from a non-trusted proxy or server, including a custom header that simulates an IP address. If Drupal logs the spoofed IP address instead of the actual one, the vulnerability is present.

Remediation

Users should upgrade to the latest version 1.1.2 of the Reverse Proxy Header module. After upgrading, verify the Drupal reverse proxy settings to ensure they are configured correctly. This includes checking the 'reverse_proxy' and 'reverse_proxy_addresses' settings in Drupal Core, as well as the 'reverse_proxy_header' and 'reverse_proxy_header_trusted_addresses_ignore' settings in the Reverse Proxy Header module.