PbootCMS IP Address Spoofing Vulnerability in Header Component

Vulnerability

A vulnerability allowing IP address spoofing has been identified in PbootCMS versions through 3.2.12. The issue arises in the 'get_user_ip' function within 'core/function/handle.php', part of the Header Handler component: the function accepts the client-supplied 'X-Forwarded-For' HTTP header as the request's source address without checking that the request actually arrived through a trusted proxy. This allows remote attackers to set an arbitrary value in that header and bypass IP-based security measures such as login attempt restrictions and IP blacklists or whitelists.

Impact

Exploitation of this vulnerability allows attackers to spoof IP addresses, bypassing login attempt restrictions and IP-based access controls. This could lead to unauthorized access and manipulation of IP-based security logs.

Reproduction

To reproduce this vulnerability, send a request to the target server with a spoofed 'X-Forwarded-For' header. This can be done using a tool like cURL. First, verify that the server is accessible and not behind a properly configured reverse proxy. Then, send a request to the admin login endpoint with a spoofed IP address in the 'X-Forwarded-For' header. This will bypass the login lockout mechanism and allow unlimited login attempts.

Remediation

No specific mitigation is known for this vulnerability. However, it is recommended to add a trusted proxy configuration, so that 'X-Forwarded-For' is honoured only for connections arriving from known reverse proxies, or to use 'REMOTE_ADDR' instead of the header for security-critical functions.
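The following PHP is an added example, not PbootCMS's own code. It places the naive header-trusting pattern the advisory describes beside a hardened resolver that honours 'X-Forwarded-For' only when the TCP peer ('REMOTE_ADDR') is in a configured trusted-proxy list, and otherwise falls back to 'REMOTE_ADDR'; the $trustedProxies list is an assumed operator setting, not a PbootCMS option.

```php
<?php
// Added example, not PbootCMS code. Assumes $trustedProxies is the operator's
// list of reverse-proxy addresses or CIDRs (hypothetical configuration).
// Weak pattern the advisory describes: the header is trusted unconditionally,
// so any client can pick the address that lockouts and blacklists will see.
function get_user_ip_naive(array $server): string
{
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    return $xff !== '' ? trim(explode(',', $xff)[0]) : ($server['REMOTE_ADDR'] ?? '0.0.0.0');
}

// True if $ip lies inside $cidr (IPv4 or IPv6; a bare address means /32 or /128).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $a = @inet_pton($ip);
    $b = @inet_pton($subnet);
    if ($a === false || $b === false || strlen($a) !== strlen($b)) {
        return false;
    }
    $bits = $bits === null ? strlen($a) * 8 : min((int) $bits, strlen($a) * 8);
    $full = intdiv($bits, 8);
    if (substr($a, 0, $full) !== substr($b, 0, $full)) {
        return false;
    }
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // partial-byte mask, unused when bits % 8 == 0
    return $bits % 8 === 0 || (ord($a[$full]) & $mask) === (ord($b[$full]) & $mask);
}

// Hardened version: honour X-Forwarded-For only when the TCP peer is a trusted proxy,
// then walk the chain right to left and stop at the first hop that is not ours.
function get_user_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    $trusted = fn(string $ip): bool =>
        array_reduce($trustedProxies, fn($hit, $cidr) => $hit || ip_in_cidr($ip, $cidr), false);
    if (!$trusted($remote) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote; // direct connection: the header is client-controlled input
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed chain: fall back rather than guess
        }
        if (!$trusted($hops[$i])) {
            return $hops[$i]; // first untrusted hop is the real client; anything prepended is ignored
        }
    }
    return $remote; // the whole chain was our own proxies
}
```

With an empty $trustedProxies list the hardened function always returns 'REMOTE_ADDR', which is the safe default for a server not behind a reverse proxy.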

Added: Dec 28, 2025, 9:17 PM
Updated: Dec 28, 2025, 9:17 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 5.0
exploitability: 9.7
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.