EmpireSoft EmpireCMS
cpe:2.3:a:phome:empirecms:*:*:*:*:*:*:*
- <= 8.0
A vulnerability allowing IP address spoofing has been identified in EmpireCMS versions through 8.0. This issue arises in the 'egetip' function within 'e/class/connect.php', part of the IP Address Handler component. The function consults the request headers 'HTTP_CLIENT_IP' (Client-IP) and 'HTTP_X_FORWARDED_FOR' (X-Forwarded-For) before falling back to 'REMOTE_ADDR'. The two headers are set by whoever sends the request, whereas 'REMOTE_ADDR' is the address of the TCP peer as seen by the web server and cannot be chosen by the HTTP client. As a result, a remote attacker can supply an arbitrary IP address, bypass IP-based access controls, and falsify the IP addresses recorded in security logs and database tables.
Exploitation of this vulnerability allows an attacker to bypass IP-based login attempt limits and so evade brute-force protection, since each attempt can be attributed to a different spoofed address. It also allows falsification of IP addresses in security and audit logs, which complicates forensic investigation, and bypassing of IP whitelist or blacklist restrictions and IP-based rate limits.
To reproduce this vulnerability, first clear any existing login failure records. Then send a login request to the EmpireCMS admin login page with either a 'Client-IP' or an 'X-Forwarded-For' header carrying the IP address to be spoofed. After the login attempt, check the 'phome_enewsloginfail' database table: the spoofed address is recorded instead of the actual client IP.
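The following is an added illustration, not code from EmpireCMS, of the header precedence described above next to a hardened variant. The function names 'egetip_vulnerable' and 'egetip_hardened', the '$trusted_proxies' parameter and the sample request arrays are assumptions made for the example; the hardened function is one common pattern for handling forwarded addresses, not a vendor fix.

```php
<?php
// Added illustration, not EmpireCMS source. Function names, the
// $trusted_proxies parameter and the sample requests are assumptions.

// Vulnerable pattern: client-supplied headers are consulted before
// REMOTE_ADDR, so the sender of the request chooses the recorded IP.
function egetip_vulnerable(array $server): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key]) && strcasecmp($server[$key], 'unknown') !== 0) {
            return $server[$key];
        }
    }
    return '';
}

// Hardened pattern: REMOTE_ADDR is the socket peer set by the web server and
// cannot be forged by the HTTP client. X-Forwarded-For is honoured only when
// the peer is a known reverse proxy, and only the rightmost hop that was not
// appended by a trusted proxy is used, after validation as an IP literal.
function egetip_hardened(array $server, array $trusted_proxies = []): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    if (!in_array($peer, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Direct client, or no forwarding chain: the peer address is the client.
        return $peer;
    }
    // XFF is "client, proxy1, proxy2": walk from the right, skipping trusted hops.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trusted_proxies, true)) {
            return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $peer;
        }
    }
    return $peer;
}

// Constructed request 1: attacker connects directly from 203.0.113.7 and
// sends "Client-IP: 10.0.0.1" with the login attempt.
$direct_spoof = [
    'REMOTE_ADDR'    => '203.0.113.7',
    'HTTP_CLIENT_IP' => '10.0.0.1',
];

// Constructed request 2: attacker sends "X-Forwarded-For: 10.0.0.1" through
// a trusted reverse proxy (192.0.2.10), which appends the real client address.
$via_proxy = [
    'REMOTE_ADDR'          => '192.0.2.10',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.9',
];
$trusted = ['192.0.2.10'];

printf("direct, vulnerable: %s\n", egetip_vulnerable($direct_spoof));
printf("direct, hardened:   %s\n", egetip_hardened($direct_spoof, $trusted));
printf("proxy,  vulnerable: %s\n", egetip_vulnerable($via_proxy));
printf("proxy,  hardened:   %s\n", egetip_hardened($via_proxy, $trusted));
```

Run with 'php' from the command line. For both constructed requests the vulnerable function returns the attacker-chosen 10.0.0.1, which is what would land in 'phome_enewsloginfail'; the hardened function returns the real peer 203.0.113.7 for the direct request and 198.51.100.9, the hop appended by the trusted proxy, for the proxied one. The hardened variant only works when the trusted-proxy list is accurate and the proxy overwrites or appends to X-Forwarded-For rather than passing the client's header through unchanged.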
No known mitigation is available for this vulnerability.