Bulwark Webmail X-Forwarded-For Header Trust Vulnerability Allowing Rate Limit Bypass and Audit Log Forgery
Vulnerability
A vulnerability in Bulwark Webmail prior to version 1.4.11 allows an attacker to spoof the source IP address the application attributes to a request. The getClientIP() function in lib/admin/session.ts derived the client address from the first entry of the X-Forwarded-For header, a header any client can set to an arbitrary value. Because proxies conventionally append their peer's address to this header rather than replacing it, the leftmost entry is whatever the original client supplied. An attacker could therefore bypass IP-based rate limiting on the admin login by rotating the header value between brute-force attempts, and could forge audit log entries so that malicious activity appears to originate from an IP address of their choosing. All users of versions prior to 1.4.11 who use the admin interface with rate limiting or audit logging enabled are affected.
Impact
Exploitation of this vulnerability lets an attacker bypass IP-based rate limits and brute-force admin accounts, and lets them forge the source address recorded in audit log entries, misattributing malicious activity to an IP address of their choosing.
Remediation
Users are advised to upgrade to Bulwark Webmail version 1.4.11 or later. Deployments whose admin interface is not reachable from untrusted networks are less exposed, but upgrading is still recommended. Operators running the application behind a reverse proxy should also confirm that the proxy overwrites or appends to X-Forwarded-For rather than passing a client-supplied value through unchanged, since an application-side fix can only be as trustworthy as the proxy entries it relies on.
