it-securitynotifies - [IT-SecNots] [Security-news] Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111
  • Date: Wed, 24 Sep 2025 17:28:06 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=dm8pDFc+; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org E06E661108
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 2711781088
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-111

Project: Reverse Proxy Header [1]
Date: 2025-September-24
Security risk: *Less critical* 8 ∕ 25
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: <1.1.2
CVE IDs: CVE-2025-10929
Description: 
This module allows you to specify an HTTP header name to determine the
client's IP address.

The module does not sufficiently handle all cases when the Drupal core
setting $settings['reverse_proxy'] is set to TRUE and
$settings['reverse_proxy_addresses'] is configured.

This vulnerability allows an attacker to spoof the request IP address (as
Drupal sees it), potentially bypassing any control that relies on the client
IP.

Solution: 
To resolve this issue, sites must both upgrade and confirm their settings.

Install the latest version, 1.1.2. [3]

Check your settings:
- $settings['reverse_proxy'] (Drupal Core setting);
- $settings['reverse_proxy_addresses'] (Drupal Core setting);
- $settings['reverse_proxy_header'] (this module setting);
- $settings['reverse_proxy_header_trusted_addresses_ignore'] (this module
setting introduced in this release).

This security release does not affect your Drupal instance if any of the
following is true:
- $settings['reverse_proxy'] is not set or is set to FALSE;
- $settings['reverse_proxy_header'] is not set or is set to FALSE;
- $settings['reverse_proxy_addresses'] is not set or is set to an empty
array.

This security release may affect your Drupal instance if all of the
following are true:
- $settings['reverse_proxy'] is set to TRUE;
- $settings['reverse_proxy_header'] is set;
- $settings['reverse_proxy_addresses'] is configured.
If your configuration meets all three criteria simultaneously, you need to
verify how Drupal determines the client IP address.

*How to verify:*

It can be checked by sending a request from a host that is not a trusted
proxy (one that is not listed in $settings['reverse_proxy_addresses']),
replacing X-REVERSE-PROXY-HEADER-NAME with the header name configured in
$settings['reverse_proxy_header']:

  curl -I -H "X-REVERSE-PROXY-HEADER-NAME: 8.8.8.8" your-hostname/some-path

If Drupal records the real address of the host you sent the request from
(check, for example, the client IP shown in the dblog report), everything
works as expected.

If Drupal records the client IP address as 8.8.8.8, the header was honoured
although it did not come from a trusted proxy: check your
$settings['reverse_proxy_addresses'] and/or review the documentation in the
README file about $settings['reverse_proxy_header_trusted_addresses_ignore'].
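The point behind both the description and the curl check above is the trust decision on the forwarded-IP header: a header is only evidence about the client if the TCP peer that delivered it is one of your own proxies. The following is an added example written for this page, not code from the Reverse Proxy Header module or from Drupal core (core hands $settings['reverse_proxy_addresses'] to Symfony's trusted-proxy handling); the names client_ip_naive, client_ip_trusted, spoof_succeeds and TRUSTED_PROXIES, and the addresses used, are constructed for illustration. It puts the vulnerable pattern beside the hardened one and reproduces the advisory's check offline: the header carrying 8.8.8.8 arrives from a peer that is not a trusted proxy, and only the naive resolver reports 8.8.8.8.

```python
# Added example (not module or Drupal core code): a model of how a
# reverse-proxy client-IP header should and should not be trusted.
# All names and addresses below are constructed for illustration.
import ipaddress
from typing import Callable, Iterable, Optional

# Constructed sample deployment: the load-balancer range and one extra proxy
# that may set the forwarded-IP header (stands in for
# $settings['reverse_proxy_addresses']).
TRUSTED_PROXIES = ["10.0.0.0/8", "192.0.2.10"]


def _parse_ip(value: str):
    """Return an ip_address object, or None if the text is not an IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(ip, trusted_nets) -> bool:
    return any(ip in net for net in trusted_nets)


def client_ip_naive(remote_addr: str, header_value: Optional[str],
                    trusted_proxies: Iterable[str]) -> str:
    """Vulnerable pattern: believe the header no matter which peer sent it.

    trusted_proxies is accepted only so both resolvers share a signature;
    this function never consults it, which is exactly the flaw.
    """
    if header_value:
        first_hop = header_value.split(",")[0]
        if _parse_ip(first_hop) is not None:
            return first_hop.strip()
    return remote_addr


def client_ip_trusted(remote_addr: str, header_value: Optional[str],
                      trusted_proxies: Iterable[str]) -> str:
    """Hardened pattern: the header counts only if the TCP peer is a trusted
    proxy; hops are then peeled off from the right until the first address
    that is not one of our proxies, which is the real client."""
    trusted_nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = _parse_ip(remote_addr)
    # A direct client (or an unknown proxy) may put anything in the header:
    # ignore it and use the socket address.
    if peer is None or not _is_trusted(peer, trusted_nets) or not header_value:
        return remote_addr
    hops = [_parse_ip(h) for h in header_value.split(",")]
    if any(h is None for h in hops):
        return remote_addr          # malformed chain: fail closed
    for hop in reversed(hops):      # rightmost entry was appended by the nearest proxy
        if not _is_trusted(hop, trusted_nets):
            return str(hop)
    return str(hops[0])             # every hop is ours: leftmost is the client


def spoof_succeeds(resolver: Callable[..., str],
                   trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> bool:
    """Offline version of the advisory's curl check: an untrusted peer
    (constructed address 203.0.113.7) injects the header with 8.8.8.8.
    True means the resolver reported 8.8.8.8, i.e. the spoof worked."""
    return resolver("203.0.113.7", "8.8.8.8", trusted_proxies) == "8.8.8.8"


if __name__ == "__main__":
    for name, fn in (("naive", client_ip_naive), ("trusted", client_ip_trusted)):
        print(f"{name:8} spoof from untrusted peer succeeds: {spoof_succeeds(fn)}")
    # Legitimate path: the request arrives via a trusted proxy that appended
    # the real client (198.51.100.4) after whatever the client sent.
    print(client_ip_trusted("10.1.2.3", "8.8.8.8, 198.51.100.4", TRUSTED_PROXIES))
```

Run as a script it prints True for the naive resolver and False for the hardened one. The hardened resolver also shows what happens when the header legitimately arrives through a trusted proxy: an attacker-supplied leading value is skipped because the proxy appended the real client address to the right of it, and a chain containing a non-IP token falls back to the socket address rather than guessing.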

*Recommendation:*

Although configuring $settings['reverse_proxy_addresses'] (a Drupal core
setting) is not required, it is always preferred, because it restricts which
peers are allowed to supply the client-IP header.

Reported By: 
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security
Team

Fixed By: 
* Bohdan Artemchuk (bohart) [5]
* Drew Webber (mcdruid) [6] of the Drupal Security Team
* Pierre Rudloff (prudloff) [7] provisional member of the Drupal Security
Team

Coordinated By: 
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
* Pierre Rudloff (prudloff) [10] provisional member of the Drupal Security
Team

------------------------------------------------------------------------------
Contribution record [11]

[1] https://www.drupal.org/project/reverse_proxy_header
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/reverse_proxy_header/releases/1.1.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/bohart
[6] https://www.drupal.org/u/mcdruid
[7] https://www.drupal.org/u/prudloff
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://www.drupal.org/u/prudloff
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3548500

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19+.
