Bug 83976 - www-proxy/squid: minor information disclosure: client IP address visible
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
Whiteboard: jaervosz
Reported: 2005-03-03 10:25 UTC by Casper Gasper
Modified: 2005-03-08 08:01 UTC
Description Casper Gasper 2005-03-03 10:25:15 UTC
The default squid.conf sets forwarded_for to on, allowing remote websites to see the local client's IP address. Squid adds an "X-Forwarded-For: {Client IP}" header to each HTTP request.

Setting forwarded_for off by default would be nice.



Reproducible: Always
Steps to Reproduce:
1. Visit a website that shows your local IP address, e.g. http://www.grc.com/
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-03 10:36:15 UTC
www-proxy please advise.
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2005-03-03 11:28:46 UTC
I've modified files/squid-2.5.9-gentoo.diff.

Though it is a pertinent request, I don't perceive this as a security problem. At most, it could be perceived as a privacy issue.

In my opinion, it should be marked as fixed.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-03-08 08:01:09 UTC
Marked as fixed, in squid-2.5.9
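
A check for the setting discussed in this bug, as an added example that is not part of the original report or of the Gentoo patch: it reports the effective forwarded_for value in a squid.conf and flags a captured request whose X-Forwarded-For header carries an address. The function names, the sample files and the rule that the last uncommented occurrence wins are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): audit squid.conf for forwarded_for.
# Assumptions: the last uncommented "forwarded_for" line wins, and a missing
# directive means "on", the default behaviour this report describes.

effective_forwarded_for() {   # $1 = path to squid.conf; prints on/off/...
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        $1 == "forwarded_for" && NF >= 2 { v = tolower($2) }
        END { print (v == "" ? "on" : v) }
    ' "$1"
}

audit_squid_conf() {          # returns 0 only when the client IP is withheld
    v=$(effective_forwarded_for "$1")
    if [ "$v" = "off" ]; then
        echo "OK   $1: forwarded_for off"
        return 0
    fi
    echo "WARN $1: forwarded_for $v, client IP goes upstream in X-Forwarded-For"
    return 1
}

xff_has_ip() {                # $1 = request headers as the origin server saw them
    grep -i '^X-Forwarded-For:' "$1" | grep -Eq '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# Constructed sample inputs (not taken from any real system).
SAMPLES=$(mktemp -d)
printf '%s\n' 'http_port 3128' '# forwarded_for off' > "$SAMPLES/default.conf"
printf '%s\n' 'http_port 3128' 'forwarded_for on' 'forwarded_for off' > "$SAMPLES/fixed.conf"
printf '%s\r\n' 'GET / HTTP/1.0' 'Host: www.example.org' \
    'X-Forwarded-For: 192.168.0.23' > "$SAMPLES/seen.txt"

for f in "$SAMPLES"/*.conf; do audit_squid_conf "$f" || true; done
xff_has_ip "$SAMPLES/seen.txt" && echo "WARN seen.txt: X-Forwarded-For carries an address"
```

The commented-out directive in the first sample is deliberately ignored, so that file is reported with the default of on.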