summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorjim-p <jimp@pfsense.org>2010-07-09 09:19:03 -0400
committerjim-p <jimp@pfsense.org>2010-07-09 09:19:03 -0400
commitf17f9f2891b459e3f119ced5857469b96c57dde9 (patch)
tree4adfdb5e850a275fa741f3836a1330d23faaec04
parent35c9cd4463738ebfc07aa6099ebb8bd54e10434b (diff)
downloadpfsense-f17f9f2891b459e3f119ced5857469b96c57dde9.zip
pfsense-f17f9f2891b459e3f119ced5857469b96c57dde9.tar.gz
Bypass the DNS Rebind attack checks if accessing by IP address.
-rw-r--r--etc/inc/auth.inc18
1 files changed, 2 insertions, 16 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index d0b261a..504b241 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -60,8 +60,8 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][
} else {
$http_host = $_SERVER['HTTP_HOST'];
}
- if(($http_host == "localhost" or $_SERVER['SERVER_ADDR'] == "localhost") or
- ($http_host == "127.0.0.1" or $_SERVER['SERVER_ADDR'] == "127.0.0.1"))
+ if(is_ipaddr($http_host) or $_SERVER['SERVER_ADDR'] == "127.0.0.1" or
+ $http_host == "localhost" or $_SERVER['SERVER_ADDR'] == "localhost")
$found_host = true;
if($config['dyndnses']['dyndns'])
foreach($config['dyndnses']['dyndns'] as $dyndns)
@@ -80,20 +80,6 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][
$http_host == $config['system']['hostname'])
$found_host = true;
- /* Check against locally configured IP addresses, which will catch when someone
- port forwards WebGUI access from WAN to an internal IP on the router. */
- if ($found_host == false) {
- global $FilterIflist;
- if (empty($FilterIflist)) {
- require_once('filter.inc');
- require_once('shaper.inc');
- filter_generate_optcfg_array();
- }
- foreach ($FilterIflist as $iflist)
- if($iflist['ip'] == $http_host)
- $found_host = true;
- }
-
if($found_host == false) {
display_error_form("501", "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding");
exit;
OpenPOWER on IntegriCloud