It is quite trivial to make the remoteIp field map to something other than the REMOTE_ADDR header. Adding the following to `app/etc/di.xml` will allow you to use HTTP_X_FORWARDED_FOR as the header you're interested in. With this change a customer can spoof their X-Forwarded-For header and inject JavaScript which will run when an admin views the order in the admin panel.
```xml
<type name="Magento\Framework\HTTP\PhpEnvironment\RemoteAddress">
    <arguments>
        <argument name="alternativeHeaders" xsi:type="array">
            <item name="http_x_forwarded_for" xsi:type="string">HTTP_X_FORWARDED_FOR</item>
        </argument>
    </arguments>
</type>
```
A developer may decide to make this change at some point when they want to force all calls to `RemoteAddress::getRemoteAddress()` to use X_FORWARDED_FOR instead. Maybe they're working on a plugin that requires it, and have many proxies between the customer and the Magento server.
This vulnerability isn't in the wild for M2 as it requires specific developer changes, but I know the plugin ecosystem for M1 had many strange modules; this small change should help protect us from future laziness/craziness.
Either way, this is easily preventable. Simply escaping the output with `$block->escapeHtml()` will do the trick.
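To make the data flow concrete, here is an added stand-alone PHP illustration (not Magento's code): a simplified stand-in for `RemoteAddress::getRemoteAddress()` with the alternative-header configuration applied, the unescaped template output beside the escaped one, and an assumed extra check that rejects non-IP values before they are stored.

```php
<?php
// Simplified stand-in for Magento\Framework\HTTP\PhpEnvironment\RemoteAddress
// with the di.xml change applied: alternative headers are consulted before
// REMOTE_ADDR. The real class also splits comma-separated lists; this does not.
function getRemoteAddress(array $server, array $alternativeHeaders): ?string
{
    foreach ($alternativeHeaders as $header) {
        if (!empty($server[$header])) {
            return $server[$header];
        }
    }
    return $server['REMOTE_ADDR'] ?? null;
}

// Stand-in for $block->escapeHtml() as used in a .phtml template.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: the client-controlled proxy header carries markup
// instead of an address, while REMOTE_ADDR is the genuine peer address.
$server = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '<b>not-an-ip</b>',
];

$remoteIp = getRemoteAddress($server, ['HTTP_X_FORWARDED_FOR']);

// Unescaped: the markup reaches the admin's browser as markup.
echo '<td>' . $remoteIp . "</td>\n";

// Escaped, as in the fix: the same value is rendered as inert text.
echo '<td>' . escapeHtml($remoteIp) . "</td>\n";

// Assumed additional defence (not part of the fix above): only persist the
// value on the order if it is actually an IP address.
$stored = filter_var($remoteIp, FILTER_VALIDATE_IP) ?: null;
var_dump($stored);
```

Output escaping is the fix the PR applies; validating the value at storage time is an independent layer that also keeps garbage out of the order record.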