[Bug]: waline fake any ip vulnerability #785
Comments
As far as I know, there is no way to get the user IP from the client trustworthily. And

Can we get the remoteIP and ban the remoteIp together? If necessary, ban all the IPs in

(I majored in physics, though), but I had a NRCE 3 test. A TCP connection needs a 3-way handshake, so at least the remoteIP cannot be faked in my mind. Are there any difficulties blocking it? (Such as not being able to get it in Node?) Or are there side effects doing that?

This vulnerability is usually caused by a misconfiguration on the server side. Because IP frequency limits depend on obtaining the correct IP, how to obtain the correct IP, rather than IPQPS, is the fundamental solution to the problem. It's easy to fake X-Forwarded-For, and it should be used with great care. Get the client IP for the direct TCP connection using RemoteAddr. Software maintainers have provided a solution to this vulnerability. There is nothing we can do about it on Vercel. But we should be able to block these requests on a self-hosted env. (#792 (reply in thread)) In self-host mode, we can set maxIpsCount to the proxy server layers to get a real IP. (#792 (reply in thread))

Here's another way to do it.

There is no more information here, so I will close it. If you have other solutions, please leave a message below.

Describe the bug
waline-fake-any-ip-poc
A proof-of-concept for the recently found Waline fake-any-IP vulnerability.
In this repository we have made an example vulnerable application and a proof-of-concept (PoC) exploit of it.
Proof-of-concept (POC)
As a PoC we have created a python file that automates the process.
Requirements:
Usage:
Source:
Result:
Our vulnerable application
waline deploy:
data store:
get started:
https://waline.js.org/guide/get-started.html
Influence
IP-based comment-posting frequency limits (IPQPS) may be rendered useless.
This vulnerability can be used to fake the IP address and bypass the IP frequency limit of the comment system software (Waline), so that the comment system administrator cannot accurately obtain the IP address of the sender.
Reason
This vulnerability is usually caused by a misconfiguration on the server side.
References
Exploit in the field
According to the GitHub issues of the Waline project, from July 18 to July 20, 2021, an attacker bombarded all websites using Waline by posting spam comments with faked IP addresses, so it is speculated that this vulnerability has been exploited in the field.
Solutions
Software maintainers have provided a solution to this vulnerability.
There is nothing we can do about it on Vercel. But we should be able to block these requests on a self-hosted env. (#792 (reply in thread))
In self-host mode, we can set maxIpsCount to the proxy server layers to get a real IP. https://koajs.com/#settings (#792 (reply in thread))
Disclaimer
This repository is not intended to be a one-click exploit for the Waline fake-any-IP vulnerability. The purpose of this project is to help people learn about this vulnerability, and perhaps test their own applications.
Our team will not aid, or endorse any use of this exploit for malicious activity, thus if you ask for help you may be required to provide us with proof that you either own the target service or you have permissions to pentest on it.
LICENSE
Website URL
https://waline.js.org
Where is your Waline deployed?
Vercel (Default)
Where is your comment data stored?
LeanCloud(https://leancloud.app)
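The right-to-left trust rule behind the maxIpsCount advice in the Solutions section, as an added example in plain JavaScript that is not Waline's or Koa's own code; the request objects, the parseXff/clientIpNaive/clientIpHardened/countByIp names and the sample addresses are constructed for illustration.

```javascript
// Added example (not Waline's or Koa's code): how a Koa-style app turns
// X-Forwarded-For into "the client IP", and why maxIpsCount closes the hole.
// The header is "client, proxy1, proxy2, ...": each proxy appends the peer it
// saw, so only the rightmost entries were written by proxies you control;
// anything further left is text the sender chose.

function parseXff(req) {
  const xff = req.headers['x-forwarded-for'];
  return xff ? xff.split(',').map(s => s.trim()).filter(Boolean) : [];
}

// Naive: trust the whole header and take the leftmost entry. A sender who
// writes the header picks the value the IPQPS limiter keys on.
function clientIpNaive(req) {
  return parseXff(req)[0] || req.remoteAddress;
}

// Hardened, mirroring Koa's app.proxy = true with app.maxIpsCount = N: keep
// only the last N entries (appended by your own N proxy layers) and use the
// first of them. With no proxy in front (N = 0) the header is ignored and the
// TCP peer address, which the sender cannot choose, is used instead.
function clientIpHardened(req, trustedProxies) {
  if (trustedProxies <= 0) return req.remoteAddress;
  const trusted = parseXff(req).slice(-trustedProxies);
  return trusted[0] || req.remoteAddress;
}

// Stand-in for an IP-keyed frequency counter (IPQPS): hits per resolved IP.
function countByIp(requests, resolveIp) {
  const counts = {};
  for (const req of requests) {
    const ip = resolveIp(req);
    counts[ip] = (counts[ip] || 0) + 1;
  }
  return counts;
}

// Constructed sample: one reverse proxy at 10.0.0.2 fronts the app. The same
// client, 198.51.100.7, sends three requests with different forged leading
// entries; the proxy appends 198.51.100.7 before handing each one on.
const sampleRequests = ['203.0.113.9', '203.0.113.10', '203.0.113.11'].map(fake => ({
  headers: { 'x-forwarded-for': `${fake}, 198.51.100.7` },
  remoteAddress: '10.0.0.2',
}));

const naiveCounts = countByIp(sampleRequests, clientIpNaive);                   // 3 "clients", 1 hit each
const hardenedCounts = countByIp(sampleRequests, r => clientIpHardened(r, 1));  // 1 client, 3 hits
```

N must equal the real number of proxy layers in front of the app: setting it higher than that re-admits sender-supplied entries, and setting it to 0 behind a proxy makes every request look like it came from the proxy.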