Bug #1583
closed
IPv6 IPs with :: trigger DNS rebinding
Added by Chris Buechler over 13 years ago.
Updated over 12 years ago.
Affected Version:
2.1-IPv6
Description
When browsing to an IPv6 IP containing :: the DNS rebinding check is triggered as the :: causes part of the IP to be dropped before it's checked.
On line 66 in auth.inc, [2101:170:f2f2:1::2] becomes only 2101:170:f2f2:1: where it should be 2101:170:f2f2:1::2.
I currently cannot replicate this on my local install but it has not been synced for a few weeks. Also, this install uses an alternate port number for the webui.
Confirmed that without an alternate port you do in fact trigger a DNS rebinding attack.
Found another gem related to this.
The changes have been applied successfully.
One moment...redirecting to http://[2001/system_advanced_admin.php in 20 seconds.
Note that the IP address here is incorrect.
- Status changed from New to Feedback
Committed patches for both rebind and referrer checks.
Added patch for redirect url.
- Status changed from Feedback to Resolved
Considering this resolved.
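The truncation described in this ticket, as an added example that is not pfSense's auth.inc code: `host_naive()` is an assumed illustration (stripping a "port" at the last colon) that yields the reported `2101:170:f2f2:1:` and also shows why an alternate port hides the problem, while `host_bracket_aware()` parses the bracketed literal first. Both function names and the sample Host values are constructed for this example.

```php
<?php
// Added example; function names are hypothetical, not taken from auth.inc.

// Assumed naive logic: everything after the last ':' is a port.
function host_naive(string $http_host): string {
    $pos  = strrpos($http_host, ':');
    $host = ($pos === false) ? $http_host : substr($http_host, 0, $pos);
    return trim($host, '[]');
}

// Bracket-aware logic: an IPv6 literal ends at ']', and only a ':' after
// that bracket can introduce a port. Returns null for malformed input.
function host_bracket_aware(string $http_host): ?string {
    if ($http_host !== '' && $http_host[0] === '[') {
        $end = strpos($http_host, ']');
        if ($end === false) {
            return null;                       // unterminated literal
        }
        $addr = substr($http_host, 1, $end - 1);
        $rest = substr($http_host, $end + 1);  // "" or ":port"
        if ($rest !== '' && !preg_match('/\A:\d{1,5}\z/', $rest)) {
            return null;                       // junk after the bracket
        }
        if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
            return null;                       // not a valid IPv6 address
        }
        return strtolower($addr);
    }
    // Hostname or IPv4 literal with an optional port.
    $parts = explode(':', $http_host);
    if (count($parts) > 2 || (count($parts) === 2 && !ctype_digit($parts[1]))) {
        return null;                           // e.g. unbracketed IPv6
    }
    return strtolower($parts[0]);
}

// Constructed Host header values, using the address from the description.
$samples = [
    '[2101:170:f2f2:1::2]',       // default port: naive result is truncated
    '[2101:170:f2f2:1::2]:8443',  // alternate port: naive result looks fine
    'fw.example.test:8443',
];
foreach ($samples as $h) {
    printf("%-28s naive=%-20s aware=%s\n", $h, host_naive($h),
        var_export(host_bracket_aware($h), true));
}
```

Whatever host string the parser returns should be the same value compared against the allowed-hostname list in both the rebind and referrer checks, so the two cannot disagree about which address was requested.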