
Nonce check fail using reverse proxy

  • @thomasbf

    Participant

    I set up a server on a non-standard port that is receiving requests from a reverse proxy. This setup is causing the bbp nonce check to fail.

    This is the function bbp_verify_nonce_request in bbp-common-functions.php.
    I'm not a PHP programmer, but it looks like this is caused by:

    if ( empty( $result ) || empty( $action ) || ( strpos( $requested_url, $home_url ) !== 0 ) )

    Here the system compares $requested_url and $home_url; however, these are not identical in a reverse proxy setting, because the request is going to the internal server, while home_url contains the URL of the external web server.
    Does this make sense?
    To verify the theory I just removed the comparison of the URLs, like this:

    if ( empty( $result ) || empty( $action ) )

    Now it works, but I hope that I did not open a security issue.
    Can I kindly ask for advice on how to better set the system to avoid the issue?
    Thanks!

Viewing 6 replies - 1 through 6 (of 6 total)
  • @zaerl

    Participant

    WordPress and bbPress use $_SERVER['HTTP_HOST'] here and there, and this is a bad thing if a reverse proxy is involved.

    If you are using Apache mod_proxy use:

    http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypreservehost

    If you’re an nginx guy go with:

    proxy_set_header Host $http_host;

    Also check if you are using HTTP_X_FORWARDED_HOST in the correct way, in order to get the “real” IP address of the request.

    Do not touch bbp_verify_nonce_request.

    @johnjamesjacoby

    Keymaster

    This does make sense, but opens up a security hole in the process. The purpose of this function is to make sure that requests go to the same place they came from, and you’re basically removing that part of it completely.

    I put a filter on the $requested_url variable for 2.2; it will allow people with this type of configuration to swap out the URL contents, essentially setting your own match criteria.

    What @zaerl says still holds completely true, however. Handling this at the server level should be the first thing you do.

    @thomasbf

    Participant

    Thanks so much for your kind advice.
    Solving it on the proxy host as proposed by @zaerl is most likely the best way; however, the reverse proxy is running on a shared web hosting system, and I just have a web interface to enter the forwarding address. I'll check, but maybe it's not possible to apply the parameters suggested by @zaerl.
    Maybe there is a chance HTTP_X_FORWARDED_HOST is set; then I could use
    something like this (??):

    $request_host = ! empty( $_SERVER['HTTP_X_FORWARDED_HOST'] ) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER['HTTP_HOST'];

    (sorry if this is the wrong syntax, but I don't know PHP)
    I'll have a look at 2.2 once it's released. Maybe this is also helpful.
    BTW: Isn't a nonce check usually done using a cryptographic hash (token)? I wonder whether here you just check HTTP header attributes? Is this a strong check?

    @johnjamesjacoby

    Keymaster

    The result of the nonce check comes from WordPress's function wp_verify_nonce().

    It does the token check like you’re looking for.

    @thomasbf

    Participant

    Was offline for a week and finally found some time to give it a try. I used the code below to use HTTP_X_FORWARDED_HOST, if it's provided, in the function bbp_verify_nonce_request, so I do not skip any checks this way.

    function bbp_verify_nonce_request( $action = '', $query_arg = '_wpnonce' ) {

        // Get the home URL
        $home_url = strtolower( home_url() );

        // Build the currently requested URL. Prefer the host the reverse proxy
        // forwarded (X-Forwarded-Host) over the backend's own Host header; use
        // isset() so a missing header does not raise an undefined-index notice.
        // Note: this header is only meaningful when the proxy itself sets it.
        $scheme        = is_ssl() ? 'https://' : 'http://';
        $request_host  = ! empty( $_SERVER['HTTP_X_FORWARDED_HOST'] ) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER['HTTP_HOST'];
        $requested_url = strtolower( $scheme . $request_host . $_SERVER['REQUEST_URI'] );

        // Check the nonce token itself
        $result = isset( $_REQUEST[ $query_arg ] ) ? wp_verify_nonce( $_REQUEST[ $query_arg ], $action ) : false;

        // Nonce check failed, or the request was not made against the home URL
        if ( empty( $result ) || empty( $action ) || ( strpos( $requested_url, $home_url ) !== 0 ) ) {
            $result = false;
        }

        // Do extra things
        do_action( 'bbp_verify_nonce_request', $action, $result );

        return $result;
    }

    @johnjamesjacoby

    Keymaster

    I added a filter called 'bbp_verify_nonce_request_url' into bbPress 2.2 to address this.

    A few other resources worth reading:

    https://core.trac.wordpress.org/ticket/16858
    https://core.trac.wordpress.org/ticket/18944
    https://core.trac.wordpress.org/ticket/17168#comment:15
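The filter named in the reply above can be used from a small plugin to make bbPress compare the host the visitor actually asked for, instead of the backend's internal host, while keeping the same-origin check intact. The code below is an added example for this thread, not bbPress's own code and not something either participant posted. It assumes a filter signature of one argument (the URL bbPress built), and the trusted proxy address in $trusted_proxies is a constructed placeholder that must be replaced with the real internal address of the reverse proxy. Unlike the unconditional X-Forwarded-Host fallback discussed earlier in the thread, it only honours that header when the request's TCP peer is the proxy, because any client talking to the backend directly can send the header with whatever value it likes.

```php
<?php
/*
 * Plugin Name: bbPress nonce URL behind a reverse proxy (added example)
 *
 * Added example for this support thread, not bbPress code. Hooks the
 * 'bbp_verify_nonce_request_url' filter so that the URL bbPress compares
 * against home_url() carries the public host forwarded by the proxy.
 */

function example_bbp_proxy_request_url( $requested_url ) {
	// Constructed placeholder: the internal address(es) the reverse proxy connects from.
	$trusted_proxies = array( '10.0.0.5' );

	$remote_addr    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	$forwarded_host = isset( $_SERVER['HTTP_X_FORWARDED_HOST'] ) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : '';

	// Any client can send X-Forwarded-Host, so honour it only when the peer is the
	// proxy itself; a request that reached the backend directly keeps the original URL.
	if ( '' === $forwarded_host || ! in_array( $remote_addr, $trusted_proxies, true ) ) {
		return $requested_url;
	}

	// With several proxies the header may be a comma-separated chain; the first
	// entry is the host the original client requested.
	$hosts       = explode( ',', $forwarded_host );
	$public_host = strtolower( trim( $hosts[0] ) );

	// Accept only a plausible hostname[:port]; anything else is ignored.
	if ( ! preg_match( '/^[a-z0-9.-]+(:[0-9]{1,5})?$/', $public_host ) ) {
		return $requested_url;
	}

	// Swap only the host component; scheme and path stay as bbPress built them.
	$parts = parse_url( $requested_url );
	if ( empty( $parts['host'] ) ) {
		return $requested_url;
	}
	$internal_host = $parts['host'] . ( isset( $parts['port'] ) ? ':' . $parts['port'] : '' );

	return str_replace( '://' . $internal_host, '://' . $public_host, $requested_url );
}
add_filter( 'bbp_verify_nonce_request_url', 'example_bbp_proxy_request_url' );
```

Drop the file into wp-content/mu-plugins (or activate it as a normal plugin) on the backend server. Because the filter runs after wp_verify_nonce() has already validated the token, the strpos() comparison against home_url() still takes place; the plugin only changes which host name takes part in it, and it changes nothing for requests that did not arrive through the listed proxy.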
