Описание
1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers
Summary
The server trusts all reverse-proxy headers by default, so any remote client can spoof X-Forwarded-For to bypass IP-based protections (AllowIPs, API IP whitelist, “localhost-only” checks). All IP-based access control becomes ineffective.
Details
-
Gin is created with defaults (
gin.Default()), which setsTrustedProxies = 0.0.0.0/0and usesX-Forwarded-For/X-Real-IPto computeClientIP(). -
IP-based controls rely on
ClientIP():- AllowIPs / BindDomain (core/middleware/ip_limit.go, core/utils/security/security.go).
- API IP whitelist (core/middleware/api_auth.go).
- "localhost-only" checks that depend on
ClientIP().
-
Because no trusted-proxy range is enforced, any client can send
X-Forwarded-For: 127.0.0.1(or a whitelisted IP) and be treated as coming from that address.
Impact
All IP-based access control is rendered ineffective: remote clients can masquerade as localhost or any whitelisted IP, defeating AllowIPs, API IP whitelists, and “localhost-only” protections.
Пакеты
github.com/1Panel-dev/1Panel
< 2.0.14
2.0.14
github.com/1Panel-dev/1Panel/agent
< 0.0.0-20251201063338-94f7d78cc976
0.0.0-20251201063338-94f7d78cc976
Связанные уязвимости
1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.14 and below use Gin's default configuration which trusts all IP addresses as proxies (TrustedProxies = 0.0.0.0/0), allowing any client to spoof the X-Forwarded-For header. Since all IP-based access controls (AllowIPs, API whitelists, localhost-only checks) rely on ClientIP(), attackers can bypass these protections by simply sending X-Forwarded-For: 127.0.0.1 or any whitelisted IP. This renders all IP-based security controls ineffective. This issue is fixed in version 2.0.14.