CVE-2022-23556:
CodeIgniter4 allows spoofing of IP address when using proxy

CVSS Score: 7.0 (CVSS 3.1)

Basic Information

EPSS Score: 0.21404%
Published: 12/22/2022
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Package Name            Ecosystem   Vulnerable Versions   First Patched Version
codeigniter4/framework  composer    < 4.2.11              4.2.11

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from how getIPAddress() resolved the client address when the application sits behind a proxy. Pre-patch versions accepted $proxyIPs as a plain list of proxy addresses (an array or a comma-separated string) that said nothing about which header each proxy sets. The method then walked a fixed list of candidate headers (X-Forwarded-For, Client-IP, etc.) and used the first one present, without tying any header to the specific proxy trusted to set it. Because a client can send any of those headers in its own request, and a proxy that appends to X-Forwarded-For leaves the client-supplied entry in place, an attacker reaching the application through the reverse proxy could choose the address getIPAddress() reported. Commit 5ca8c99 changed $proxyIPs to require an explicit proxy-IP-to-header mapping, so that only the header set by the matching trusted proxy is consulted, and added validation checks that were previously missing.


WAF Protection Rules

WAF Rule

### Impact
This vulnerability may allow attackers to spoof their IP address when your server is behind a reverse proxy.

### Patches
Upgrade to v4.2.11 or later, and configure `Config\App::$proxyIPs`.

### Workarounds
Do not use `$request->getIPAddress()`.
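As an added illustration of the header lookup described in the root cause analysis and of the `Config\App::$proxyIPs` change that the Patches section refers to, the following PHP models both behaviours side by side. It is example code written for this page, not CodeIgniter's implementation: the function names, the proxy address 10.0.1.200, the constructed requests and the rightmost-entry choice in the hardened version are assumptions, and the framework's CIDR subnet matching is omitted.

```php
<?php
declare(strict_types=1);

// Added example, not CodeIgniter's code. Models the pre-4.2.11 lookup
// (fixed header list, leftmost value) beside a mapping-based lookup in the
// shape 4.2.11 introduced. Function names, sample requests and the proxy
// address 10.0.1.200 are assumptions; CIDR matching is omitted.

/**
 * Pre-4.2.11 shape: $proxyIPs is a list (array or comma-separated string)
 * and the first candidate header present in the request is trusted.
 */
function resolveClientIpOld(array $server, $proxyIPs): string
{
    if (!is_array($proxyIPs)) {
        $proxyIPs = explode(',', str_replace(' ', '', $proxyIPs));
    }
    $remote = $server['REMOTE_ADDR'];
    if (!in_array($remote, $proxyIPs, true)) {
        return $remote;
    }
    $candidates = ['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP'];
    foreach ($candidates as $key) {
        if (!isset($server[$key])) {
            continue;
        }
        // Leftmost entry: exactly what a client can plant in its own request.
        $first = trim(explode(',', $server[$key])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $remote;
}

/**
 * 4.2.11 shape: $proxyIPs maps each trusted proxy address to the single
 * header that proxy sets, so a header the client chose is never consulted.
 * Taking the rightmost entry (the one an appending proxy wrote last) is
 * this example's choice, not a claim about the framework's code.
 */
function resolveClientIpNew(array $server, array $proxyIPs): string
{
    $remote = $server['REMOTE_ADDR'];
    foreach ($proxyIPs as $proxyIP => $header) {
        if ($proxyIP !== $remote) {
            continue;
        }
        $key = 'HTTP_' . strtoupper(str_replace('-', '_', $header));
        if (!isset($server[$key])) {
            return $remote;
        }
        $parts = array_map('trim', explode(',', $server[$key]));
        $last  = end($parts);
        return filter_var($last, FILTER_VALIDATE_IP) !== false ? $last : $remote;
    }
    return $remote;
}

// Constructed requests (assumed values). The client at 203.0.113.10 plants
// 127.0.0.1 in X-Forwarded-For; the proxy at 10.0.1.200 appends the real
// connecting address behind it.
$viaAppendingProxy = [
    'REMOTE_ADDR'          => '10.0.1.200',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 203.0.113.10',
];
// A proxy that only sets X-Real-IP, while the client sends X-Forwarded-For.
$viaRealIpProxy = [
    'REMOTE_ADDR'          => '10.0.1.200',
    'HTTP_X_REAL_IP'       => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
];
// Same spoof attempt, but the client connects directly (no trusted proxy).
$direct = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
];

$oldConfig     = '10.0.1.200';                        // pre-4.2.11: plain list
$newConfigXff  = ['10.0.1.200' => 'X-Forwarded-For']; // 4.2.11+: proxy => header
$newConfigReal = ['10.0.1.200' => 'X-Real-IP'];

printf("old, appending proxy: %s\n", resolveClientIpOld($viaAppendingProxy, $oldConfig));
printf("new, appending proxy: %s\n", resolveClientIpNew($viaAppendingProxy, $newConfigXff));
printf("old, X-Real-IP proxy: %s\n", resolveClientIpOld($viaRealIpProxy, $oldConfig));
printf("new, X-Real-IP proxy: %s\n", resolveClientIpNew($viaRealIpProxy, $newConfigReal));
printf("old, direct:          %s\n", resolveClientIpOld($direct, $oldConfig));
printf("new, direct:          %s\n", resolveClientIpNew($direct, $newConfigXff));
```

The two proxy cases are where the old lookup reports the planted 127.0.0.1 while the mapped lookup reports the connecting client; the direct case is unchanged because neither version trusts a header from an address that is not a configured proxy. Note that the mapping alone does not help if the proxy forwards a client-supplied header untouched instead of overwriting or appending to it, so the proxy configuration has to be checked alongside `Config\App::$proxyIPs`.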
