
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The vulnerability (GHSA-xffp-6w68-4775) affects the Zend\Http\PhpEnvironment\RemoteAddress class in Zend Framework versions 2.2.0 to 2.2.5. The class determines the client IP address of proxied requests from the X-Forwarded-For header, taking a configured list of trusted proxy server IPs into account. The issue was discovered and disclosed on October 31, 2013, and concerns the framework's failure to properly validate the proxy trust relationship (Zend Advisory).
The defect is that the RemoteAddress class did not check whether the IP address in PHP's $_SERVER['REMOTE_ADDR'] was itself in the trusted proxy list before consulting the header. According to the IETF draft specification, if $_SERVER['REMOTE_ADDR'] is not a trusted proxy, it must be treated as the originating IP address and the X-Forwarded-For header value must be disregarded. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High), with attack vector Network, attack complexity Low, and no privileges or user interaction required (GitHub Advisory).
The vulnerability allows remote address spoofing: an attacker can manipulate the origin address the application perceives for a request. This can bypass IP-based security controls and lead to unauthorized access to protected resources. The impact is to the integrity of IP address validation; there is no direct confidentiality or availability impact (GitHub Advisory).
The vulnerability was patched in version 2.2.5 of Zend Framework. The fix modifies the RemoteAddress class to return the value of $_SERVER['REMOTE_ADDR'] immediately when it is not in the list of trusted proxy servers, without examining the X-Forwarded-For header. Users are recommended to upgrade to version 2.2.5 or later, especially if they use the RemoteAddr Zend\Session validator and configure trusted proxies (Zend Advisory).
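The following is an added example, not Zend Framework's own code: a simplified model of the RemoteAddress logic that places the pre-2.2.5 behaviour next to the corrected behaviour described above. The class and method names (RemoteAddressResolver, resolveVulnerable, resolveFixed) are assumptions chosen for this illustration, and the $server arrays in demo() are constructed inputs rather than captured traffic.

```php
<?php
declare(strict_types=1);

// Added example, not Zend Framework's own code. A simplified model of the
// RemoteAddress logic that puts the pre-2.2.5 behaviour next to the
// corrected one. Class and method names are assumptions chosen for this
// illustration; the $server arrays in demo() are constructed inputs.

final class RemoteAddressResolver
{
    /** @var string[] Addresses of proxies trusted to set X-Forwarded-For. */
    private array $trustedProxies;

    /** @param string[] $trustedProxies */
    public function __construct(array $trustedProxies)
    {
        $this->trustedProxies = $trustedProxies;
    }

    /**
     * Pre-2.2.5 behaviour: the header is consulted whenever it is present,
     * without first checking that REMOTE_ADDR is a trusted proxy. A client
     * connecting directly can therefore choose its apparent origin.
     */
    public function resolveVulnerable(array $server): ?string
    {
        if (isset($server['HTTP_X_FORWARDED_FOR'])) {
            $ip = $this->clientFromForwardedFor($server['HTTP_X_FORWARDED_FOR']);
            if ($ip !== null) {
                return $ip;
            }
        }
        return $server['REMOTE_ADDR'] ?? null;
    }

    /**
     * Fixed behaviour (as in 2.2.5): when REMOTE_ADDR is not a trusted
     * proxy it is the originating address, and the header is ignored.
     */
    public function resolveFixed(array $server): ?string
    {
        $remote = $server['REMOTE_ADDR'] ?? null;
        if ($remote === null || !in_array($remote, $this->trustedProxies, true)) {
            return $remote;
        }
        if (isset($server['HTTP_X_FORWARDED_FOR'])) {
            $ip = $this->clientFromForwardedFor($server['HTTP_X_FORWARDED_FOR']);
            if ($ip !== null) {
                return $ip;
            }
        }
        return $remote;
    }

    /**
     * Right-most entry of X-Forwarded-For that is not a trusted proxy;
     * null when every entry is a trusted proxy or the header is empty.
     */
    private function clientFromForwardedFor(string $header): ?string
    {
        $ips = array_map('trim', explode(',', $header));
        $ips = array_values(array_diff($ips, $this->trustedProxies));
        if ($ips === []) {
            return null;
        }
        return $ips[count($ips) - 1];
    }
}

/** Runs two constructed requests through both resolvers and returns the results. */
function demo(): array
{
    $resolver = new RemoteAddressResolver(['10.0.0.5']);

    // Legitimate request arriving through the trusted proxy.
    $viaProxy = [
        'REMOTE_ADDR'          => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
    ];
    // Direct request whose sender added its own X-Forwarded-For header.
    $direct = [
        'REMOTE_ADDR'          => '198.51.100.9',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
    ];

    return [
        'via_proxy' => [
            'vulnerable' => $resolver->resolveVulnerable($viaProxy),
            'fixed'      => $resolver->resolveFixed($viaProxy),
        ],
        'direct' => [
            'vulnerable' => $resolver->resolveVulnerable($direct),
            'fixed'      => $resolver->resolveFixed($direct),
        ],
    ];
}

print_r(demo());
```

For the request that arrives through the trusted proxy, both resolvers agree on the forwarded client address. For the direct request, the vulnerable resolver reports the loopback address supplied in the header, which is exactly the value an IP allowlist or the RemoteAddr session validator would then act on, while the fixed resolver returns the actual peer address because it is not a trusted proxy. The check that makes the difference is the early return at the top of resolveFixed, which is the essence of the 2.2.5 change.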
Source: This report was generated using AI