PT-2024-40188 · Silverstripe · Silverstripe

Published: 2024-05-23 · Updated: 2024-05-23

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SilverStripe (affected versions not specified)
Description: The issue allows HTTP headers to be spoofed, which can lead to several security problems, including bypassing IP restrictions and SSL enforcement. The cause is that SilverStripe trusts certain HTTP headers by default, which malicious actors can exploit unless proper precautions are taken. The impact includes Director::forceSSL() not being enforced, SS_HTTPRequest->getIP() returning an incorrect IP address, and spoofed hostnames circumventing restrictions in SilverStripe Controllers.
Recommendations: To mitigate this issue, follow the instructions in "Secure Coding: Request hostname forgery" to opt in to the necessary protections. If your website is not behind a reverse proxy and you are using Apache with mod_env enabled, you may already be protected: check that your .htaccess file contains the line SetEnv BlockUntrustedIPs true. Consider limiting trusted IPs via the SS_TRUSTED_PROXY_IPS constant to reduce the risk of spoofed requests. As a temporary workaround, consider configuring your proxy to explicitly unset invalid HTTP headers from connecting clients, so that spoofed headers are not passed through trusted proxies.
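The principle behind the SS_TRUSTED_PROXY_IPS mitigation is that forwarded headers are honoured only when the TCP peer (REMOTE_ADDR) is a proxy the operator has explicitly listed. The following PHP is an added illustration of that rule and is not SilverStripe's own code: the function names, the IPv4/CIDR list format, and all addresses and header values are constructed for the example. It resolves the same sample request once with a weak "trust everyone" list and once with a single trusted proxy, so the difference in the resulting client IP, host and scheme is visible.

```php
<?php
// Illustrative trusted-proxy check (added example; not SilverStripe's own code).
// Forwarded headers (X-Forwarded-For / -Host / -Proto) are honoured only when
// REMOTE_ADDR is in the operator-supplied trusted proxy list.
declare(strict_types=1);

/**
 * True if $ip falls inside any entry of $trusted.
 * Entries are IPv4 addresses or IPv4 CIDR ranges (assumed format for this example;
 * check your framework's documentation for the format it actually accepts).
 */
function ipIsTrustedProxy(string $ip, array $trusted): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;
    }
    foreach ($trusted as $entry) {
        [$net, $bits] = array_pad(explode('/', trim($entry), 2), 2, '32');
        $netLong = ip2long($net);
        if ($netLong === false) {
            continue;
        }
        $bits = (int) $bits;
        $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
        if (($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve client IP, host and scheme, using forwarded headers only when the
 * direct peer is trusted; otherwise fall back to the socket-level values.
 *
 * @param array<string,string> $server         subset of $_SERVER (constructed below)
 * @param string[]             $trustedProxies e.g. SS_TRUSTED_PROXY_IPS split on ','
 */
function resolveRequestOrigin(array $server, array $trustedProxies): array
{
    $peer    = $server['REMOTE_ADDR'] ?? '';
    $trusted = ipIsTrustedProxy($peer, $trustedProxies);

    $clientIp = $peer;
    $host     = $server['HTTP_HOST'] ?? '';
    $scheme   = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';

    if ($trusted) {
        if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
            // Leftmost entry is the original client as reported by the proxy chain.
            $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
            if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
                $clientIp = $first;
            }
        }
        if (!empty($server['HTTP_X_FORWARDED_HOST'])) {
            $host = trim(explode(',', $server['HTTP_X_FORWARDED_HOST'])[0]);
        }
        if (!empty($server['HTTP_X_FORWARDED_PROTO'])) {
            $scheme = strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https' ? 'https' : 'http';
        }
    }

    return [
        'ip'      => $clientIp,
        'host'    => $host,
        'scheme'  => $scheme,
        'trusted' => $trusted,
    ];
}

// Constructed sample: a client that is NOT the configured reverse proxy, but
// sends forwarded headers claiming an internal address, host and HTTPS.
$sample = [
    'REMOTE_ADDR'            => '203.0.113.10',
    'HTTP_HOST'              => 'www.example.com',
    'HTTP_X_FORWARDED_FOR'   => '10.0.0.5',
    'HTTP_X_FORWARDED_HOST'  => 'admin.internal.example',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];

// Weak configuration: every peer counts as a trusted proxy (headers trusted by default).
$weak = resolveRequestOrigin($sample, ['0.0.0.0/0']);
// Hardened configuration: only the real reverse proxy (constructed address) is trusted.
$hardened = resolveRequestOrigin($sample, ['192.0.2.1']);

printf("weak:     ip=%s host=%s scheme=%s\n", $weak['ip'], $weak['host'], $weak['scheme']);
printf("hardened: ip=%s host=%s scheme=%s\n", $hardened['ip'], $hardened['host'], $hardened['scheme']);
```

With the weak list the spoofed values flow straight into the IP, host and scheme decisions that forceSSL(), getIP() and host-based Controller restrictions depend on; with the hardened list the socket-level values win and the forwarded headers are ignored. Keep the trusted list limited to the addresses of the proxies actually in front of the site.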

Fix

Related Identifiers

GHSA-87PF-7X99-5XC4

Affected Products

Silverstripe