Nextcloud server implements IP address-based blocking as its protection against brute-force attacks.
The source IP address is obtained through the getRemoteAddress() function.
From lib/public/IRequest.php:

```php
public function getRemoteAddress(): string {
    // Direct peer address as seen by the web server.
    $remoteAddress = isset($this->server['REMOTE_ADDR']) ? $this->server['REMOTE_ADDR'] : '';
    $trustedProxies = $this->config->getSystemValue('trusted_proxies', []);

    // Only consult forwarding headers when the direct peer is a configured trusted proxy.
    if (\is_array($trustedProxies) && $this->isTrustedProxy($trustedProxies, $remoteAddress)) {
        $forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', [
            'HTTP_X_FORWARDED_FOR'
            // only have one default, so we cannot ship an insecure product out of the box
        ]);

        foreach ($forwardedForHeaders as $header) {
            if (isset($this->server[$header])) {
                // The header is a comma-separated chain; the first valid entry is returned.
                foreach (explode(',', $this->server[$header]) as $IP) {
                    $IP = trim($IP);

                    // remove brackets from IPv6 addresses
                    if (str_starts_with($IP, '[') && str_ends_with($IP, ']')) {
                        $IP = substr($IP, 1, -1);
                    }

                    if (filter_var($IP, FILTER_VALIDATE_IP) !== false) {
                        return $IP;
                    }
                }
            }
        }
    }

    // No trusted proxy in front, or no usable forwarded entry: fall back to the peer address.
    return $remoteAddress;
}
```
When trusted_proxies is configured and the request arrives from one of those proxies, the IP address is taken from the first valid entry of the X-Forwarded-For header.
Because that header is supplied by the client, a request carrying an X-Forwarded-For value in valid IP format is attributed to that address rather than to the real source, which makes it possible to bypass the brute-force protection.
The Throttler\sleepDelay function applies a response delay per source address. With a client-chosen X-Forwarded-For value in valid IP format, the delay no longer accumulates against the real source, so the brute-force protection is bypassed and an attacker can brute-force the login.
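To make the selection rule concrete, here is an added Python model of the two strategies (not Nextcloud's code): the leftmost-valid-entry rule quoted above, and a hardened rule that walks the header from the right and skips every trusted proxy, so only the address appended by the operator's own proxy is honoured. The $_SERVER values, proxy range and client addresses are constructed for the example.

```python
import ipaddress

def is_trusted(ip, trusted):
    """True if ip matches an entry of trusted_proxies (plain address or CIDR)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    for entry in trusted:
        if "/" in entry:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif addr == ipaddress.ip_address(entry):
            return True
    return False

def parse_forwarded_for(value):
    """Split a comma-separated X-Forwarded-For value into valid IPs, dropping junk."""
    ips = []
    for raw in value.split(","):
        ip = raw.strip()
        if ip.startswith("[") and ip.endswith("]"):
            ip = ip[1:-1]  # bracketed IPv6 literal
        try:
            ips.append(str(ipaddress.ip_address(ip)))
        except ValueError:
            continue
    return ips

def remote_address_leftmost(server, trusted):
    """Models the selection in getRemoteAddress() above: first valid entry wins."""
    remote = server.get("REMOTE_ADDR", "")
    if not is_trusted(remote, trusted):
        return remote
    ips = parse_forwarded_for(server.get("HTTP_X_FORWARDED_FOR", ""))
    return ips[0] if ips else remote

def remote_address_rightmost_untrusted(server, trusted):
    """Hardened selection: from the right, skip trusted proxies, keep the first other hop."""
    remote = server.get("REMOTE_ADDR", "")
    if not is_trusted(remote, trusted):
        return remote
    for ip in reversed(parse_forwarded_for(server.get("HTTP_X_FORWARDED_FOR", ""))):
        if not is_trusted(ip, trusted):
            return ip
    return remote

# Constructed request: proxy 10.0.0.5 appended the real client 198.51.100.9 to a
# header value the client had already set to 203.0.113.77 before sending.
TRUSTED = ["10.0.0.0/8"]
SERVER = {"REMOTE_ADDR": "10.0.0.5",
          "HTTP_X_FORWARDED_FOR": "203.0.113.77, 198.51.100.9"}
```

The hardened rule only holds if every proxy in the path is listed in trusted_proxies and appends to the header rather than passing it through untouched; a proxy outside that list reopens the same spoofing path.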