Vulnerability in EPiServer.Forms
I've been looking at the recent blog post about using visitor groups with a CDN and the X-Forwarded-For (XFF) header. After experimenting with a code-based implementation, I came across the implementation of IClientIPAddressResolver, which pulls the header/expected proxy count from config. The default implementation also appears to correctly address the XFF client IP spoofing scenario according to the defined configuration.
Please can we have the criteria pack changed to also use this interface? This would allow us to detect the actual client IP rather than a proxy's IP.
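The proxy-count approach the post refers to, as an added illustration written for this page (it is not EPiServer's IClientIPAddressResolver nor code from the original thread). It assumes each trusted proxy (CDN, load balancer) appends exactly one address to X-Forwarded-For and that `expectedProxyCount` is the operator-configured number of such proxies; the header name and class name are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net;

// Hypothetical helper: resolves the real client IP from X-Forwarded-For by
// trusting only the entries appended by a known number of proxies.
public static class ForwardedClientIp
{
    public static IPAddress Resolve(string xff, IPAddress remoteAddress, int expectedProxyCount)
    {
        // No proxies in front of us: the socket peer is the client, ignore the header.
        if (expectedProxyCount <= 0 || string.IsNullOrWhiteSpace(xff))
            return remoteAddress;

        var hops = xff.Split(',')
                      .Select(h => h.Trim())
                      .Where(h => h.Length > 0)
                      .ToArray();

        // Fewer entries than configured proxies: the request did not travel the
        // expected chain, so fall back to the connecting address.
        if (hops.Length < expectedProxyCount)
            return remoteAddress;

        // The last expectedProxyCount entries were written by trusted proxies; the
        // first of those is the address the outermost proxy saw, i.e. the client.
        // Anything further left was supplied by the client and is ignored.
        var candidate = hops[hops.Length - expectedProxyCount];
        return IPAddress.TryParse(candidate, out var ip) ? ip : remoteAddress;
    }

    public static void Main()
    {
        var cdn = IPAddress.Parse("198.51.100.9");        // constructed sample: CDN edge
        var spoofed = "6.6.6.6, 203.0.113.7";             // client-sent "6.6.6.6", CDN appended the real client
        Console.WriteLine(Resolve(spoofed, cdn, 1));      // 203.0.113.7, not the client-supplied 6.6.6.6
        Console.WriteLine(Resolve("6.6.6.6", cdn, 2));    // 198.51.100.9 (too few hops, header not trusted)
    }
}
```

With the proxy count set to 0 the header is ignored entirely, which is the safe default when no CDN sits in front of the site.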