Is Caddy susceptible to confusion attack? #6521

Open
aglossa opened this issue Aug 16, 2024 · 1 comment

aglossa commented Aug 16, 2024

On his blog, the well-known pentester Orange Tsai shows a new class of attacks on modular web servers. His target was Apache httpd and he quickly discovered 9 vulnerabilities that are serious if not critical.

Caddy is written in Go, which removes all the memalloc issues (the reason that drove me to it).
However, the problem here is the chaining of multiple modules that don't completely share the semantics of the data structure representing the web request, particularly the mapping between URL and filename.

How does Caddy's main developer (mholt) view Caddy's current situation through this lens?
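
The kind of disagreement the comment above describes, as an added example that is not part of the original issue and is not Caddy code: two request-handling stages read the same path with different semantics, next to a variant where the path is canonicalized once and both stages consume that value. The function names, the `/admin/` rule, the `/srv/www` root and the sample paths are all constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// All names, the /admin/ rule and the paths below are constructed for this example.

// Stage 1 (hypothetical): access rule matched against the raw request path.
func aclAllowsRaw(reqPath string) bool {
	return !strings.HasPrefix(reqPath, "/admin/")
}

// Stage 2 (hypothetical): file mapper that resolves dot segments before lookup.
func mapToFile(root, reqPath string) string {
	return path.Join(root, path.Clean("/"+reqPath))
}

// stagesDisagree reports requests that stage 1 allows but stage 2 maps under /admin.
func stagesDisagree(reqPath string) bool {
	c := path.Clean("/" + reqPath)
	return aclAllowsRaw(reqPath) && (c == "/admin" || strings.HasPrefix(c, "/admin/"))
}

// serveHardened canonicalizes once; the rule and the mapper consume the same value.
func serveHardened(root, reqPath string) (string, bool) {
	c := path.Clean("/" + reqPath)
	if c == "/admin" || strings.HasPrefix(c, "/admin/") {
		return "", false
	}
	return path.Join(root, c), true
}

func main() {
	for _, p := range []string{"/public/index.html", "/public/../admin/secret.txt"} {
		file, ok := serveHardened("/srv/www", p)
		fmt.Printf("%-30s rawACL=%-5v mapped=%-28s disagree=%-5v hardened=%q,%v\n",
			p, aclAllowsRaw(p), mapToFile("/srv/www", p), stagesDisagree(p), file, ok)
	}
}
```

A check like `stagesDisagree` can also be run over access logs to flag requests where the raw and canonical forms of a path fall under different rules.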

Member

mholt commented Aug 16, 2024

There's a lot to unpack in that article... it will take me some time to go through it all...
