Status of security vulnerabilities? #349

Closed
mdbraber opened this issue Jul 8, 2024 · 12 comments
Labels: need triage, question (Further information is requested)

Comments

mdbraber commented Jul 8, 2024

In September 2023 several security vulnerabilities were reported - almost all of them are still open at this time:

#266 IP Spoofing via X-Forwarded-For Header (severity: medium)
#267 Referer-Based Header XSS (severity: medium)
#268 Open Redirection Vulnerability (severity: medium)
#269 X-Forwarded-Host Header Manipulation (severity: medium)
#270 X-Forwarded-Proto Header Manipulation (severity: low)
#271 2FA Bypass by Brute-Forcing Verification Codes (severity: low)
#272 Lack of User Session Invalidation on Logout (severity: low)
#273 Stored XSS in admin panel triggerable by CSRF (severity: high)
#274 No CSRF Mitigation in Caddy Security Admin Panel
#275 ReadFileBytes panics when a provided path is empty

https://github.com/search?q=repo%3Agreenpau%2Fcaddy-security%20is%3Aissue%20is%3Aopen%20label%3Asecurity%20&type=issues

@ahpaleus reported these and wrote a report here https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/. The report mentions that @greenpau indicated there were no near-term plans to act on these vulnerabilities.

I thoroughly appreciate all the work a maintainer like @greenpau is doing as a FOSS maintainer on building caddy-security. At the same time I'm wondering what is the likeliness caddy-security could be considered safe enough to use in a (semi)production environment to secure sensitive information. @greenpau do you have any ideas / suggestions on how to assess these issues?

Thanks for considering!

@mdbraber mdbraber added need triage question Further information is requested labels Jul 8, 2024
gedw99 commented Jul 9, 2024

Thanks for raising this.

Spoke too soon. I see the Severity against each one. Thanks for adding that!!

greenpau (Owner) commented Jul 9, 2024

@mdbraber, the majority of these vulnerabilities are not directly related to the plugin. They are something that you would harden yourself. For example, you can configure caddy to drop/block X headers.

> ReadFileBytes panics when a provided path is empty

if one considers the above a security vulnerability … lol

greenpau (Owner) commented Jul 9, 2024

> Stored XSS in admin panel triggerable by CSRF

@mdbraber, the admin panel was completely rebuilt. That issue is not valid.

greenpau (Owner) commented Jul 9, 2024

@mdbraber, more importantly … do you see the people who reported these vulnerabilities being engaged? It is like a 10-person team. Ask yourself the reason they reported it. Are they working for someone looking to undermine caddy server? These are hired guns.

From their website. Apparently, I need to hire them to fix the bugs they found.

[image]

greenpau (Owner) commented Jul 9, 2024

@mdbraber, take a look at these.

> #266 IP Spoofing via X-Forwarded-For Header (severity: medium)
> #269 X-Forwarded-Host Header Manipulation (severity: medium)
> #270 X-Forwarded-Proto Header Manipulation (severity: low)

Say you can spoof an X- header (I spoof the User Agent header), what would that give you? What is the impact? Why is spoofing X-Forwarded-Host medium and X-Forwarded-Proto low?

greenpau (Owner) commented Jul 9, 2024

@mdbraber, thank you for raising this issue. It helps refresh memory around the issue. I try my best to patch what I see is valid. For example, please see my comment here: #268 (comment).

dguido commented Jul 9, 2024

Hey @greenpau, as we mentioned in the blog post, we reviewed your software because we were considering using it. We're not working for anyone else, and we weren't asked to review it by anyone else. Also, we are a 125-person team.

We reported these vulnerabilities to you privately first, but you responded that you wouldn't be fixing them. As is standard for the security community, we then put out an advisory to help users of this software be aware and mitigate these security issues through other means.

The writeup on our blog clearly articulates a patching strategy for each bug, including both short and long-term fixes. I would encourage you to help set up efforts to solicit patches and remediation efforts along those lines.

-Dan (the CEO)

greenpau (Owner) commented Jul 9, 2024

> Also, we are a 125 person team.

@dguido, that's what I mean. You have a large team of individuals. If you wanted to fix something, commit resources and fix it. Filing nonsense like “ReadFileBytes panics when a provided path is empty” does not help anyone.

> We reported these vulnerabilities to you privately first, but you responded that you wouldn't be fixing them. As is standard for the security community, we then put out an advisory to help users of this software be aware and mitigate these security issues through other means.

Whoever reads it, ask yourselves what would you do when a “corporation” comes to you and asks you to fix something? And how would you respond? That “ask” comes with a threat of publishing by X date if you are not fixing it. Well … I said nicely “* you. Not doing it.”

> The writeup on our blog clearly articulates a patching strategy for each bug, including both short and long-term fixes. I would encourage you to help setup efforts to solicit patches and remediation efforts along those lines.

OK.

greenpau (Owner) commented Jul 9, 2024

@dguido, I thank you and your team for doing the assessment. I did address some of the issues your team uncovered (redirect url), but did it on my own timeline and when I had the time. I do take issue with the quality of some of the findings.

mdbraber (Author) commented

@greenpau @dguido thanks for chiming in; I'm thankful to see these issues (whether or not specifically security related) are getting some attention. I'll close this issue as we can track the other individual issues.

SinisterSpatula commented

So what's the final outcome of this? It's a non-issue from what I gather? Can I just strip that header out of incoming requests and how would I do that?

greenpau (Owner) commented

> Can I just strip that header out of incoming requests and how would I do that?

@SinisterSpatula, I am glad you “get it”. If someone has issues with headers, urls, and everything else, there is a rewrite directive that can help 😉
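The configuration below is an added example, not something posted in this thread or shipped by caddy-security, of the kind of Caddy-level hardening the maintainer refers to earlier (dropping or blocking the X-Forwarded-* headers) and that the last question asks about. It assumes Caddy 2.6 or later, where the `request_header` directive and the `trusted_proxies` server option exist; the site name, upstream address and the 10.0.0.0/8 range are constructed placeholders.

```caddyfile
{
	servers {
		# Only forwarding headers that arrive from these source ranges are used
		# when Caddy computes {client_ip}; anything else is treated as the
		# direct client. 10.0.0.0/8 is a constructed placeholder for the
		# network your load balancer lives on.
		trusted_proxies static 10.0.0.0/8
	}
}

sso.example.com {
	# When Caddy is the internet-facing edge, nothing legitimate sets these
	# headers, so drop them before any later handler (including plugin
	# handlers) can read attacker-chosen values for client IP, host or scheme.
	request_header -X-Forwarded-For
	request_header -X-Forwarded-Host
	request_header -X-Forwarded-Proto

	# The plugin's authenticate / authorize directives would follow here;
	# third-party directives are placed with the global `order` option.
	# 127.0.0.1:8080 is a constructed upstream address.
	reverse_proxy 127.0.0.1:8080
}
```

Pick one of the two mechanisms to match the deployment. If Caddy sits directly on the internet, the three `request_header -…` lines are enough and `trusted_proxies` is unnecessary. If a trusted load balancer is in front of Caddy, do not strip X-Forwarded-For (you would lose the real client address) and rely on `trusted_proxies` instead, so that only that balancer's headers influence `{client_ip}`. Either way, verify against your own instance by sending a request with a forged X-Forwarded-For value and confirming that the access log's client address is the TCP peer, not the header value.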
