-
-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Status of security vulnerabilities? #349
Comments
Thanks for raising this.. Spoke too soon. I see the Severity against each one. thanks for adding that !! |
@mdbraber , majority of these vulnerabilities are not directly related to the plugin. They are something that you would harden yourself. For example, you can configure caddy to drop/block X headers.
if one considers the above a security vulnerability … lol |
@mdbraber , the admin panel was completely rebuild. That issue is not being valid. |
@mdbraber , more importantly … do you see the people who reported these vulnerabilities being engaged? It is like 10 person team. Ask yourself the reason they reported it. Are they working for someone looking to undermine caddy server? These are hired guns. From their website. Apparently, I need to hire them to fix the bugs they found. |
@mdbraber , take a look at these.
Say you can spoof X- header (I spoof User Agent header), what would that give you? What is the impact? Why spoofing |
@mdbraber , thank you for raising this issue. It helps refreshing memory around the issue. I try my best to patch what I see is valid. For example, please see my comment here: #268 (comment). |
Hey @greenpau, as we mentioned in the blog post, we reviewed your software because we were considering using it. We're not working for anyone else, and we weren't asked to review it by anyone else. Also, we are a 125 person team. We reported these vulnerabilities to you privately first, but you responded that you wouldn't be fixing them. As is standard for the security community, we then put out an advisory to help users of this software be aware and mitigate these security issues through other means. The writeup on our blog clearly articulates a patching strategy for each bug, including both short and long-term fixes. I would encourage you to help setup efforts to solicit patches and remediation efforts along those lines. -Dan (the CEO) |
@dguido , that’s what I mean. You have a large team of individuals. If you wanted to fix something, commit resources and fix it. Filing nonsense like “ ReadFileBytes panics when a provided path is empty” does not help anyone.
Whoever reads it, ask yourselves what would you do when a “corporation” comes to you and asks you to fix something? And how would you respond? That “ask” comes with a threat of publishing by X date if you are not fixing it. Well … I said nicely “* you. Not doing it.”
OK. |
@dguido , I thank you and your team for doing the assessment. I did address some of the issues you team uncovered (redirect url), but did it on my own timeline and when I had the time. I do take issue with the quality of some of the findings. |
So what's the final outcome of this? It's a non-issue from what I gather? Can I just strip that header out of incoming requests and how would I do that? |
@SinisterSpatula , I am glad you “get it”. If someone has issues with headers, urls, and everything else, there is rewrite directive that can help 😉 |
In September 2023 several security vulnerabilities were reported - almost all of them are still open at this time:
#266 IP Spoofing via X-Forwarded-For Header (severity: medium)
#267 Referer-Based Header XSS (severity: medium)
#268 Open Redirection Vulnerability (severyity: medium)
#269 X-Forwarded-Host Header Manipulation (severity: medium)
#270 X-Forwarded-Proto Header Manipulation (severity: low)
#271 2FA Bypass by Brute-Forcing Verification Codes (severity: low)
#272 Lack of User Session Invalidation on Logout (severity: low)
#273 Stored XSS in admin panel triggerable by CSRF (severity: high)
#274 No CSRF Mitigation in Caddy Security Admin Panel
#275 ReadFileBytes panics when a provided path is empty
https://github.com/search?q=repo%3Agreenpau%2Fcaddy-security%20is%3Aissue%20is%3Aopen%20label%3Asecurity%20&type=issues
@ahpaleus reported these and wrote a report here https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/. The report mentions that @greenpau indicated there were no near-term plans to act on these vulnerabilities.
I thoroughly appreciate all the work a maintainer like @greenpau is doing as a FOSS maintainer on building caddy-security. At the same time I'm wondering what is the likeliness caddy-security could be considered safe enough to use in a (semi)production environment to secure sensitive information. @greenpau do you have any ideas / suggestions on how to assess these issues?
Thanks for considering!
The text was updated successfully, but these errors were encountered: