4 matches found
Improper Neutralization of Equivalent Special Elements
Overview Affected versions of this package are vulnerable to Improper Neutralization of Equivalent Special Elements in matcher.go, when matching filenames using the tryfiles directive, which does not properly handle backslashes. An attacker can bypass security protections by exploiting glob...
Improper Neutralization of Equivalent Special Elements
Overview github.com/caddyserver/caddy/v2/modules/caddyhttp/fileserver is a fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS Affected versions of this package are vulnerable to Improper Neutralization of Equivalent Special Elements in matcher.go, when matching filenam...
GHSA-4XRR-HQ4W-6VF4 Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
Summary The path sanitization in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. Details The tryfiles directive is used to rewrite the request uri. It accepts a list of patterns and checks if any files exist in the root that match the...
Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
Summary The path sanitization in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. Details The tryfiles directive is used to rewrite the request uri. It accepts a list of patterns and checks if any files exist in the root that match the...