Is Caddy susceptible to confusion attack? #6521
Comments
There's a lot to unpack in that article... it will take me some time to go through it all...
On his blog, the well-known pentester Orange Tsai shows a new class of attacks on modular web servers. His target was Apache httpd and he quickly discovers 9 vulnerabilities that are serious if not critical.
Caddy is written in Go, which removes all the memalloc issues (the reason that drove me to it).
However, the problem here is the chaining of multiple modules that don't completely share the semantics of the data structure representing the web request, particularly the mapping between URL and filename.
How does Caddy's main developer (mholt) view Caddy's current situation through this lens?
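
An added illustration of the mismatch the issue describes (not code from Caddy, Apache httpd, or the referenced article): two hypothetical modules, `rawMatcher` and `fileTarget`, read the same request path differently, and `disagree` flags requests where the access decision and the URL-to-filename mapping diverge. The sample paths and the `/srv/www` root are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// canonical decodes and cleans a request path once, so every module can share one value.
func canonical(rawPath string) (string, error) {
	dec, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	return path.Clean("/" + dec), nil
}

// rawMatcher is a hypothetical access-control module that tests the raw, still-encoded path.
func rawMatcher(rawPath string) bool {
	return strings.HasPrefix(rawPath, "/private/")
}

// fileTarget is a hypothetical file-serving module: canonical path mapped to a filename under root.
func fileTarget(root, rawPath string) (string, error) {
	p, err := canonical(rawPath)
	if err != nil {
		return "", err
	}
	return path.Join(root, p), nil
}

// disagree reports whether the two modules differ on the request targeting root/private.
func disagree(root, rawPath string) (bool, error) {
	f, err := fileTarget(root, rawPath)
	if err != nil {
		return false, err
	}
	served := strings.HasPrefix(f, path.Join(root, "private")+"/")
	return rawMatcher(rawPath) != served, nil
}

func main() {
	// Constructed sample paths, not taken from the article or from Caddy.
	for _, p := range []string{"/private/a.txt", "/public/../private/a.txt", "/%70rivate/a.txt", "/public/a.txt"} {
		d, err := disagree("/srv/www", p)
		fmt.Printf("%-28q disagree=%v err=%v\n", p, d, err)
	}
}
```

Running the matcher on the output of `canonical` instead of the raw path removes the divergence, because both modules then consume the same representation of the request.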