Caddy Path Sanitization Vulnerability in File Matcher Allows Security Bypass

Vulnerability

A vulnerability exists in Caddy's file matcher path sanitization routine, which fails to properly handle backslashes. This oversight can lead to bypassing path-related security protections, particularly for users with specific Caddy and environment configurations. The issue is present in Caddy versions prior to 2.11.0: a crafted request path containing a backslash can take advantage of the incomplete sanitization to bypass security measures such as access controls or routing directives.

Impact

Exploiting this vulnerability can bypass path-related security protections, such as access controls or routing directives, depending on the Caddy configuration.

Reproduction

To reproduce this vulnerability, create a Caddyfile that uses the 'try_files' directive to rewrite request paths. Ensure that the 'try_files' directive is in the same block as any routing or handling that implements security controls, such as responding with a 403 status. With the Caddy server running, send a request that includes a backslash in the path, targeting a file or resource that the 'try_files' directive would normally rewrite to a different location. On an affected version, the request bypasses the expected security control and reaches the resource directly.
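To illustrate the class of mistake the advisory describes, here is an added Go example (not Caddy's own code; the protected prefix and request paths are constructed) contrasting a prefix access check that cleans with path.Clean alone against one that folds backslashes into forward slashes before cleaning.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// naiveMatchesPrefix is an illustrative (not Caddy's own) access-control check
// that cleans the request path with path.Clean and compares a prefix. path.Clean
// only understands "/" as a separator, so a backslash is left as an ordinary
// byte and can hide both the prefix boundary and a ".." segment.
func naiveMatchesPrefix(reqPath, protectedPrefix string) bool {
	cleaned := path.Clean("/" + reqPath)
	return strings.HasPrefix(cleaned, protectedPrefix)
}

// normalizeRequestPath is the hardened form: fold backslashes into forward
// slashes before cleaning, so the access check sees the same path that a
// file-serving stage on a backslash-tolerant filesystem would resolve.
func normalizeRequestPath(reqPath string) string {
	unified := strings.ReplaceAll(reqPath, "\\", "/")
	return path.Clean("/" + unified)
}

// hardenedMatchesPrefix applies the protected-prefix check to the normalized path.
func hardenedMatchesPrefix(reqPath, protectedPrefix string) bool {
	return strings.HasPrefix(normalizeRequestPath(reqPath), protectedPrefix)
}

func main() {
	const protected = "/private/" // constructed example prefix
	for _, p := range []string{
		"/private/secret.txt",            // plain request: both checks catch it
		"/private\\secret.txt",           // backslash instead of slash after the prefix
		"/public/..\\private/secret.txt", // ".." hidden behind a backslash
	} {
		fmt.Printf("%-34q naive=%-5v hardened=%v\n",
			p, naiveMatchesPrefix(p, protected), hardenedMatchesPrefix(p, protected))
	}
}
```

The defender's takeaway: whatever normalization the file-serving stage applies must also be applied before any access-control matcher, otherwise a separator the matcher ignores can still be honoured when the file is located.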

Remediation

Upgrade to Caddy version 2.11.1 or later, where this vulnerability has been fixed.

Added: Feb 24, 2026, 5:34 PM
Updated: Feb 24, 2026, 10:12 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.