Caddy FastCGI Path Handling Vulnerability Leading to Path Confusion and Potential Remote Code Execution

Vulnerability

A vulnerability in Caddy's FastCGI path handling prior to version 2.11.1 allows for path confusion, where a request intended for a `.php` file could be misrouted to a different file. The issue arises because the path splitting logic mishandles Unicode characters that expand when lowercased, so the computed split point is wrong and the resulting `SCRIPT_NAME`, `SCRIPT_FILENAME`, and `PATH_INFO` are erroneous. In environments where file contents can be controlled, such as through uploads, this could result in unintended execution of PHP code, potentially allowing for remote code execution.

Impact

Exploitation of this vulnerability can cause Caddy to execute the wrong file in a PHP environment, particularly if the misrouted file contains PHP code. This could lead to remote code execution, depending on the specific server setup.

Reproduction

The vulnerability can be reproduced by sending a request to a Caddy server with a path that includes a Unicode character that expands when lowercased, such as `Ⱥ`. The FastCGI transport will incorrectly calculate the split point for `.php` files, leading to the execution of a different file than intended.
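As an added illustration (not Caddy's code), the following Go program reimplements the split-point pattern the advisory describes, lowercasing the path to find `.php` and applying that byte index to the original, beside a variant that searches the original bytes directly; the request path `/Ⱥ/index.php/extra` is a constructed sample and the function names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Illustrative reimplementation of the pattern the advisory describes (not
// Caddy's code): the split string is found in a lowercased copy of the path
// and that byte index is applied to the original. A character before ".php"
// that grows when lowercased (Ⱥ is 2 bytes in UTF-8, ⱥ is 3) shifts the cut.
func vulnerableSplit(path, split string) (scriptName, pathInfo string) {
	idx := strings.Index(strings.ToLower(path), strings.ToLower(split))
	if idx < 0 {
		return path, ""
	}
	pos := idx + len(split)
	if pos > len(path) { // clamp so the demonstration cannot panic
		pos = len(path)
	}
	return path[:pos], path[pos:]
}

// safeSplit compares fixed-width windows of the ORIGINAL bytes against the
// ASCII split (e.g. ".php"), so the cut is always a real offset in the
// original path. Equal byte length plus an all-ASCII split means EqualFold
// can only match ASCII bytes here; multibyte runes never fold into it.
func safeSplit(path, split string) (scriptName, pathInfo string) {
	for i := 0; i+len(split) <= len(path); i++ {
		if strings.EqualFold(path[i:i+len(split)], split) {
			return path[:i+len(split)], path[i+len(split):]
		}
	}
	return path, ""
}

// lowercaseShifts is a cheap access-log triage check: true when Unicode
// lowercasing changes the path's byte length, the precondition for the bug.
func lowercaseShifts(path string) bool {
	return len(strings.ToLower(path)) != len(path)
}

func main() {
	p := "/Ⱥ/index.php/extra" // constructed sample request path
	sn, pi := vulnerableSplit(p, ".php")
	fmt.Printf("vulnerable: SCRIPT_NAME=%q PATH_INFO=%q\n", sn, pi)
	sn, pi = safeSplit(p, ".php")
	fmt.Printf("fixed:      SCRIPT_NAME=%q PATH_INFO=%q\n", sn, pi)
	fmt.Println("lowercasing shifts byte offsets:", lowercaseShifts(p))
}
```

On the sample path the vulnerable variant cuts one byte too late, yielding `SCRIPT_NAME` `/Ⱥ/index.php/` and `PATH_INFO` `extra`, while the safe variant yields `/Ⱥ/index.php` and `/extra`; `lowercaseShifts` can be run over logged request paths from unpatched servers to find candidates for closer review.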

Remediation

Users can upgrade to Caddy version 2.11.1, where this vulnerability has been fixed.

Added: Feb 24, 2026, 5:41 PM
Updated: Feb 24, 2026, 10:09 PM

Vulnerability Rating (Custom Algorithm)

Category        Score
spread            1.0
impact           10.0
exploitability    6.2
remediation       7.7
relevance         3.1
threat            6.4
urgency           2.9
incentive         0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.