I wasn’t able to find any information about how to report security vulnerabilities in Caddy or Caddy plugins on the Caddy homepage so I figured a community forum thread would be appropriate disclosure.
I discovered a class of trivial DoS bugs in the HAProxy PROXY V2 parsing in the http.proxyprotocol Caddy plugin.
I opened the following Github issues with details and reproduction steps (including a Caddyfile and sample panic output from Caddy v1.0.1):
- Invalid V2 PROXY data causes parsing panics/denial-of-service · Issue #1 · mastercactapus/proxyprotocol · GitHub
- Denial of service vulnerability with invalid v2 PROXY data · Issue #8 · mastercactapus/caddy-proxyprotocol · GitHub
As I mentioned in the plugin issue the documentation for this plugin should be much stronger in its language to recommend a source address filter. Using a filter would help mitigate this vulnerability and I recommend users of this plugin ensure that they have such a filter configured until the
github.com/mastercactapus/proxyprotocol package and the
caddy-proxyprotocol plugin have been updated with a fix.
More importantly without using a filter this plugin lets anyone able to send a request to the Caddy server spoof IP metadata (by design). Other webservers (e.g. Apache) that support the HAProxy PROXY protocol include an explicit warning like:
It is critical to only enable this behavior from intermediate hosts (proxies, etc) which are trusted by this server, since it is trivial for the remote useragent to impersonate another useragent.
No such warning is present in the Caddy plugin documentation and I think that’s a clear area for improvement.