How to stop potential redirect exploit?

1. Output of caddy version:

```
v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=
```

2. How I run Caddy:

a. System environment:

Ubuntu 20.04
Docker

d. My complete Caddy config:

```
{$HOST} {
  handle /api* {
    reverse_proxy api:{$API_PORT}
  }
  handle /uploads* {
    reverse_proxy api:{$API_PORT}
  }
  handle {
    root * /var/www/praise
    try_files {path} /index.html
    encode zstd gzip
    file_server
  }
}
```

3. The problem I’m having:

I have gotten reports that our website is open to redirect exploits. And clicking on the link below confirms this: the user is indeed redirected to an unintended external domain.

https://staging.givepraise.xyz/%5C%5Cevil.com/%252e%252e%252f

I have tried all sorts of regular expressions and path matchers but I’m not able to figure out how to capture the above path and prevent the redirect from happening. Ideally I would like to prevent any redirects and allow only the paths I specifically specify.
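For checking whether a server's redirect actually leaves the site, here is an added Python helper (not part of this thread and not Caddy's own code). It classifies a `Location` header the way a browser would resolve it: an absolute URL on another host, a scheme-relative `//host/...` form (including the runs of leading slashes and the backslashes that browsers fold into slashes), or a non-HTTP scheme all count as off-site, while plain path-relative locations stay on the site. The sample headers and the hostname `staging.givepraise.xyz` from the post are used as constructed inputs; the optional `fetch_location` helper at the bottom is assumed to be run against your own server after upgrading.

```python
from urllib.parse import urlsplit, unquote
import urllib.request
import urllib.error


def is_offsite_redirect(location: str, site_host: str) -> bool:
    """Return True if a Location header would send a browser off site_host.

    Browsers treat backslashes in http(s) URLs as slashes, and any run of two
    or more leading slashes as scheme-relative (so "///evil.com" names a host).
    """
    loc = location.strip().replace("\\", "/")
    parts = urlsplit(loc)
    if parts.scheme:
        # Non-HTTP schemes (javascript:, data:, ...) are never a safe redirect.
        if parts.scheme.lower() not in ("http", "https"):
            return True
        host = parts.hostname or ""
    elif loc.startswith("//"):
        # Scheme-relative: strip the whole run of slashes, then take the host.
        host = urlsplit("//" + loc.lstrip("/")).hostname or ""
    else:
        # Path-relative or empty location: stays on the current origin.
        return False
    # Hosts may be percent-encoded; compare the decoded, lower-cased form.
    return unquote(host).lower() != site_host.lower()


# Constructed sample Location headers, labelled with the expected verdict.
SAMPLES = {
    "/index.html": False,                          # ordinary on-site redirect
    "https://staging.givepraise.xyz/uploads/": False,
    "//evil.com/%2e%2e%2f": True,                  # protocol-relative, off site
    "\\\\evil.com/": True,                         # backslashes folded to slashes
    "///evil.com/": True,                          # extra leading slashes
    "https://staging.givepraise.xyz@evil.com/": True,  # userinfo trick
    "javascript:alert(1)": True,                   # non-HTTP scheme
}


def classify_samples(site_host: str = "staging.givepraise.xyz") -> dict:
    """Run the classifier over SAMPLES and return {location: verdict}."""
    return {loc: is_offsite_redirect(loc, site_host) for loc in SAMPLES}


def fetch_location(url: str, timeout: float = 10.0):
    """Request url without following redirects; return (status, Location)."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # turn 3xx into HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    # Offline self-check against the constructed samples.
    for loc, verdict in classify_samples().items():
        print(f"{'OFF-SITE' if verdict else 'on-site '}  {loc!r}")
    # Live check of your own server (hypothetical URL; adjust host and path).
    status, location = fetch_location(
        "https://staging.givepraise.xyz/%5C%5Cevil.com/%252e%252e%252f"
    )
    if location is not None:
        print(status, location,
              "OFF-SITE" if is_offsite_redirect(location, "staging.givepraise.xyz")
              else "on-site")
    else:
        print(status, "no redirect")
```

After upgrading, a `Location` that the classifier marks on-site (or no redirect at all) for the reported path is the result you want; the classifier is also suitable as a unit test around any redirect-emitting handler of your own.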

Just update to v2.5.2.


(Also, an “open redirect” is a client problem more than a server problem. GIGO.)


… you mean users should not click on links that have evil.com baked into them?

Thank you for the quick response!
