Windows security advisory for Caddy < 2.6.3

matt · February 20, 2023, 4:02pm

Adrian Denkiewicz of Doyensec has reported a bug affecting some Caddy versions v2.6.2 and earlier that could reveal files described by the hide parameter of the file_server handler if a client crafts a request using ADS paths.

This bug was fixed here:

github.com/caddyserver/caddy

fileserver: Reject ADS and short name paths; trim trailing dots and spaces on Windows

caddyserver:master ← caddyserver:windows-staticfiles

opened 05:16PM - 14 Oct 22 UTC

mholt

+15 -1

I didn't even know about these Windows "features" (actually, I knew about short …names as I grew up with them, but didn't know they were _still_ a thing... ugh) that, along with suffixing filenames with spaces and dots, allow an arbitrary number of variants to transparently refer to the same file on Windows NTFS. Thanks to Adrian Denkiewicz of Doyensec for reporting this.

And was mentioned in the release notes which were announced then. The bug affected only Windows deployments.

Thank you to Adrian for the report and helping verify the fix!

system · June 20, 2023, 4:03pm

This topic was automatically closed after 120 days. New replies are no longer allowed.