greenpau / caddy-security

๐Ÿ” Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. ๐Ÿ’Ž Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. ๐Ÿ’Ž Authorization with JWT/PASETO tokens. ๐Ÿ”
https://authcrunch.com/
Apache License 2.0
1.49k stars 73 forks

X-Forwarded-Host Header Manipulation #269

Open ahpaleus opened 1 year ago

ahpaleus commented 1 year ago

Severity: Medium

The caddy-security plugin processes the X-Forwarded-Host header, which could lead to various security vulnerabilities (web cache poisoning, business logic flaws, routing-based server-side request forgery [SSRF], and classic server-side vulnerabilities). Additionally, the caddy-security plugin generates QR codes based on this header, which extends the attack surface.

Injecting host override header:

GET /admin/logout HTTP/2
Host: portal.caddysecurity.network
X-Forwarded-Host: portal.caddysecurity.network.evil.domain

HTTP/2 302 Found
Cache-Control: no-store
Location: https://portal.caddysecurity.network.evil.domain/admin/login
Pragma: no-cache
Server: Fly/a0b91024 (2023-06-13)
Set-Cookie: AUTHP_SESSION_ID=v14BZF1mtU6iAVYAMMDPROWMZy2pfmrpad7xUbZhP; Domain=caddysecurity.network; Path=/; Secure; HttpOnly;
Set-Cookie: access_token=delete; Domain=caddysecurity.network; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT;
Set-Cookie: AUTHP_REDIRECT_URL=delete; Domain=caddysecurity.network; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT;
Set-Cookie: AUTHP_SESSION_ID=delete; Domain=caddysecurity.network; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT;
Date: Wed, 19 Jul 2023 08:12:13 GMT
Content-Length: 0

For example:

By manipulating X-Forwarded-related headers, we can manipulate the PNG outcome:

GET /qrcode/ HTTP/2
Host: portal.caddysecurity.network
Cookie: AUTHP_SESSION_ID=<redacted>; access_token=<redacted>
X-Forwarded-Host: test123test123
Content-Length: 2

HTTP/2 200 OK
Content-Type: image/png
Server: Fly/a0b91024 (2023-06-13)
Date: Fri, 21 Jul 2023 13:59:13 GMT
Content-Length: 474

�PNG
// (...)

[image: the generated QR code PNG]

To mitigate this issue, do not rely on the Host and X-Forwarded-Host headers in the caddy-security plugin logic. Instead, use the current domain manually specified in the configuration file to generate a QR code.

In addition, we recommend the following:

More information about our Caddy Security public disclosure:
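The following Go program is an added illustration of the pattern described in the report; it is not code from caddy-security or from the reporter. It contrasts a base-URL builder that trusts X-Forwarded-Host (the behaviour the captured 302 shows) with one that uses an operator-configured origin, and adds a third option for deployments that genuinely sit behind a reverse proxy: honour the header only when the TCP peer is a known proxy and the value is on an explicit allowlist. The PortalConfig type, its Origin field, forwardedHostIfTrusted, the proxy address 10.0.0.2 and the allowlist contents are all assumptions for the example; the request values are modelled on the ones in the report.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// PortalConfig is a hypothetical stand-in for "the current domain manually
// specified in the configuration file" that the report recommends.
type PortalConfig struct {
	// Origin is the externally reachable scheme+host of the portal,
	// e.g. "https://portal.example.com" (assumed field, not from the project).
	Origin string
}

// unsafeBaseURL reproduces the reported behaviour: an attacker-controlled
// X-Forwarded-Host (falling back to Host) becomes the origin used for the
// Location header and for the string handed to the QR encoder.
func unsafeBaseURL(r *http.Request) string {
	host := r.Host
	if fh := r.Header.Get("X-Forwarded-Host"); fh != "" {
		host = fh
	}
	return "https://" + host
}

// safeBaseURL ignores every request header and returns the configured origin.
func safeBaseURL(cfg PortalConfig) string {
	return strings.TrimRight(cfg.Origin, "/")
}

// forwardedHostIfTrusted is the alternative for deployments that must honour
// X-Forwarded-Host: the value is accepted only when the immediate TCP peer is
// a trusted proxy AND the host is on an explicit allowlist. ok is false
// whenever the header must be ignored.
func forwardedHostIfTrusted(r *http.Request, trustedProxies, allowedHosts map[string]bool) (host string, ok bool) {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || !trustedProxies[peer] {
		return "", false
	}
	fh := strings.ToLower(strings.TrimSpace(r.Header.Get("X-Forwarded-Host")))
	if fh == "" || !allowedHosts[fh] {
		return "", false
	}
	return fh, true
}

// buildLocation composes the absolute URL for path on base, as both a
// Location header and a QR-code payload would need. It rejects bases that are
// not absolute URLs, which is what a bare "test123test123" would produce.
func buildLocation(base, path string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("base %q is not an absolute URL", base)
	}
	u.Path = path
	return u.String(), nil
}

func main() {
	// Constructed request modelled on the first capture in the report.
	r := httptest.NewRequest("GET", "/admin/logout", nil)
	r.Host = "portal.caddysecurity.network"
	r.Header.Set("X-Forwarded-Host", "portal.caddysecurity.network.evil.domain")
	r.RemoteAddr = "203.0.113.10:54321" // an arbitrary client, not a proxy

	bad, _ := buildLocation(unsafeBaseURL(r), "/admin/login")
	good, _ := buildLocation(safeBaseURL(PortalConfig{Origin: "https://portal.caddysecurity.network"}), "/admin/login")
	fmt.Println("vulnerable Location:", bad)
	fmt.Println("hardened Location:  ", good)

	if _, ok := forwardedHostIfTrusted(r, map[string]bool{"10.0.0.2": true}, map[string]bool{"portal.caddysecurity.network": true}); !ok {
		fmt.Println("X-Forwarded-Host ignored: peer is not a trusted proxy")
	}
}
```

The configured-origin approach is the simplest and matches the report's recommendation; the allowlisted-proxy variant is only worth the extra state when one portal legitimately serves several public hostnames through a proxy the operator controls.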