
Is Caddy susceptible to confusion attacks?

Open aglossa opened this issue 1 year ago • 1 comment

On his blog, the well-known pentester Orange Tsai shows a new class of attacks on modular web servers. His target was Apache httpd, and he quickly discovered 9 vulnerabilities that are serious, if not critical.

Caddy is written in Go, which removes all the memalloc issues (the reason that drove me to it). However, the problem here is the chaining of multiple modules that don't completely share the semantics of the data structure representing the web request, particularly the mapping between URL and filename.

How does Caddy's main developer (mholt) view Caddy's current situation through this lens?

aglossa avatar Aug 16 '24 07:08 aglossa

There's a lot to unpack in that article... it will take me some time to go through it all...

mholt avatar Aug 16 '24 13:08 mholt