Security flaws in an SSO plugin for Caddy (opens in new tab)

(blog.trailofbits.com)

3 pointseurg2y ago3 comments

3 comments

e12e2y ago

Nice that the post includes a timeline - but considering some of these issues (broken rng, brute force of otp) - it's deeply concerning that the issues won't be fixed?

> August 7, 2023: We reported our findings to the caddy-security plugin maintainers.

> August 23, 2023: The caddy-security plugin maintainers confirmed that there were no near-term plans to act on the reported vulnerabilities.

eurgOP2y ago

Both the bug list and the reaction to it are deeply concerning, if you are depending on this project - but I don't know how much real world use this code gets.

Shows that reviewing dependencies is not optional. Hundreds of stars on GitHub is not a helpful data point, even if my own monkey brain says otherwise.

mholt2y ago

Paul is a bit burnt out and busy with his day job.

j / k navigate · click thread line to collapse