Cloudflare security issues

Tuesday, August 16, 2011

The guys on the forums found quite a glaring security/privacy issue with Cloudflare. Cloudflare sits on top of your site, every request that is made from your site goes through cloudflare first. This allows them to do some cool things, like prevent DDOS attacks and automatically cache and minify content. It automatically caches files with these extensions:

css, js, jpg, jpeg, gif, ico, png, bmp, pict, csv, doc, pdf, pls, ppt, tif, tiff, eps, swf,  midi, mid, ttf, eot, woff, svg, svgz

Which is great, but imagine you have cloudflare on your site:

www.mysite.com

And you have a PM system:

www.mysite.com/messages/

Someone could potentially make you visit this URL (linked in an image maybe?)

www.mysite.com/messages/?.jpg

And then it would be cached in cloudflare - so then they could visit that URL and see the cached version.

This can be prevented with the Cache Level settting in Cloudflare, which stops it taking notice of extensions on the query string. Which'll save you from these type of attacks - unless you have friendly URLs on your site. In which case you need to make them more secure by not allowing stuff to be added to the end.

More Rubbish

Your Portfolio Gave Me Diarrhea

Friday, October 1, 2021

Motivation

Friday, September 24, 2021

We got married

Thursday, September 16, 2021

Unity Quiz

Sunday, September 6, 2020

Everything We Watched In Lockdown

Thursday, September 3, 2020

Images in Source

Monday, August 15, 2011

Visual Studio for Lua editing

Friday, August 12, 2011

More Android bitching

Wednesday, August 10, 2011

Riots

Tuesday, August 9, 2011

Home Gym

Tuesday, August 9, 2011