📦 about 🧻 posts

The guys on the forums found quite a glaring security/privacy issue with Cloudflare. Cloudflare sits on top of your site, every request that is made from your site goes through cloudflare first. This allows them to do some cool things, like prevent DDOS attacks and automatically cache and minify content. It automatically caches files with these extensions:

css, js, jpg, jpeg, gif, ico, png, bmp, pict, csv, doc, pdf, pls, ppt, tif, tiff, eps, swf,  midi, mid, ttf, eot, woff, svg, svgz

Which is great, but imagine you have cloudflare on your site:

www.mysite.com

And you have a PM system:

www.mysite.com/messages/

Someone could potentially make you visit this URL (linked in an image maybe?)

www.mysite.com/messages/?.jpg

And then it would be cached in cloudflare – so then they could visit that URL and see the cached version.

This can be prevented with the Cache Level settting in Cloudflare, which stops it taking notice of extensions on the query string. Which’ll save you from these type of attacks – unless you have friendly URLs on your site. In which case you need to make them more secure by not allowing stuff to be added to the end.

question_answer

Add a Comment

An error has occurred. This application may no longer respond until reloaded. Reload 🗙