Cloudflare security issues

The guys on the forums found quite a glaring security/privacy issue with Cloudflare. Cloudflare sits in front of your site: every request that is made to your site goes through Cloudflare first. This allows them to do some cool things, like prevent DDoS attacks and automatically cache and minify content. It automatically caches files with these extensions:

css, js, jpg, jpeg, gif, ico, png, bmp, pict, csv, doc, pdf, pls, ppt, tif, tiff, eps, swf, midi, mid, ttf, eot, woff, svg, svgz

Which is great, but imagine you have Cloudflare on your site:

www.mysite.com

And you have a PM system:

www.mysite.com/messages/

Someone could potentially make you visit this URL (linked in an image, maybe?):

www.mysite.com/messages/?.jpg

The response you receive would then be cached in Cloudflare, so they could visit that URL themselves and see the cached version.

This can be prevented with the Cache Level setting in Cloudflare, which stops it taking notice of extensions on the query string. That will save you from this type of attack, unless you have friendly URLs on your site, in which case you need to make them more secure by not allowing anything to be added to the end of the URL.
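
The two fixes above cover different cases, which the following added example (not code from the forum thread or from Cloudflare) makes concrete. It assumes a simplified extension-matching cache model and two hypothetical routers, `lax_origin` and `strict_origin`, for the `/messages/` page.

```python
from urllib.parse import urlsplit

# Subset of the automatically cached extensions listed in the post.
CACHED_EXTENSIONS = {"css", "js", "jpg", "jpeg", "gif", "ico", "png", "pdf", "svg"}
PRIVATE_PREFIX = "/messages/"  # the PM system from the post's example


def cache_treats_as_static(url, query_counts):
    """Simplified model (an assumption, not Cloudflare's actual logic):
    a URL is cacheable if its last dotted suffix is a known static extension.
    query_counts=True models a cache that also inspects the query string."""
    parts = urlsplit(url)
    target = parts.query if (query_counts and parts.query) else parts.path
    suffix = target.rsplit(".", 1)[-1].lower() if "." in target else ""
    return suffix in CACHED_EXTENSIONS


def lax_origin(path):
    """Hypothetical friendly-URL router: ignores anything after the prefix."""
    return 200 if path.startswith(PRIVATE_PREFIX) else 404


def strict_origin(path):
    """Hypothetical router that serves the page only on an exact path match."""
    return 200 if path == PRIVATE_PREFIX else 404


def private_page_cacheable(url, origin, query_counts):
    """True when the origin returns the private page AND the cache model
    would store it: the combination the post warns about."""
    path = urlsplit(url).path
    return origin(path) == 200 and cache_treats_as_static(url, query_counts)


# Constructed sample URLs based on the post's www.mysite.com example.
QUERY_URL = "https://www.mysite.com/messages/?.jpg"
FRIENDLY_URL = "https://www.mysite.com/messages/anything.jpg"

if __name__ == "__main__":
    for url in (QUERY_URL, FRIENDLY_URL):
        for origin in (lax_origin, strict_origin):
            for query_counts in (True, False):
                print(url, origin.__name__, query_counts,
                      private_page_cacheable(url, origin, query_counts))
```

Strict routing alone does not help with the query-string URL, and ignoring the query string alone does not help a site whose router accepts extra path segments, so a site with friendly URLs needs both.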
