Cloudflare security issues
Tuesday, August 16, 2011
The guys on the forums found quite a glaring security/privacy issue with Cloudflare. Cloudflare sits in front of your site: every request made to your site goes through Cloudflare first. This allows them to do some cool things, like prevent DDoS attacks and automatically cache and minify content. It automatically caches files with these extensions:
css, js, jpg, jpeg, gif, ico, png, bmp, pict, csv, doc, pdf, pls, ppt, tif, tiff, eps, swf, midi, mid, ttf, eot, woff, svg, svgz
Which is great, but imagine you have Cloudflare on your site:
And you have a PM system:
Someone could potentially make you visit this URL (linked in an image maybe?)
And then it would be cached in Cloudflare - so then they could visit that URL and see the cached version.
This can be prevented with the Cache Level setting in Cloudflare, which stops it taking notice of extensions on the query string. That will save you from these types of attacks, unless you have friendly URLs on your site, in which case you need to make them more secure by not allowing anything to be appended to the end.
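
The following is an added example, not code from the original post or from Cloudflare. It models the extension check as the post describes it and shows a friendly-URL route that refuses anything appended to the end. The `/messages/<id>` path, the `forum.example` host, the function names and the `Cache-Control` header are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Extensions the post lists as cached automatically.
CACHED_EXTENSIONS = set(
    "css js jpg jpeg gif ico png bmp pict csv doc pdf pls ppt tif tiff "
    "eps swf midi mid ttf eot woff svg svgz".split()
)

def edge_would_cache(url, ignore_query_string):
    """Simplified model (an assumption) of the extension check in the post.

    With ignore_query_string=False the extension is read from the end of the
    whole URL, query string included; with True only the path is considered,
    which is the effect the post attributes to the Cache Level setting.
    """
    parts = urlsplit(url)
    candidate = parts.path
    if parts.query and not ignore_query_string:
        candidate += "?" + parts.query
    _, dot, ext = candidate.rpartition(".")
    return bool(dot) and ext.lower() in CACHED_EXTENSIONS

# Hypothetical friendly URL for a private-message page: /messages/<id>
LOOSE_ROUTE = re.compile(r"/messages/(\d+)")     # prefix match, tolerates a suffix
STRICT_ROUTE = re.compile(r"/messages/(\d+)/?")  # used with fullmatch()

def route_private_message(path, strict=True):
    """Return (status, headers) for a request to the private-message page."""
    if strict:
        match = STRICT_ROUTE.fullmatch(path)  # nothing may follow the id
    else:
        match = LOOSE_ROUTE.match(path)       # "/messages/42/a.css" still matches
    if match is None:
        return 404, {}
    # Defence in depth (not from the post): mark per-user pages as
    # not storable by shared caches.
    return 200, {"Cache-Control": "private, no-store"}

if __name__ == "__main__":
    # Constructed sample URLs.
    for url in ("https://forum.example/messages/42?x=.css",
                "https://forum.example/messages/42/a.css"):
        path = urlsplit(url).path
        print(url,
              "| cached, query ignored:", edge_would_cache(url, True),
              "| loose route:", route_private_message(path, strict=False)[0],
              "| strict route:", route_private_message(path)[0])
```

Ignoring the query string only covers the first sample URL; the second carries the extension in the path, so the application's own router has to reject it.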