[DAHAX-2013-001] Cloudflare XSS Vulnerability

Reference Number: DAHAX-2013-001 (/dev/alias/hacks 2013-001)

Notification Timeline

  • 10/07/2013, Request# 38713 (https://support.cloudflare.com/anonymous_requests/new)
  • 10/07/2013, Vendor looking into issue
  • 16/07/2013, Updated vendor with new details (Length: 101 instead of 72)
  • 16/07/2013, Vendor requested that I test again
  • No response from vendor
  • 01/08/2013, Tested again, vulnerability fixed
  • 22/08/2013, Posted details to full-disclosure
  • 22/08/2013, Vendor confirmed issue has been fixed

Details Published: 14/08/2013 (http://blog.devalias.net)

What?

  • Reflected XSS (cross site scripting) attack

Where's Affected?

How?

  • To bring up the vulnerable page
    • Set your X-Forwarded-For header to 101+ characters
    • Eg:
X-Forwarded-For: AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHHHHHHHHHHIIIIIIIIIIJJJJJJJJJJK
  • Load a site using cloudflare
  • You should end up on "DNS Points to Prohibited IP" page
    • To trigger the XSS
  • Set your User-Agent string to the XSS attack
    • Eg:
User-Agent: USER-AGENT being tested for XSS..<script>alert(''Vulnerable to XSS via USER-AGENT header [Found by devalias.net]'')</script>
  • The whole attack
    • Ensure your X-Forwarded-For and User-Agent headers are configured as above
    • Navigate to a page using cloudflare
    • ???
    • Profit!

Who?

Discovered by Glenn 'devalias' Grant (glenn@devalias.net)

Responsible Disclosure Notice

  • Following in the footsteps of Google's vulnerability disclosure timeline, unless otherwise agreed to beforehand, I reserve the right to publicly announce the details of any discovered vulnerabilities 7 days post notification.
    • Google's Rationale: "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." - Google