Re: [DAHAX-2013-001] Cloudflare XSS Vulnerability

[Ryan Dewhurst <ryandewhurst () gmail com>]

I presume you could use CSRF and then XMLHttpRequest to set the
X-Forwarded-For and
User-Agent header.

The user would not need to modify anything, just visit a page that you
control/ed.


On Thu, Aug 22, 2013 at 8:43 PM, <xnite () xnite org> wrote:

> **
>
> That's a nice trick and all, but I don't see how it's valuable. In order
> to trigger the XSS you need to modify your browser headers, therefore any
> victim who you are trying to get to a page to execute your XSS would need
> to also modify THEIR browser headers. I don't see how this is any thing
> more than a neat trick. Sorry.
>
>
> On Thursday 22 August 2013 23:18:03 Glenn Grant wrote:
>
> Details below of an XSS vulnerability I discovered in Cloudflare (markdown
> format)
>
>
> - Glenn | /dev/alias
>
> * http://blog.devalias.net
>
> * http://devalias.net
>
>
> -----
>
>
> **Reference Number:** DAHAX-2013-001 (/dev/alias/hacks 2013-001)
>
>
> **Notification Timeline:**
>
>
> * 10/07/2013, Request# 38713 (
> https://support.cloudflare.com/anonymous_requests/new)
>
> * 10/07/2013, Vendor looking into issue
>
> * 16/07/2013, Updated vendor with new details (Length: 101 instead of 72)
>
> * 16/07/2013, Vendor requested that I test again
>
> * [No further response from vendor]
>
> * 01/08/2013, Tested again, vulnerability fixed
>
>
> **Details Published:** 14/08/2013 (
> http://blog.devalias.net/post/58217238426/dahax-2013-001-cloudflare-xss-vulnerability
> )
>
>
> ## What?
>
>
> * Reflected XSS (cross site scripting) attack
>
>
> ## Where's Affected?
>
>
> * Theoretically it seems that any page that uses cloudflare will be
> affected.
>
>   - Eg: http://www.cloudflare.com/
>
>
> ## How?
>
>
> * **To bring up the vulnerable page**
>
>   - Set your X-Forwarded-For header to <del>72+</del> 101+ characters
>
>     - <del>Eg: X-Forwarded-For:
> AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHH</del>
>
>     - Eg: <pre>X-Forwarded-For:
> AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHHHHHHHHHHIIIIIIIIIIJJJJJJJJJJK</pre>
>
>   - Load a site using cloudflare
>
>   - You should end up on "DNS Points to Prohibited IP" page
>
>
> * **To trigger the XSS**
>
>   - Set your User-Agent string to the XSS attack
>
>     - Eg: <pre>User-Agent: USER-AGENT being tested for
> XSS..<script>alert('Vulnerable to XSS via USER-AGENT header [Found by
> devalias.net]')</script></pre>
>
>
> * **The whole attack**
>
>   - Ensure your X-Forwarded-For and User-Agent headers are configured as
> above
>
>   - Navigate to a page using cloudflare
>
>   - ???
>
>   - Profit!
>
>
> ## Who?
>
>
> * Discovered by [Glenn '/dev/alias' Grant](http://www.devalias.net/) (
> glenn () devalias net)
>
>
> ## Responsible Disclosure Notice
>
>
> * Following in the footsteps of Google's vulnerability disclosure
> timeline, unless otherwise agreed to beforehand, I reserve the right to
> publicly announce the details of any discovered vulnerabilities 7 days post
> notification.
>
>   * **Google's Rationale:** "Seven days is an aggressive timeline and may
> be too short for some vendors to update their products, but it should be
> enough time to publish advice about possible mitigations, such as
> temporarily disabling a service, restricting access, or contacting the
> vendor for more information. As a result, after 7 days have elapsed without
> a patch or advisory, we will support researchers making details available
> so that users can take steps to protect themselves. By holding ourselves to
> the same standard, we hope to improve both the state of web security and
> the coordination of vulnerability management." - [Google](
> http://googleonlinesecurity.blogspot.com.au/2013/05/disclosure-timeline-for-vulnerabilities.html
> )
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/