Full Disclosure mailing list archives

Re: [DAHAX-2013-001] Cloudflare XSS Vulnerability

From: PsychoBilly <zpamh0l3 () gmail com>
Date: Fri, 23 Aug 2013 13:26:31 +0200


( hello list, i'm Musn'tLive, I warn you want it a serious XSS Xploit in [ Insert whatever insignificant CMS here ],
The Xploit reside in trigger logged admin that click a craft mail. Thank you Acunetix for finding that. )


[[   xnite () xnite org   ]] @ [[   22/08/2013 20:43   ]]--------------------------------------------------

That's a nice trick and all, but I don't see how it's valuable. In order to trigger the XSS you need to modify your 
browser headers, therefore any victim who you are trying to get to a page to execute your XSS would need to also 
modify THEIR browser
headers. I don't see how this is any thing more than a neat trick. Sorry.

On Thursday 22 August 2013 23:18:03 Glenn Grant wrote:

Details below of an XSS vulnerability I discovered in Cloudflare (markdown format)


- Glenn | /dev/alias

* http://blog.devalias.net

* http://devalias.net


-----


**Reference Number:** DAHAX-2013-001 (/dev/alias/hacks 2013-001)


**Notification Timeline:**


* 10/07/2013, Request# 38713 (https://support.cloudflare.com/anonymous_requests/new)

* 10/07/2013, Vendor looking into issue

* 16/07/2013, Updated vendor with new details (Length: 101 instead of 72)

* 16/07/2013, Vendor requested that I test again

* [No further response from vendor]

* 01/08/2013, Tested again, vulnerability fixed


**Details Published:** 14/08/2013 
(http://blog.devalias.net/post/58217238426/dahax-2013-001-cloudflare-xss-vulnerability)


## What?


* Reflected XSS (cross site scripting) attack


## Where's Affected?


* Theoretically it seems that any page that uses cloudflare will be affected.

  - Eg: http://www.cloudflare.com/


## How?


* **To bring up the vulnerable page**

  - Set your X-Forwarded-For header to <del>72+</del> 101+ characters

    - <del>Eg: X-Forwarded-For: AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHH</del>

    - Eg: <pre>X-Forwarded-For: 
AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHHHHHHHHHHIIIIIIIIIIJJJJJJJJJJK</pre>

  - Load a site using cloudflare

  - You should end up on "DNS Points to Prohibited IP" page


* **To trigger the XSS**

  - Set your User-Agent string to the XSS attack

    - Eg: <pre>User-Agent: USER-AGENT being tested for XSS..<script>alert('Vulnerable to XSS via USER-AGENT header 
[Found by devalias.net <http://devalias.net>]')</script></pre>


* **The whole attack**

  - Ensure your X-Forwarded-For and User-Agent headers are configured as above

  - Navigate to a page using cloudflare

  - ???

  - Profit!


## Who?


* Discovered by [Glenn '/dev/alias' Grant](http://www.devalias.net/) (glenn () devalias net <mailto:glenn () devalias 
net>)


## Responsible Disclosure Notice


* Following in the footsteps of Google's vulnerability disclosure timeline, unless otherwise agreed to beforehand, I 
reserve the right to publicly announce the details of any discovered vulnerabilities 7 days post notification.

  * **Google's Rationale:** "Seven days is an aggressive timeline and may be too short for some vendors to update 
their products, but it should be enough time to publish advice about possible mitigations, such as temporarily 
disabling a service,
restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a 
patch or advisory, we will support researchers making details available so that users can take steps to protect 
themselves. By holding
ourselves to the same standard, we hope to improve both the state of web security and the coordination of 
vulnerability management." - 
[Google](http://googleonlinesecurity.blogspot.com.au/2013/05/disclosure-timeline-for-vulnerabilities.html)





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

[DAHAX-2013-001] Cloudflare XSS Vulnerability Glenn Grant (Aug 22)
- Re: [DAHAX-2013-001] Cloudflare XSS Vulnerability xnite (Aug 22)
  - Re: [DAHAX-2013-001] Cloudflare XSS Vulnerability Ryan Dewhurst (Aug 22)
    - Re: [DAHAX-2013-001] Cloudflare XSS Vulnerability andfarm (Aug 22)
  - Re: [DAHAX-2013-001] Cloudflare XSS Vulnerability Julius Kivimäki (Aug 23)
    - Re: [DAHAX-2013-001] Cloudflare XSS Vulnerability Bart van Tuil (Aug 23)
    - Re: [DAHAX-2013-001] Cloudflare XSS Vulnerability jonathan schatz (Aug 24)
  - Re: [DAHAX-2013-001] Cloudflare XSS Vulnerability PsychoBilly (Aug 23)