List of domains using Cloudflare DNS (potentially affected by the CloudBleed HTTPS traffic leak)

Post by Jakovec12 on February 24th 2017, 3:51 pm

Regarding a recent vulnerability exposed in the infrastructure of Cloudflare (a traffic proxying site): for months now, there has been a vulnerability that allowed data transmitted between Cloudflare's proxy servers and the target server to be exposed.

Affected sites can be found in this list (Forumotion is on the list as well):
https://github.com/pirate/sites-using-cloudflare

Sources:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
https://www.reddit.com/r/sysadmin/comments/5vu3yn/cloudbleed_seceurity_bug_cloudflare_reverse/


Should people change passwords for your site and for ours that have been made by Forumotion?


Last edited by Jakovec12 on February 24th 2017, 8:46 pm; edited 1 time in total

Post by Dr Jay on February 24th 2017, 4:50 pm

Password change is not necessary due to the nature of this kind of problem. This is more of a communications vulnerability rather than a vulnerability of accounts being hacked.

The largest of problems, especially for Forumotion, might be automatic HTTPS rewrites; however, the table at the bottom of the Cloudflare blog you linked to shows that this entire vulnerability has been solved:

Cloudflare wrote:
2017-02-18 0011 Tweet from Tavis Ormandy asking for Cloudflare contact information
2017-02-18 0032 Cloudflare receives details of bug from Google
2017-02-18 0040 Cross functional team assembles in San Francisco
2017-02-18 0119 Email Obfuscation disabled worldwide
2017-02-18 0122 London team joins
2017-02-18 0424 Automatic HTTPS Rewrites disabled worldwide
2017-02-18 0722 Patch implementing kill switch for cf-html parser deployed worldwide

2017-02-20 2159 SAFE_CHAR fix deployed globally

2017-02-21 1803 Automatic HTTPS Rewrites, Server-Side Excludes and Email Obfuscation re-enabled worldwide

Post by Chapo on February 24th 2017, 5:34 pm

Hello,

Don't worry about this Cloudflare vulnerability: we use Cloudflare as an NS on some creation site (and only that), and the vulnerability affects the Cloudflare proxy service (therefore not used by us).
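The distinction drawn in the reply above, between using Cloudflare only for nameservers and routing traffic through its proxy, can be checked from DNS data. The following is an added example, not part of the original thread and not Forumotion's or Cloudflare's own code; the range list is a partial sample of Cloudflare's published IPv4 ranges (an assumption to refresh before use) and the zone data is constructed.

```python
import ipaddress

# Assumption: a partial sample of Cloudflare's published IPv4 edge ranges.
# Refresh from Cloudflare's own published list before relying on it.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15", "198.41.128.0/17",
)]
CF_NS_SUFFIX = ".ns.cloudflare.com"


def uses_cloudflare_ns(ns_records):
    """True if any delegated nameserver is a Cloudflare nameserver."""
    return any(ns.rstrip(".").lower().endswith(CF_NS_SUFFIX) for ns in ns_records)


def is_proxied(addresses):
    """True if any resolved address sits inside a Cloudflare edge range."""
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in CLOUDFLARE_NETS):
            return True
    return False


def classify(ns_records, host_addresses):
    """Map each hostname to 'proxied', 'dns-only' or 'not-cloudflare'."""
    cf_dns = uses_cloudflare_ns(ns_records)
    result = {}
    for host, addrs in host_addresses.items():
        if is_proxied(addrs):
            result[host] = "proxied"         # HTTP(S) traffic crossed the proxy
        elif cf_dns:
            result[host] = "dns-only"        # Cloudflare only answers DNS queries
        else:
            result[host] = "not-cloudflare"
    return result


# Constructed sample zone (illustrative names and addresses, not real data).
SAMPLE_NS = ["ada.ns.cloudflare.com.", "bob.ns.cloudflare.com."]
SAMPLE_HOSTS = {
    "www.example.org": ["104.16.1.10"],      # inside a Cloudflare range
    "forum.example.org": ["203.0.113.20"],   # origin address (TEST-NET-3)
}

if __name__ == "__main__":
    for host, verdict in classify(SAMPLE_NS, SAMPLE_HOSTS).items():
        print(f"{host}: {verdict}")
```

The verdict is per hostname because one zone on Cloudflare nameservers can mix proxied and DNS-only records, and a hostname can be proxied even when the zone's nameservers are elsewhere.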

Post by Dr Jay on February 24th 2017, 5:36 pm

Thanks for letting us know @Chapo and for verifying nothing to worry about. :)

Post by Jakovec12 on February 24th 2017, 8:46 pm

Thanks for the info. :)

Post by SLGray on February 24th 2017, 9:49 pm

Problem solved & topic archived.