The forum of the forums

4 posters

    List of domains using Cloudflare DNS (potentially affected by the CloudBleed HTTPS traffic leak)

    Jakovec12
    New Member


    Posts : 13
    Reputation : 1
    Language : Croatia

    Solved List of domains using Cloudflare DNS (potentially affected by the CloudBleed HTTPS traffic leak)

    Post by Jakovec12 February 24th 2017, 3:51 pm

    Regarding a recent vulnerability exposed in Cloudflare's (a traffic proxying site) infrastructure. For months now, there has been a vulnerability that allowed data transmitted between Cloudflare's proxy servers and the target server to be exposed.

    Affected sites can be found in this list (Forumotion is on the list as well):
    https://github.com/pirate/sites-using-cloudflare

    Sources:
    https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
    https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
    https://www.reddit.com/r/sysadmin/comments/5vu3yn/cloudbleed_seceurity_bug_cloudflare_reverse/


    Should people change passwords from your site and ours that have been made by Forumotion?


    Last edited by Jakovec12 on February 24th 2017, 8:46 pm; edited 1 time in total
    Dr Jay
    Forumember


    Male Posts : 92
    Reputation : 7
    Language : English
    Location : USA(UTC-5)

    Solved Re: List of domains using Cloudflare DNS (potentially affected by the CloudBleed HTTPS traffic leak)

    Post by Dr Jay February 24th 2017, 4:50 pm

    Password change is not necessary due to the nature of this kind of problem. This is more of a communications vulnerability rather than a vulnerability of accounts being hacked.

    The largest of problems, especially for Forumotion, might be automatic HTTPS rewrites; however, the table at the bottom of the Cloudflare blog you linked to shows that this entire vulnerability has been solved:

    Cloudflare wrote:
    2017-02-18 0011 Tweet from Tavis Ormandy asking for Cloudflare contact information
    2017-02-18 0032 Cloudflare receives details of bug from Google
    2017-02-18 0040 Cross functional team assembles in San Francisco
    2017-02-18 0119 Email Obfuscation disabled worldwide
    2017-02-18 0122 London team joins
    2017-02-18 0424 Automatic HTTPS Rewrites disabled worldwide
    2017-02-18 0722 Patch implementing kill switch for cf-html parser deployed worldwide

    2017-02-20 2159 SAFE_CHAR fix deployed globally

    2017-02-21 1803 Automatic HTTPS Rewrites, Server-Side Excludes and Email Obfuscation re-enabled worldwide
    Chapo
    Technician


    Posts : 37
    Reputation : 14
    Language : PHP ;)

    Solved Re: List of domains using Cloudflare DNS (potentially affected by the CloudBleed HTTPS traffic leak)

    Post by Chapo February 24th 2017, 5:34 pm

    Hello,

    Don't worry about this Cloudflare vulnerability: we use Cloudflare as an NS on some creation site (and only that) and the vulnerability affects Cloudflare proxy service (therefore not used by us).
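
The distinction drawn in the post above (Cloudflare as nameserver only versus Cloudflare as proxy) can be checked from a domain's DNS answers. The following is an added example, not part of the original thread or of any Forumotion or Cloudflare code: it classifies a domain from its NS and A records, which in practice would come from `dig NS` and `dig A`. The range list is an assumption to be refreshed from https://www.cloudflare.com/ips/, and the sample domains and records are constructed.

```python
import ipaddress

# Cloudflare IPv4 edge ranges as known to this example's author (assumption:
# refresh from https://www.cloudflare.com/ips/ before relying on the result).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17",
)]

def is_cloudflare_ip(addr: str) -> bool:
    """True if addr falls inside one of the listed Cloudflare edge ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in CLOUDFLARE_NETS)

def uses_cloudflare_ns(ns_records) -> bool:
    """True if any nameserver is a Cloudflare authoritative server."""
    return any(ns.lower().rstrip(".").endswith(".ns.cloudflare.com")
               for ns in ns_records)

def classify(ns_records, a_records) -> str:
    # Traffic only passes through Cloudflare's edge (and its HTML parser)
    # when the address records point at Cloudflare, whatever the NS says.
    if any(is_cloudflare_ip(a) for a in a_records):
        return "proxied"
    if uses_cloudflare_ns(ns_records):
        return "dns-only"
    return "not-cloudflare"

# Constructed sample answers: hypothetical domains; the non-Cloudflare
# addresses are from documentation address space.
SAMPLES = {
    "forum.example": (["abby.ns.cloudflare.com."], ["203.0.113.10"]),
    "shop.example": (["abby.ns.cloudflare.com."], ["104.16.1.1"]),
    "blog.example": (["ns1.example.net."], ["198.51.100.7"]),
}

def triage(samples=SAMPLES):
    """Map each sample domain to its classification."""
    return {d: classify(ns, a) for d, (ns, a) in samples.items()}

if __name__ == "__main__":
    for domain, verdict in triage().items():
        print(f"{domain:15} {verdict}")
```

A "dns-only" verdict matches the situation described in the post: the domain appears on a list built from Cloudflare nameserver usage, but its HTTP traffic never crossed the proxy.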
    Dr Jay
    Forumember


    Male Posts : 92
    Reputation : 7
    Language : English
    Location : USA(UTC-5)

    Solved Re: List of domains using Cloudflare DNS (potentially affected by the CloudBleed HTTPS traffic leak)

    Post by Dr Jay February 24th 2017, 5:36 pm

    Thanks for letting us know @Chapo and for verifying nothing to worry about.
    Jakovec12
    New Member


    Posts : 13
    Reputation : 1
    Language : Croatia

    Solved Re: List of domains using Cloudflare DNS (potentially affected by the CloudBleed HTTPS traffic leak)

    Post by Jakovec12 February 24th 2017, 8:46 pm

    Thanks for the info.
    SLGray
    Administrator


    Male Posts : 51499
    Reputation : 3523
    Language : English
    Location : United States

    Solved Re: List of domains using Cloudflare DNS (potentially affected by the CloudBleed HTTPS traffic leak)

    Post by SLGray February 24th 2017, 9:49 pm

    Problem solved & topic archived.
    Please read our forum rules:  ESF General Rules




    When your topic has been solved, ensure you mark the topic solved.
    Never post your email in public.
