Cloudflare: Security issue with your "bag" script

2014-04-24T15:05:22
ID H1:9560
Type hackerone
Reporter peterjaric
Modified 2014-05-07T14:11:01

Description

This is an old issue that has been fixed, but since I reported it before you started your Bug Bounty program I was advised to report it here again.

These are the requests in your issue tracker:
* http://support.cloudflare.com/tickets/44767 (original vulnerability report)
* http://support.cloudflare.com/hc/requests/58556 (follow up)
* http://support.cloudflare.com/hc/requests/107974 (request where I was advised to report here)

The original text of the vulnerability report:

Hi,

Some days ago I submitted a vulnerability report to a site that I think is one of your customers. I don't want to disclose their name at the moment as I am not sure they are OK with that. They might have been in contact with you already, since the problem seems to be with functionality you provide.

URL:
1) http://cloudflare.com/cdn-cgi/pe/bag?r[]=http%3A%2F%2Fgoogle.com
2) http://cloudflare.com/cdn-cgi/pe/bag?r[]=http%3A%2F%2Fyahoo.com

Description: When these URLs are accessed, your server nicely gets the page in the r[] parameter and returns it in the response. Multiple instances of r[] in the same URL are also possible.

This could be exploited by someone who wants to access another URL, but anonymously (except for your logs of course), or to access pages "in your name", making you look bad.

It could also be exploited in another, more serious way. If you happen to have any internal web servers that are not visible to the internet (for example a bug tracker), they might be visible to the computer hosting cloudflare.com. Then this vuln could be used to fetch files from the internal servers (given that the attacker knows the URLs or brute forces them).

A search on Google for this type of URL shows that many sites have the same problem. I don't know if you can fix it in one place or if you have to roll it out to all these sites.

If you have any questions, please let me know.

Peter Jaric @peterjaric
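The report above describes a server-side request forgery: an endpoint that fetches whatever URL arrives in r[] and returns the body, which lets a client reach hosts that only the server can see. The following is an added example written for this page, not code from the report and not Cloudflare's bag script (nothing here claims to show how that script worked or was fixed). It puts the vulnerable "fetch every r[] as-is" behaviour next to a hardened check that accepts only http/https, rejects userinfo tricks, resolves the host and refuses any non-public address (loopback, RFC 1918, link-local including the 169.254.169.254 metadata address, CGNAT, documentation blocks), and returns a pinned IP so the caller does not re-resolve and get rebound to an internal address. The hostnames public.example and bugs.internal, the FAKE_DNS table and the query string are constructed so the code runs offline.

```python
"""Illustrative 'fetch the URL in r[]' endpoint, vulnerable and hardened.
Hypothetical code written for this page; it is not Cloudflare's bag script
and makes no claim about how that script was implemented or fixed."""
import ipaddress
import socket
from urllib.parse import parse_qs, urlsplit

PARAM = "r[]"                      # parameter name from the report
ALLOWED_SCHEMES = {"http", "https"}


def extract_targets(query_string):
    """Every r[] value in the query string; the script accepted several."""
    return parse_qs(query_string).get(PARAM, [])


def unsafe_fetch_plan(query_string):
    """The behaviour the report describes: every r[] value is fetched as-is,
    so http://10.0.0.5/ or http://169.254.169.254/ are fetched just like
    http://google.com/."""
    return extract_targets(query_string)


def system_resolve(host):
    """Resolve with the OS resolver; returns the set of IP strings."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_target(url, resolve=system_resolve):
    """Decide whether url may be fetched: (allowed, reason, pinned_ip).

    The caller must open the connection to pinned_ip (sending the original
    Host header) rather than re-resolving the name; otherwise a host whose
    DNS answer changes between check and connect (DNS rebinding) passes the
    check with a public address and is fetched at a private one."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    host = parts.hostname
    if not host:
        return False, "no host", None
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL", None   # e.g. http://trusted@10.0.0.5/
    try:
        addrs = resolve(host)
    except OSError:                             # socket.gaierror is an OSError
        return False, "unresolvable host", None
    if not addrs:
        return False, "unresolvable host", None
    # Checking the *resolved* addresses rather than the hostname text also
    # covers IP literals in odd spellings (decimal, octal) that a resolver
    # accepts. is_global is False for loopback, RFC 1918, link-local (which
    # includes the 169.254.169.254 cloud metadata address), CGNAT, the
    # documentation blocks and the IPv6 equivalents, so one test covers them.
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            return False, f"{host} resolves to non-public {ip}", None
    return True, "ok", sorted(addrs)[0]


def safe_fetch_plan(query_string, resolve=system_resolve):
    """Hardened replacement for unsafe_fetch_plan: one decision per r[]."""
    return [(url,) + check_target(url, resolve)
            for url in extract_targets(query_string)]


# Constructed resolver table so the example runs offline (not real DNS data).
# The public entry uses an arbitrary globally routable address; RFC 5737
# documentation addresses would not do, as ipaddress counts them non-global.
FAKE_DNS = {
    "public.example": {"1.1.1.1"},
    "bugs.internal": {"10.0.0.5"},     # an internal tracker, as in the report
    "localhost": {"127.0.0.1"},
}


def fake_resolve(host):
    try:                               # IP literals resolve to themselves
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"no such host: {host}")


if __name__ == "__main__":
    # Constructed query string in the shape the report shows, with several r[].
    query = ("r[]=http%3A%2F%2Fpublic.example%2F"
             "&r[]=http%3A%2F%2Fbugs.internal%2Fbugs%2F"
             "&r[]=http%3A%2F%2F127.0.0.1%3A8080%2F"
             "&r[]=http%3A%2F%2F169.254.169.254%2Flatest%2F"
             "&r[]=file%3A%2F%2F%2Fetc%2Fpasswd")
    print("vulnerable:", unsafe_fetch_plan(query))
    for url, allowed, reason, pinned in safe_fetch_plan(query, fake_resolve):
        print(f"{'FETCH' if allowed else 'DENY '} {url}  ({reason}, pin={pinned})")
```

Two design points matter in practice. First, the decision is made on resolved addresses, not on the URL text, because the name-to-address step is where most bypasses live (IP literals in unusual forms, names that point at 127.0.0.1). Second, the check hands back the address it approved; an implementation that validates, then lets an HTTP library resolve the name a second time, is still open to rebinding, and the same goes for redirects, which must be followed by running check_target on every Location target.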