CloudFlare WAF Rules Allowing Exploits Cause Great Risk
This morning we have published some research we just completed. We noticed attacks that were getting past Cloudflare and being blocked by Wordfence. So we took a closer look.
What we discovered is that three of the most well known and dangerous WordPress attacks completely bypass Cloudflare’s Pro WAF (their firewall) undetected, even when the firewall is set to ‘High’ sensitivity with all rules enabled. These are the Revslider exploit, the Mailpoet exploit and the Gravity Forms exploit.
We also discovered that even Timthumb bypasses Cloudflare on this ‘High’ sensitivity setting, although the attack is logged.
In the post, we provide full details including an 18 minute video demonstration showing how an attacker can exploit their way through the Cloudflare Pro WAF using these attacks. We also provide packet captures and code samples.
The free version of Wordfence blocks these attacks and we include this in the video demonstration, showing that the attacks are arriving via Cloudflare and show the effect with Wordfence and without it.
Basically, The CloudFlare WAF (Web Application Firewall) cannot determine the nature of all potential attacks. It has some troubles determining specific attacks as actual attacks.
This is in part do to the nature of how the web works. Traffic comes from one place to another and the cloud server does not have a way to know what level of authentication the user has at the end location.
WordFence has a great post about it here: Endpoint vs Cloud Security: The Cloud WAF User Identity Problem
Wordfence is an end-point security application. It is the guard at your door. Where as CloudFlare is more like the policeman across town. The CloudFlare WAF rule-set can’t tell who really should be accessing your site. They can prevent some things but not others.
As WordFence is closer to the end location, like the security guard at the door, they have the final say in who should be doing what on your website.
If your using the CloudFlare Waf rules as your only Web accessible firewall, you may be at potential risk for some severely damaging attacks. Make sure you are using some form of WordPress pluign such as WordFence to be an endpoint security solution.