Wednesday, 01 March 2017 11:59

Cloudflare Data Leak and Joomla!


Recently it has been revealed that over the past 5 months Cloudflare, a popular CDN provider, has had a data leak allowing potentially sensitive data to become accessible to other users, and more importantly search engines.

Cloudflare has worked to resolve the issue on their systems, and the large search engines have been working hard over the last few days to try and remove this data from their caches; however, there is a chance that some data that was stored on some Joomla! sites that also use Cloudflare services may have been compromised.

Although this is not related to a specific Joomla! security issue, we would like to explain to Joomla! users exactly what you can do to help secure your site if you use Cloudflare and might be affected by this attack.


Who is affected by this?

This issue is NOT directly related to or caused by Joomla!, so it does NOT affect all Joomla! websites.

The ONLY Joomla! sites that are affected by this issue are ones that use Cloudflare services (free or paid). If you know that you do not use Cloudflare services you can safely ignore this notice as this ONLY affects those sites where Cloudflare is used.

Cloudflare is offered by many web server/hosting companies via cPanel as a free Content Delivery Network (CDN), as well as those hosting companies using other, non-cPanel management. If you are not sure if your site is using Cloudflare we encourage you to contact your hosting company to determine if Cloudflare is in use on your Joomla! site.

If you do not use Cloudflare, following the steps here will NOT aid in the safety of your site in any way. It only applies to those who have used Cloudflare with a Joomla! site.


How it works

Cloudflare sits between your web server and the people who visit your site and provides two main functions: it protects websites by routing inbound visitor traffic through Cloudflare’s own network, filtering out hack attacks in the process, and it offers a CDN and load balancing to help your website load faster.


What Happened

In the last 5 months (specifically between September 22nd, 2016 and February 18th, 2017), there was a bug in the Cloudflare software which could cause unencrypted private data, along with other 'junk' text, to be appended to the bottom of a web page served through Cloudflare.

In practice, data for one site being ‘processed’ by Cloudflare may have been sent to a visitor viewing a completely different site that was also being ‘processed’ by Cloudflare. Additionally, some of that leaked content was found to have been indexed by search engines. This happened to up to an estimated 3,438 affected websites.

The worst data leakage occurred between the dates of February 13th and February 18th when one in every 3.3 million requests to Cloudflare’s servers was leaked.

If you want to read a technical write up on the incident we recommend reading the official Cloudflare breakdown at: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/


Am I likely to be affected?

Although Cloudflare has indicated that the percentage of its clients that were affected is relatively small (compared to their total number of clients), there is some potential that ANY website using Cloudflare could be affected. If your site uses Cloudflare we recommend that you assume that your site was affected and take proper steps to mitigate the issue.


Is it serious?

We’ll leave this in the words of the Google researcher who found this vulnerability.

The examples we’re finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I’ve informed cloudflare what I’m working on.

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Although it is highly unlikely that enough data was leaked to be recoverable and usable, it is possible that some of it is, so we recommend taking extra caution and acting as if the worst has happened.


What to do if you use Cloudflare with Joomla!

Before you begin any changes with your Joomla! site you should first make a full backup of your site and store it in a safe place.

Step 1 - Invalidate Users Sessions / Reset Site Secret Key

In order to help secure your site, you should invalidate all session IDs and cookies.

To do this, the Joomla! Security Strike Team (JSST) is suggesting that all Joomla! users on Cloudflare change their site's secret key in the configuration.php file.

PLEASE NOTE: This will have the following additional effects which WILL impact your users:

  • Your Joomla! cache entries will be invalidated
  • Any pending password reset emails will be invalidated
  • Any pending user activation emails will be invalidated.

If you are concerned about the email links being invalid, you can check for users who have pending activation status or a password reset requested in the Joomla! User component.

How do I reset my site secret key?

This is a manual process which requires the ability to edit a file on your Joomla! site (called configuration.php).

  1. Use an FTP program, cPanel (or other means) to access files on your server
  2. Go to the main root of your Joomla! site on the server
  3. Edit the file configuration.php (you may need to change the permissions of this file first to allow editing)
    • Locate the line that begins:
      public $secret =
    • Replace the text that appears inside the single quotes with a string of random characters of equal length (be sure to keep the new value within the single quotes)
  4. Save the file back to your web server.

That resolves the main security issue; however, we encourage you to also complete steps 2 and 3 below.
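The manual edit in Step 1 can also be done from a shell on the server. The script below is an added example, not part of the Joomla! advisory or of Joomla! itself: it reads the current value from the `public $secret = '...';` line, generates a random alphanumeric replacement of the same length, keeps a timestamped backup of configuration.php, and writes the new value back inside the single quotes. It assumes a POSIX shell with awk, tr, cp and /dev/urandom, and that the file contains exactly one such line; the sample configuration it can write out is constructed test data, not a real site's file.

```shell
#!/bin/sh
# Added example, not part of the Joomla! advisory: rotate the secret key in a
# Joomla! configuration.php from the command line, following the Step 1 rules
# (new random value of the same length, kept inside the single quotes).
# Assumptions: the file contains exactly one line of the form
#     public $secret = 'xxxxxxxxxxxxxxxx';
# and the server has /dev/urandom, awk, tr and cp (any POSIX shell).
set -eu

# Random alphanumeric string of the requested length, drawn from /dev/urandom.
random_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Print the secret currently stored in the given configuration.php.
current_secret() {
  awk -v q="'" '/^[[:space:]]*public [$]secret = / {
    s = $0
    sub("^[^" q "]*" q, "", s)   # drop everything up to and including the opening quote
    sub(q ".*$", "", s)          # drop the closing quote and anything after it
    print s
    exit
  }' "$1"
}

# Replace the secret in the given file with a fresh one of equal length.
# A timestamped backup is written next to the file before it is touched.
rotate_secret() {
  cfg="$1"
  old=$(current_secret "$cfg")
  if [ -z "$old" ]; then
    echo "rotate_secret: no 'public \$secret' line found in $cfg" >&2
    return 1
  fi
  new=$(random_secret "${#old}")
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  # awk rather than sed: the new value is inserted as plain text, so nothing
  # in it can be misread as a regex or replacement metacharacter.
  awk -v q="'" -v new="$new" '
    /^[[:space:]]*public [$]secret = / { sub("= " q "[^" q "]*" q ";", "= " q new q ";") }
    { print }
  ' "$cfg" >"$cfg.tmp"
  mv "$cfg.tmp" "$cfg"
  echo "rotate_secret: secret replaced in $cfg (backup kept alongside it)" >&2
}

# Writes a small constructed configuration.php (sample data, not a real site)
# so the functions above can be exercised without touching a live install.
write_sample_config() {
  cat >"$1" <<'EOF'
<?php
class JConfig {
    public $secret = 'AbCd1234EfGh5678';
}
EOF
}

# Usage: sh rotate_secret.sh /path/to/joomla/configuration.php
if [ "$#" -gt 0 ]; then
  rotate_secret "$1"
fi
```

Run it against a copy of your configuration.php first; the new value is deliberately never printed, and the `.bak.<timestamp>` file lets you roll back if the site does not come up cleanly afterwards. Remember that, as the advisory notes, the change invalidates existing sessions, cache entries and pending activation or reset links.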

Step 2 - Reset Passwords

It’s unlikely that any passwords were leaked; however, it’s safer to assume the worst. We recommend that you advise your site users to reset their passwords and require administrators to reset theirs to ensure full data security.

Step 3 - Report this data breach

Cloudflare is considering this a “data leak”; however, depending on the terms of your organisation or website this might be considered a “data breach”. Although no private, user, personally-identifiable information was stolen, private data related to your site users may have been leaked to public systems. This data may or may not have the ability to lead to any nefarious actions (i.e. the data may not be complete or recognisable, but has the potential to be).

If you have PCI, HIPAA or other data breach reporting requirements you should consider getting advice to determine if you need to report this incident.
