jwineman
Forum Replies Created
Forum: Plugins
In reply to: [Cloudflare] v3 is inherently insecure
My point is this: if someone hacks your blog, then they don’t need your CloudFlare API key; they already have access to your entire site and can do whatever they want.
No matter what authentication scheme you use, you still have to store a secret (API key, OAuth token) somewhere. There is no way to store that secret in a way that isn’t accessible to an attacker who is able to gain root access to your blog.
Scoped keys don’t fix the vulnerability described above; they just limit the damage. In either case, if an attacker hacks your blog they get access to a key that lets them manipulate your domain, and in each case the solution is to revoke that key. I say this to point out that OAuth 2.0 is “vulnerable” to the scenario outlined above as well, just to a lesser degree.
It’s important to distinguish between “insecure” (read: vulnerable) and security best practices. In this case the plugin is secure, but could be made more secure by using API keys with more specific scope.
Thanks,
John

Forum: Plugins
In reply to: [Cloudflare] Error Log on 3.0
Hey,
We’re releasing a patch for the WAF bug on Wednesday or Thursday of this week.
Thanks,
John

Forum: Plugins
In reply to: [Cloudflare] Active Zone dropdown not working
Hi,
We plan on fixing this in the next update. We get the current domain with $_SERVER but will get it with get_site_url() soon.
Thanks,
John

Forum: Plugins
In reply to: [Cloudflare] After updating to version 3.0.2, https only appears in wp-admin
If you disable https, does it work? I think you’re seeing mixed content warnings.
If you disable https, does it work?
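An added example, not part of this thread or of the Cloudflare plugin: a small Python check for the mixed content warnings this reply suspects. It lists the sub-resources an https page would fetch over plain http and shows that a // reference inherits the page’s own scheme (the fix suggested in the later reply about modifying themes to use //). The page URL and HTML are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "source": "src", "link": "href"}

class _ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        # Only stylesheet <link>s are fetched as resources; canonical/alternate links are not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        if attrs.get(attr):
            self.refs.append(attrs[attr])

def resolve(page_url, ref):
    """Resolve a reference as the browser does: '//host/x' inherits the page's scheme."""
    return urljoin(page_url, ref)

def find_mixed_content(page_url, html):
    """Return resolved resource URLs that an https page would load over plain http."""
    if urlsplit(page_url).scheme != "https":
        return []  # a plain-http page has no mixed content by definition
    collector = _ResourceCollector()
    collector.feed(html)
    resolved = [resolve(page_url, ref) for ref in collector.refs]
    return [url for url in resolved if urlsplit(url).scheme == "http"]

# Constructed sample: a theme that hard-codes http:// for its stylesheet and logo.
PAGE_URL = "https://blog.example/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://blog.example/wp-content/themes/t/style.css">
<link rel="canonical" href="http://blog.example/">
<script src="//cdn.example/jquery.js"></script>
<script src="https://blog.example/wp-includes/js/a.js"></script>
</head><body><img src="http://blog.example/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/ok.png"></body></html>"""

if __name__ == "__main__":
    for url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print("mixed content:", url)
```

Only the two hard-coded http:// references are reported; the // and https:// ones resolve to https and the root-relative image inherits the page scheme as well.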
Forum: Plugins
In reply to: [Cloudflare] Can’t Configure Settings in 3.0.2
Hi @ybzybz,
Your error is because you’re trying to load the blog over https, but the page includes elements which are loaded over http. You need to modify your code (themes etc.) to load everything over // instead of http:// or https://. // will try to load the resource over the same protocol the browser loaded the page with.
Thanks,
John

Forum: Plugins
In reply to: [Cloudflare] Invalid CSRF Token on 3.0.1
Can you try adding:

    $isCSRFTokenValid = false;

above line 57 in proxy.php so it looks like this:

    // before
    if ($request->getMethod() === 'GET') {
        $isCSRFTokenValid = true;
    }

    // after
    $isCSRFTokenValid = false;
    if ($request->getMethod() === 'GET') {
        $isCSRFTokenValid = true;
    }

Forum: Plugins
In reply to: [Cloudflare] Can’t Configure Settings in 3.0.2
Are there any errors in the browser console?
Are there any errors in the PHP error log?
Thanks,
John

Forum: Plugins
In reply to: [Cloudflare] Website broken with 3.0

Forum: Plugins
In reply to: [Cloudflare] Not able to get past email and API key
Do you get an error when trying to save your email/API key, or does something else happen?
Forum: Plugins
In reply to: [Cloudflare] After updating to version 3.0.2, https only appears in wp-admin
Are you getting mixed content warnings? Are you talking about the fact that protocol rewrite was removed in 3.x?
Thanks,
John

Forum: Plugins
In reply to: [Cloudflare] Invalid CSRF Token on 3.0.1
Hey,
I need to see the request:

In “Request Payload” you should check to see if one of the variables being set is cfCSRFToken.
Thanks,
John
- This reply was modified 9 years, 8 months ago by jwineman.

Forum: Plugins
In reply to: [Cloudflare] Removed HTTPS Protocol Rewriting
Hi,
We removed protocol rewrite from version 3.x of the WordPress plugin because there were a bunch of edge cases it didn’t handle, which was resulting in a lot of support tickets. We’re in the process of redesigning it and will re-add it to the plugin soon.
Thanks,
John

Forum: Plugins
In reply to: [Cloudflare] Website broken with 3.0

Forum: Reviews
In reply to: [Cloudflare] Update 3.1.1 working for my
Are there any errors in the browser console when you load the page?
Thanks,
John

Forum: Plugins
In reply to: [Cloudflare] v3 is inherently insecure
Hi @turn-on-social,
While I agree that OAuth 2.0 would be more secure than our current approach, I disagree that the plugin is vulnerable. The threat scenario you describe depends on the blog itself being compromised, the security of which is completely separate from that of our plugin.
If you have a proof of concept for a vulnerability in our WordPress plugin, we would love it if you reported it here:
https://hackerone.com/cloudflare
Thanks,
John