Why should Cloudflare (be able to) block any request containing “boot.ini”?
At the moment, you can test it right here, type it into the search box at the bottom. The string can be in GET, or in POST'ed text, anywhere. You don't even need an extension or developer tool to find out which sites use Cloudflare filtering, as you can simply append "boot.ini" to your User-Agent, and enjoy the results.
I assume that it's a common test file for path traversal exploits and checking whether server process has administrator rights, and that blacklist happened to be applied inordinately, but other questions inevitably arise. What else is in the blacklist? Who controls it, and who can potentially control it? How long would it take for this bug to turn into a feature, and allow blocking "freedom", "election", "warhead", or "Assange" on a scale that is already bigger than that of Great Chinese Firewall? Also, how can one use similar innocuous user-provided plain texts to cut back-end web APIs that happen to run through Cloudflare?
Finally, has something changed recently about putting all the eggs in one basket, and expecting a free lunch?
2 comments
[ 3.2 ms ] story [ 12.6 ms ] threadThe firewall logs show you exactly what rule triggers this behavior: ===== Ruleset ID: 48ba18287c544bd7bdbe842a294f1ae2 Ruleset Name: Bot Fight Mode for Definite Bots Rule ID: 874a3e315c344b1281ad4f00046aab6f =====
Users are generally free to disable rulees, the WAF, etc.