Why should Cloudflare (be able to) block any request containing “boot.ini”?

8 points by ogurechny ↗ HN
At the moment, you can test it right here, type it into the search box at the bottom. The string can be in GET, or in POST'ed text, anywhere. You don't even need an extension or developer tool to find out which sites use Cloudflare filtering, as you can simply append "boot.ini" to your User-Agent, and enjoy the results.

I assume that it's a common test file for path traversal exploits and checking whether server process has administrator rights, and that blacklist happened to be applied inordinately, but other questions inevitably arise. What else is in the blacklist? Who controls it, and who can potentially control it? How long would it take for this bug to turn into a feature, and allow blocking "freedom", "election", "warhead", or "Assange" on a scale that is already bigger than that of Great Chinese Firewall? Also, how can one use similar innocuous user-provided plain texts to cut back-end web APIs that happen to run through Cloudflare?

Finally, has something changed recently about putting all the eggs in one basket, and expecting a free lunch?

2 comments

[ 3.2 ms ] story [ 12.6 ms ] thread
That is odd to say the least. I share your concerns here and such mechanisms should be under a lot more scrutiny.
Cloudflare doesn't make any attempt to hide the fact it's serving requests; the "server" header says "cloudflare".

The firewall logs show you exactly what rule triggers this behavior: ===== Ruleset ID: 48ba18287c544bd7bdbe842a294f1ae2 Ruleset Name: Bot Fight Mode for Definite Bots Rule ID: 874a3e315c344b1281ad4f00046aab6f =====

Users are generally free to disable rulees, the WAF, etc.