WordPress Plugin exploits that Bypass Cloudflare WAF

Revslider, MailPoet, GravityForms Exploits Bypass Cloudflare WAF

Credit to Mark of Wordfence.com

Last week we blogged about the advantages of endpoint security over a cloud firewall solution.

We wrote about how cloud WAFs can be bypassed.

We also blogged about how it is more challenging for a cloud WAF provider to write complex firewall rules because cloud WAFs don’t know if a user is signed in or what their access level is.

Part of the forensic research we do at Wordfence involves analyzing attack data we receive from sites that use Wordfence.

We use a scalable database cluster to perform big-data analysis on WordPress attack data. We identified many attacks that were bypassing Cloudflare and being blocked by Wordfence, so we dug a little deeper.

Cloudflare Pro provides a web application firewall that is designed to perform a similar function to the Wordfence WAF. We are, in that sense, direct competitors. We wanted to evaluate the Cloudflare WAF, and to get access to it you have to get a paid ‘Pro’ account for $20 per month ($240 per year). So we bought and paid for the Cloudflare WAF.

The default Cloudflare WAF sensitivity setting is ‘Medium’. We increased the sensitivity setting to ‘High’. That is the highest sensitivity setting before your users have to get through a captcha to access your site.

We also enabled every rule we could find in the Cloudflare WAF. That includes 11 rules in the “Cloudflare ruleset” and 20 rules in the “OWASP ModSecurity Core Rule Set”. We also put that ruleset on “High” sensitivity. We also enabled the “browser integrity check”.

We enabled absolutely everything we could find and put everything on “High” sensitivity.

We then confirmed that we could bypass the Cloudflare Pro WAF with the following attacks using no special techniques:

  • Revolution Slider – We gained a remote shell. This went through completely undetected.
  • MailPoet – We gained a remote shell. Also completely undetected.
  • Gravity Forms – We gained a remote shell. Also completely undetected.
  • TimThumb – We gained a remote shell using the .phtml form of the attack. Detected but not blocked.

These results were surprising.
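Two of the points above are worth seeing side by side in code: a cloud WAF only sees the bytes on the wire, so a signature written for `.php` does not fire on a `.phtml` upload, and it has no idea whether the request comes from a logged-in user with the right access level. The model below is an added example written for this page, not Wordfence or Cloudflare code; the endpoint list, the session layout, the rule strings and the sample requests are all constructed for illustration and do not reproduce any of the plugin exploits named above.

```python
"""Toy comparison of a request-only WAF with an application-aware WAF.

Added example for this page, not code from Wordfence or Cloudflare.
The rule lists, the WRITE_ENDPOINTS set, the session layout and the
sample requests are hypothetical and constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    upload_name: Optional[str] = None   # filename of a multipart upload, if any
    session: Optional[Dict] = None      # application-side state; None = anonymous


# --- request-only policy: what a cloud WAF can see ------------------------
# A blocklist on the upload filename that matches ".php" misses ".phtml",
# ".php5", ".phar" and friends, which the web server may still execute.
UPLOAD_NAME_RULE = re.compile(r"\.php$", re.I)
VALUE_RULES: List[re.Pattern] = [
    re.compile(r"(^|/)\.\./"),       # directory traversal in a parameter
    re.compile(r"<\?php", re.I),     # PHP open tag inside a parameter value
]


def request_only_waf(req: Request) -> str:
    """Return 'block' if any wire-visible signature matches, else 'allow'."""
    if req.upload_name and UPLOAD_NAME_RULE.search(req.upload_name):
        return "block"
    for value in [req.path, *req.query.values()]:
        if any(rule.search(value) for rule in VALUE_RULES):
            return "block"
    return "allow"


# --- application-aware policy: same signatures plus session context --------
# Extensions a typical PHP handler configuration will execute (allowlist
# thinking: anything in this set is refused regardless of who sends it).
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}
# Hypothetical list of endpoints that write uploads to disk.  A real
# endpoint WAF hooks the application's upload handlers instead of a path list.
WRITE_ENDPOINTS = {"/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php"}


def application_aware_waf(req: Request) -> str:
    """Block on signatures, on executable uploads, and on uploads from
    requesters that lack the capability the action requires."""
    if request_only_waf(req) == "block":
        return "block"
    if req.upload_name:
        ext = req.upload_name.rsplit(".", 1)[-1].lower() if "." in req.upload_name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            return "block"           # no role may upload executable code
        if req.path in WRITE_ENDPOINTS:
            # The context a cloud WAF lacks: is there a logged-in user, and
            # does that user hold the capability the action needs?
            caps = set((req.session or {}).get("caps", []))
            if "upload_files" not in caps:
                return "block"
    return "allow"


def evaluate(req: Request) -> Dict[str, str]:
    """Run both policies on one request and return their verdicts."""
    return {
        "request_only": request_only_waf(req),
        "application_aware": application_aware_waf(req),
    }


# Constructed sample traffic (not captured attacks).
SAMPLES = {
    "anon_upload_phtml": Request("POST", "/wp-admin/admin-ajax.php",
                                 {"action": "upload"}, upload_name="shell.phtml"),
    "anon_upload_zip": Request("POST", "/wp-admin/admin-post.php",
                               {"action": "themes"}, upload_name="theme.zip"),
    "subscriber_upload_zip": Request("POST", "/wp-admin/admin-post.php",
                                     {"action": "themes"}, upload_name="theme.zip",
                                     session={"user": "bob", "caps": ["read"]}),
    "anon_traversal": Request("GET", "/wp-admin/admin-ajax.php",
                              {"action": "read", "file": "../../wp-config.php"}),
    "admin_upload_png": Request("POST", "/wp-admin/admin-ajax.php",
                                {"action": "upload"}, upload_name="logo.png",
                                session={"user": "admin",
                                         "caps": ["upload_files", "manage_options"]}),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:22s} {evaluate(req)}")
```

The anonymous `.phtml` upload and the anonymous theme-archive upload pass the request-only policy because nothing in the request bytes matches a signature; the application-aware policy blocks the first for its extension and the second, and the subscriber's copy of it, because the session does not carry the `upload_files` capability. Only the traversal attempt is caught by both, since that attack is visible in the request itself. The practical check this suggests for any cloud-WAF deployment is to send benign-looking requests with non-`.php` executable extensions and without a session to each upload endpoint and confirm the application itself rejects them.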


Read More here