• Resolved Chris Hawes

    (@horsewhip)


    On using the plugin, I see a lot of directories being created under:
    [WORDPRESS_INSTALL_DIR]/wp-content/wp-cloudflare-super-page-cache

    These all seem to have a directory name based on various hosts, such as:

    • xcnklpp.dynu.com
    • xtiadvm.dynu.com
    • ws.bitmex.com
    • wonder.crime.reduce.central.death.panel.lindoe-access.hair

    It seems there’s some issue with the plugin that causes these to be created, perhaps someone has found a way to access wp-content/plugins/wp-cloudflare-page-cache/assets/advanced-cache.php with ABSPATH being set (using another WordPress URL), spoofing the host header and then creating these directories.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter Chris Hawes

    (@horsewhip)

    On a bit more investigation, I can see that the following action creates a folder under [WORDPRESS_INSTALL_DIR]/wp-content/wp-cloudflare-super-page-cache.

    curl -H "Host: wp.cache.test.com" 'http://WEBSITE_IP'

    I’d suggest validating the HOST header on incoming requests against known allowed hosts. Otherwise, this could create many directories/files, making the server run out of disk space/inodes.

    I’d be happy to change this, but I can’t see a public repo for this plugin. 🙁

    Plugin Contributor iSaumya

    (@isaumya)

    Hi,
    The folder is only created for the site where it is hosted. So, if the plugin is set up on www.example.com then you would see a folder named www.example.com.

    I am not sure how your website works and how it has been set up, but that folder name is tied to the site where the plugin is installed.

    Thread Starter Chris Hawes

    (@horsewhip)

    Hi there, if you follow my steps, you’ll see arbitrary directories being created because the host header isn’t validated.

    Plugin Contributor iSaumya

    (@isaumya)

    Hi,
    I have tried it on 5 sites and am unable to replicate it anywhere. Moreover, the goal behind having your website behind Cloudflare is that your main server IP is unknown to the world and everything is proxied via Cloudflare.

    Thread Starter Chris Hawes

    (@horsewhip)

    Relying on Cloudflare to hide your IP is security through obscurity.

    I can recreate this issue on a stock Bitnami WordPress instance with this plugin, I’ll request a CVE number and log this as a security issue as I’m able to recreate reliably and this could cause a denial of service.

    Plugin Contributor iSaumya

    (@isaumya)

    I really tried to replicate the issue by sending the curl command, but I don’t see the folder getting created. If you wish to report a security vulnerability, I’m more than happy to patch it. Please provide clear steps to reproduce it.

    Every time I hit the server IP I see a default server page like the nginx default page or something like that.

    • This reply was modified 2 years, 3 months ago by iSaumya.
    Thread Starter Chris Hawes

    (@horsewhip)

    I think I see the issue. Are you trying to replicate it on shared hosting? My steps to recreate require a dedicated host (virtual will do it too).

    I’ll create a simple Docker image to recreate, what’s the best way to share it with you?

    Plugin Contributor iSaumya

    (@isaumya)

    Hi,
    I have tried to replicate it on shared as well as VPS hosting (running nginx with Centmin Mod) and am still unable to replicate the issue.

    On shared, accessing the IP gives me the cPanel page and on VPS accessing the IP gives me the default Nginx page.

    Thread Starter Chris Hawes

    (@horsewhip)

    You’d need to configure WordPress to be the default host, rather than a named virtual host (or create another virtual host on the IP).


The topic ‘Spurious Directories Created’ is closed to new replies.
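
The Host validation suggested in the thread, sketched as an added example (not the plugin's code and not written by anyone in this thread): the cache directory name is derived only from a Host value that parses as a hostname and appears on an allowlist. The function names, the allowlist contents, the install path placeholder and the sample Host values are assumptions made for illustration.

```php
<?php
// Added illustration; not the plugin's code. Function names, the allowlist
// and the sample Host values below are hypothetical.

/** Normalise a Host header: lower-case, drop ":port" and a trailing dot. */
function normalise_host(string $raw): ?string {
    $host = strtolower(trim($raw));
    $host = preg_replace('/:\d{1,5}$/', '', $host);
    $host = rtrim($host, '.');
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    // Only dot-separated hostname labels; rejects "/", "..", NUL bytes, spaces.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $host)) {
        return null;
    }
    return $host;
}

/** Cache directory for this request, or null when the Host is not ours. */
function cache_dir_for_host(string $rawHost, array $allowedHosts, string $cacheRoot): ?string {
    $host = normalise_host($rawHost);
    if ($host === null || !in_array($host, $allowedHosts, true)) {
        return null; // unknown Host: serve uncached and create nothing on disk
    }
    return rtrim($cacheRoot, '/') . '/' . $host;
}

// Constructed sample input: the site's own names plus Host values like the
// one sent with curl in the thread.
$allowed = ['www.example.com', 'example.com'];
$root    = '/path/to/wordpress/wp-content/wp-cloudflare-super-page-cache';
$samples = ['www.example.com', 'WWW.Example.com:80', 'wp.cache.test.com', '../../tmp', ''];

foreach ($samples as $h) {
    $dir = cache_dir_for_host($h, $allowed, $root);
    printf("%-22s => %s\n", var_export($h, true), $dir ?? 'rejected (no directory created)');
}
```

The same effect can be had one layer up by not letting WordPress answer as the default virtual host, which is the condition the last reply identifies for reproducing the behaviour.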