upvote

points

by 0xbadcafebee3 days ago |
comments
upvoteby apetresc3 days ago|
next
[-]
It sure looks like the author did his due diligence; he has a chart of all the different phrases in the payload which triggered the 403 and they all corresponded to paths to common UNIX system configuration files.

Nobody could prove that's exactly what's happening without seeing Cloudflare's internal WAF rules, but can you think of any other reasonable explanation? The endpoint is rejecting a PUT who's payload contains exactly /etc/hosts, /etc/passwd, or /etc/ssh/sshd_config, but NOT /etc/password, /etc/ssh, or /etc/h0sts. What else could it be?

reply
upvoteby simonw3 days ago|
parent|
[-]
Yeah, the author clearly put the work in to demonstrate what's happening here.
reply
upvoteby ryandrake3 days ago|
prev|
next
[-]
If you change a single string in the HTTP payload and it works, what other explanation makes sense besides a text scanner somewhere along the path to deploying the content?
reply
upvoteby Null-Set3 days ago|
prev|
next
[-]
See https://developers.cloudflare.com/waf/change-log/2025-04-22/ rule 100741.

It references this CVE https://github.com/tuo4n8/CVE-2023-22047 which allows the reading of system files. The example given shows them reading /etc/passwd

reply
upvoteby SonOfLilit2 days ago|
prev|
[-]
You're being downvoted because WAFs work exactly like this, and it's intentional and their vendors think this is a good thing. A WAF vendor would say that a WAF parsing JSON makes it weaker.
reply
upvoteby immibis2 days ago|
parent|
[-]
They're being downvoted because they're saying the author is incorrect when the author is actually correct.
reply
upvoteby 0xbadcafebee2 days ago|
parent|
[-]
It's frightening that so many people are convinced the author is correct, when the author never proved they were correct.

The author just collected a bunch of correlations and then decided what the cause was. I've been doing this kind of work for many, many years. Just because it looks like it's caused by one thing, doesn't mean it is.

Correlation is not causation. That's not just a pithy quip, there's a reason why it's important to actually find causation.

reply
upvoteby SonOfLilit2 days ago|
parent|
next
[-]
Having had three opportunities in my life to diagnose this exact problem and then successfully resolve it by turning off the WAF rule (see my top level comment) - I don't know you or your work history, but trust me, the author is much closer to the truth here than you are.

edit: Also, someone commented here "it was an irrelevant cf WAF rule, we disabled it". Assuming honesty, seems to confirm that the author was indeed right.

reply
upvoteby immibis2 days ago|
parent|
prev|
[-]
It's more like I saw a big ball fall down and make a hole in the floor and concluded it must be heavy.
reply