New Magento WAF Rule – RCE Vulnerability Protection

Published on by Peter Dumanian.

Today the Magento Security Team created a new ModSecurity rule and added it to our WAF rules to mitigate an important RCE (remote code execution) vulnerability in the Magento web e-commerce platform. Any customer using the WAF needs to click the ON button next to the “CloudFlare Magento” Group in the WAF Settings to enable protection immediately. Both Magento version 1.9.1.0 CE and 1.14.…

Of Phishing Attacks and WordPress 0days

Published on by Marc Rogers.

Proxying around 5% of the Internet’s requests gives us an interesting vantage point from which to observe malicious behavior. However, it also makes us a target. Aside from the many and varied distributed denial of service (DDoS) attacks that break against our defenses, we also see a huge number of phishing campaigns. In this blog post I'll dissect a recent phishing attack that we detected and neutralized with the…

Contributing back to the security community

Published on by Ryan Lackey.

This Friday at the RSA Conference in San Francisco, along with Marc Rogers, Principal Security Researcher at CloudFlare, I'm speaking about a version of The Grugq's PORTAL, an open source network security device designed to make life easier and safer for anyone traveling, especially internationally, with phones, tablets, laptops, and other network-connected devices. PORTAL uses open-source software and services to take inexpensive, commodity travel routers and turn them…

Oceania Redundancy: Auckland and Melbourne data centers now online

Published on by Joshua Motta.

Our 33rd and 34th data centers, in Auckland and Melbourne, had their genesis a short hop away in nearby Sydney. Prior to these deployments, traffic from all of New Zealand and Australia's collective 23 million Internet users was routed through CloudFlare's Sydney data center. Even for those in faraway Perth, the time necessary to reach our Sydney PoP was a mere 55ms of round trip time (RTT)…

Protection against critical Windows vulnerability (CVE-2015-1635)

Published on by Ben Cartwright-Cox.

A few hours ago, more details surfaced about the MS15-034 vulnerability. Simple PoC code has been widely published that will hang a Windows web server if sent a request with an HTTP Range header containing large byte offsets (the flaw is in the HTTP.sys kernel driver, so any service built on it is exposed, not only IIS). We have rolled out a WAF rule that blocks these requests. Customers on a paid plan and who have the WAF enabled are automatically protected against this problem. It is…
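As an added illustration of the kind of check such a rule performs (example code written for this page, not CloudFlare's ModSecurity rule): parse the Range header out of a request and block when any byte offset exceeds a plausible ceiling. The MAX_PLAUSIBLE_OFFSET threshold is an assumption chosen for the example, and the sample requests below are constructed, not captured traffic.

```python
"""Added example: flag HTTP requests whose Range header carries byte offsets
far beyond any plausible object size, the trigger described for MS15-034
(CVE-2015-1635). Not CloudFlare's rule; a stand-alone illustration."""
import re
from typing import List, Optional, Tuple

# Assumption: offsets above this are treated as suspicious. 2**32 is an
# arbitrary but generous ceiling; tune it to the largest object you serve.
MAX_PLAUSIBLE_OFFSET = 2 ** 32

_RANGE_SPEC = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)
_RANGE_PART = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

ByteRange = Tuple[Optional[int], Optional[int]]


def parse_range(header_value: str) -> Optional[List[ByteRange]]:
    """Parse a 'bytes=' Range value into (start, end) pairs.

    Missing start or end is returned as None (suffix and open-ended ranges).
    Returns None if the value is not a well-formed byte-range set."""
    m = _RANGE_SPEC.match(header_value)
    if not m:
        return None
    ranges: List[ByteRange] = []
    for part in m.group(1).split(","):
        pm = _RANGE_PART.match(part)
        if not pm or (pm.group(1) == "" and pm.group(2) == ""):
            return None
        start = int(pm.group(1)) if pm.group(1) else None
        end = int(pm.group(2)) if pm.group(2) else None
        ranges.append((start, end))
    return ranges


def range_is_suspicious(header_value: str, limit: int = MAX_PLAUSIBLE_OFFSET) -> bool:
    """True if any start or end offset in the Range value exceeds `limit`."""
    ranges = parse_range(header_value)
    if ranges is None:
        return False  # malformed value: let the origin answer 400/416 itself
    return any(v is not None and v > limit
               for start, end in ranges
               for v in (start, end))


def get_header(raw_request: bytes, name: str) -> Optional[str]:
    """Return the first value of header `name` from a raw HTTP/1.x request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    wanted = name.lower().encode()
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == wanted:
            return value.strip().decode("latin-1")
    return None


def should_block(raw_request: bytes) -> bool:
    """Decision a WAF-style filter would make for one raw request."""
    rng = get_header(raw_request, "Range")
    return rng is not None and range_is_suspicious(rng)


# Constructed sample requests (not captured traffic).
BENIGN = b"GET /big.iso HTTP/1.1\r\nHost: example.com\r\nRange: bytes=0-1023\r\n\r\n"
HOSTILE = (b"GET /welcome.png HTTP/1.1\r\nHost: example.com\r\n"
           b"Range: bytes=0-18446744073709551615\r\n\r\n")
SUFFIX = b"GET /a.txt HTTP/1.1\r\nHost: example.com\r\nRange: bytes=-500\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("hostile", HOSTILE), ("suffix", SUFFIX)):
        print(f"{label}: {'BLOCK' if should_block(req) else 'allow'}")
```

Malformed Range values are deliberately passed through rather than blocked: the point of the rule is to stop the one shape of input that hangs the server, and an origin already answers an unparseable range with 400 or 416 on its own.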