Cloudflare Security: Addressing Image Resizing Misconfiguration & Risk

Identifying Vulnerabilities and Implementing Robust Security Measures for Cloudflare's Image Resizing Function

Introduction:

During a recent penetration test for one of my clients, I discovered a significant vulnerability related to Cloudflare’s image resize function. This feature, designed to optimize image delivery, can be exploited to include harmful or inappropriate pictures on a website. In this blog, I will share the detailed story of my findings, demonstrate the proof of concept (POC), and provide recommendations to mitigate this risk.

Cloudflare and CDN-CGI:

Cloudflare is a leading web infrastructure and website security company that provides a range of services to enhance the performance, security, and reliability of websites and applications. One such feature is the cdn-cgi endpoint, which includes functions for image resizing to optimize image delivery. This endpoint allows users to manipulate images through URLs, enabling resizing, cropping, and other modifications to enhance performance and user experience.

Discovery and Initial Testing:

While performing a penetration test for a client, I noticed their website was loading images using the following URL format:

https://website.com/cdn-cgi/image/width=100/https://external-website.com/bucket/image.png

To automate you can use nuclei templates:

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/misconfiguration/cloudflare-image-ssrf.yaml

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/miscellaneous/cloudflare-rocketloader-htmli.yaml

First Thought: SSRF

The first thought that came to my mind was Server-Side Request Forgery (SSRF). I attempted to exploit this by inserting a URL that would trigger a DNS and HTTP callback. I aimed to see if I could get a response from the web server.

To my surprise, I did get DNS and HTTP callbacks. However, the IP address I received was that of Cloudflare, not the actual web server behind it. This indicated that the requests were being handled by Cloudflare’s infrastructure, mitigating the potential impact of SSRF in this context.

Second Thought: RFI

Next, I considered the possibility of Remote File Inclusion (RFI). I quickly spun up a Python server and attempted to include various types of files such as HTML, TXT, JSP, and PHP. Instead of being included, these files were downloaded, and I received the following error:

ERROR 9412: Could not resize the image: Unknown or unsupported file type

Successful Exploit: External Image Inclusion

Realizing that non-image files were not being processed, I decided to test with an actual image. I modified the URL to point to an external image. To my satisfaction, the image was successfully rendered on the client’s webpage.

Client Impact and Response:

Understanding the potential impact, I communicated the issue to my client. I emphasized;

“If this issue is not addressed, malicious actors could potentially include harmful or inappropriate images on your web application, posing a significant risk to your business reputation.”

Recognizing the severity of the risk, the client promptly contacted Cloudflare support. It turned out that the image resizing feature was enabled by default, even though it wasn’t in use. Cloudflare support assisted in turning off the image resizing function, effectively mitigating the vulnerability.

Recommendations for Mitigating the Risk:

To prevent similar issues, I recommend the following strategies:

1. Domain Whitelisting:

   • Only allow images from trusted, whitelisted domains to be processed by the image resize function. (https://developers.cloudflare.com/images/manage-images/serve-images/serve-from-custom-domains/)

2. Content Filtering:

   • Implement content filtering to detect and block inappropriate or harmful images.

Conclusion:

Cloudflare’s image resize function is a powerful tool, but it must be secured to prevent misuse. By implementing the recommended strategies, you can mitigate the risks associated with loading external images and protect your business from potential harm. Always stay vigilant and proactive in securing your web applications.

Call to Action:

If you are using Cloudflare’s image resize function, review your current setup and implement these recommendations to enhance security. For more insights and detailed guides on web security, stay tuned to my blog.