Cloudflare memory leak, recommended password resets

[Nimboso]

Due to a bug with cloudflare, malformed html tags on some websites were causing cloudflares responses to contain large chunks of initialised memory. Due to the way cloudflare shares servers between hundreds of websites any malformed response on any cloudflare website could contain raw request/response data (passwords, PMs, etc,). For that reason I think you hits should force a password reset.

The above was fairly simplified. A more detailed writeup is available at https://bugs.chromium.org/p/project-...detail?id=1139


Edit: would also recommended resetting 2fa, since since the secret key would also be leaked, and could be cached anywhere that got the memory dump.
@Dave84311 @arunforce @Liz

[[MPGH]arunforce]

Got the notice. Dave will have to see if MPGH is likely affected. However it's a large jump from a parsing HTML exploit to a hashed password / db access.

[Nimboso]

Got the notice. Dave will have to see if MPGH is likely affected. However it's a large jump from a parsing HTML exploit to a hashed password / db access.

Not saying there is full dB access or anything, but when users log in or change their password it's sent in a POST request for the server to salt+hash, if the initial change request, or a 2fa request got caught in a cache somewhere (with the large userbase its fairly likely), some users passwords/2fa keys could be leaked.

Not at home to check, but if I remember correctly when logging in via vbulletin your browser sends a hashed password, so normal logon requests would require an attacker to crack the passwords md5, but the change request is sent plaintext over https (which is where the leak would affect users)

[javalover]

Code:

wget -O possible_vulndom.zip 'https://******.com/pirate/sites-using-cloudflare/archive/master.zip'
unzip possible_vulndom.zip
grep -x mpgh.net possible_vulndom/sorted_unique_cf.txt

mpgh is on list of possibly vulnerable domains. The CloudBleed reminds me the HeartBeed vulnerability.