Cloudflare Drupal

Posted onby admin

Exploitation attempts of a highly critical vulnerability discovered in the Drupal content management software (CMS) on February 20 were blocked by Cloudflare using Web Application Firewall (WAF) rules designed to protect its customers' websites from being compromised.

Cloudflare Waf Drupal

Assume you have a drupal website and using cloudflare. You are having an Amazon affiliate drupal content type, and you are collecting ASIN code of two countries: India; USA; Now you want to display only one link of amazon which will redirect to country specific website. Either or Lets see how you can do it in Drupal. Drupal discovered a severe vulnerability and said they would release a patch. When the patch was released we analysed and created rules to mitigate these. By analysing the patch we created WAF rules to protect Cloudflare customers running Drupal.

Cloudflare Drupal

According to Drupal project team's security advisory, the websites impacted by the vulnerability tracked as CVE-2019-6340 are those that have the Drupal 8 core RESTful Web Services (rest) module turned on, and also allow PATCH or POST requests.


If you have a CloudFlare Enterprise subscription, it would be much more efficient to use Cache Tags along with the Cloudflare module for Drupal 8. Free or Pro users could also use the Cloudflare module to purge content by URL. Since most readers of this post use the free, this post is geared towards a very simple implementation for that audience. Global Support, with network routes across the entire Cloudflare network, including China Security included Using a lightweight agent installed on the origin infrastructure (including container or virtual machine), Cloudflare Argo Tunnel creates an encrypted tunnel between the nearest Cloudflare data center and the web server’s origin without.

To avoid having to ask each of their customers to update their installations after a patched version was released by Drupal on the same day, Cloudflare 'identified the type of vulnerability' within 15 minutes, and they 'were able to deploy rules to block the exploit well before any real attacks were seen.'

First attack observed 48 hours after vulnerability disclosure

After analyzing Drupal's patch in depth, the company's security team discovered that a potential exploit would be based on deserialization which can be abused with the help of a maliciously crafted serialized Object.

The worst part was that potential attackers could exploit CVE-2019-6340 without any authentication requirements, allowing for all the data on the system to be modified or deleted.

Following multiple tweaks, Cloudflare eventually deployed a WAF rule they named D0020 which was very effective in automatically blocking attackers trying to exploit the highly critical vulnerability present in unpatched Drupal installations.

Cloudflare says that 'The rule was already deployed in ‘drop’ mode by the time our first attack was observed at around 7pm UTC on Friday the 22nd of February 2019, and to date it has matched zero false positives. This is less than 48 hours from the announcement from Drupal.'

While at first, the threat actors were only probing for vulnerable Drupal installations by remotely invoking commands like phpinfo and executing test payloads, the attacks soon picked up trying to drop backdoor payloads designed to help crooks to maintain their access even if the server would've been patched later on.

'The pattern we saw here is fairly typical of a newly announced vulnerability. [..] This vulnerability was weaponized within two days of disclosure, but that is by no means the shortest time frame we’ve seen,' concludes Cloudflare.

Related Articles: