Comment by kogir

8 years ago

I'm not 100% clear: Only three features were affected, and only sites with one or more of those features enabled leaked data into their pages.

But was the leaked data similarly limited to only the sites with the features enabled? Or could it have come from any request - even an entirely unrelated site?

It appears that it could be from any site that passed through that server, not just those with these features enabled.

That's just how I read it.

> only sites with one or more of those features enabled leaked data

No. From what he says, enabling that feature on a CF proxy basically triggered the bug on any site that happened to go through that proxy, regardless of whether it used the feature or not.

  • It only triggered the bug on sites that were using those features, but any other CF site was vulnerable to getting dumped out.

    • Yeah, that's what I meant - content could be dumped from any site going through, regardless of whether they used the broken features.