Does solving the challenge because of Tor allow a log4j attack?

On my settings, Tor visitors are submitted to a captcha challenge, whatever the request.
Some of them solve the challenge.
Does this create a waf whitelist for them ?

If you click on the relevent Firewall event log, it should list the Action Taken to indicate if the request bypassed, solved or did not solve the challenge.

Action Taken = Managed Challenge means not solved as the FirewallMatchesActions at https://developers.cloudflare.com/logs/reference/log-fields/zone/http_requests lists the following options

  • unknown
  • allow
  • block
  • challenge
  • jschallenge
  • log
  • connectionClose
  • challengeSolved
  • challengeFailed
  • challengeBypassed
  • jschallengeSolved
  • jschallengeFailed
  • jschallengeBypassed
  • bypass
  • managedChallenge
  • managedChallengeSkipped
  • managedChallengeNonInteractiveSolved
  • managedChallengeInteractiveSolved
  • managedChallengeBypassed

So if that log4j scan request did solve a Managed Challenge, the Action Taken would be listed as either managedChallengeNonInteractiveSolved or managedChallengeInteractiveSolved instead of managedChallenge

I don’t have access to the logs, still not “enterprise”.
Maybe my example is not relevant / explicit.

My question is:

If I have a rule which requires a “Challenge” for Tor users for example,
can they bypass a “block” rule by solving the challenge ?

Look at this:

The Tor user hits the “Security level” / badscore rule which prompts the challenge.
But the “Path” hits CVE-2017-9841 , which should be blocked by PHP100012

Did the Tor user manage to try to exploit the CVE ?

image

The screenshot says Action Taken = Managed Challenge so that means the request didn’t pass the challenge from what I understand so the request would get 403 permission denied .

Ok according to https://support.cloudflare.com/hc/en-us/articles/200170136-Understanding-Cloudflare-Captchas-and-Challenge-Passage

The Challenge Passage does not apply to challenges issued by the Web Application Firewall (WAF)

And “Managed Challenge” does not mean “Solved Challenge”, so this looks safe.
Thank you for your help

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.