Vulnerability in EPiServer.Forms


Episerver Menu in top-right corner is shown on pages served by CDN cache (Cloudflare)


We've enabled CDN cache (Cloudflare) on several pages and noticed, on the rare occasion, the Episerver Menu is visible in top-right corner when the page is served by CDN cache.

How to replicate:
  1. Sign in as a user with access to the CMS
  2. Clear the CDN cache
  3. Visit a page that is served by CDN cache so the page is added to CDN cache
  4. In incognito mode, visit the same page from Step 3
  5. Notice the Episerver menu is visible on the top-right corner. On a positive note, the links do not allow the user access to the CMS because Cloudflare deletes all cookies.

I suggest Episerver update their menu so it's only visible when the forms login cookie is present. In the meantime, we'll use the Bypass Cache on Cookie setting in our Cloudflare page rules.

Oct 22, 2020 10:25

Hi Matt

It sounds like you enabled the "Cache Everything" option in Cloudflare and the first visitors to some of the pages were logged-in users. Then Cloudflare caches the page as rendered with the Episerver Quick Navigator Menu shown.

This issue has nothing to do with Episerver. Since you instruct Cloudflare to only send the request to Episerver once in a while, Episerver would not know when to display the menu or not.

As I see it, you can either:

  • remove the Quick Navigator Menu from the general layout template, or
  • add the "presence" of the authentication cookie to the custom cache key format (see the cache key documentation)

Oct 22, 2020 13:23
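Added example, not part of the original posts and not Episerver or Cloudflare code: a small JavaScript model of the three edge behaviours discussed in this thread (URL-only cache key, bypass on auth cookie, auth-cookie presence in the cache key), replaying the reproduction steps against each. The cookie name `.ASPXAUTH`, the `/news` URL, the markup and all function names are assumptions made for the illustration.

```javascript
// Constructed model of a shared edge cache in front of a CMS origin.
// AUTH_COOKIE is an assumption: the default ASP.NET forms-auth cookie name.
const AUTH_COOKIE = ".ASPXAUTH";

const hasAuthCookie = (req) =>
  (req.cookie || "").split(";").some((c) => c.trim().startsWith(AUTH_COOKIE + "="));

// Origin stand-in: editors get the quick navigator markup, anonymous users do not.
function renderOrigin(req) {
  const menu = hasAuthCookie(req) ? '<div id="quick-navigator">CMS menu</div>' : "";
  return `<html><body>${menu}<h1>${req.url}</h1></body></html>`;
}

// Three edge policies discussed in the thread.
const policies = {
  // "Cache Everything": key is the URL only, cookies are ignored.
  cacheEverything: { key: (req) => req.url, bypass: () => false },
  // Bypass the cache when the auth cookie is present (the poster's interim fix).
  bypassOnCookie: { key: (req) => req.url, bypass: hasAuthCookie },
  // Auth-cookie presence is part of the cache key (the reply's second option).
  keyOnCookiePresence: {
    key: (req) => `${req.url}|auth=${hasAuthCookie(req)}`,
    bypass: () => false,
  },
};

function makeEdge(policy) {
  const store = new Map();
  return function fetchViaEdge(req) {
    if (policy.bypass(req)) return renderOrigin(req); // served from origin, never stored
    const k = policy.key(req);
    if (!store.has(k)) store.set(k, renderOrigin(req));
    return store.get(k);
  };
}

// Replays the thread's steps: an editor warms the cache, then an anonymous visit.
function anonymousSeesMenu(policyName) {
  const edge = makeEdge(policies[policyName]);
  edge({ url: "/news", cookie: `${AUTH_COOKIE}=constructed-ticket; lang=en` });
  const body = edge({ url: "/news", cookie: "" });
  return body.includes("quick-navigator");
}

for (const name of Object.keys(policies)) {
  console.log(name, "-> anonymous visitor sees menu:", anonymousSeesMenu(name));
}
```

Only the URL-only key serves the editor's render to the anonymous visitor; the same check (look for the menu markup in a cookieless response) works as a regression test against a real cached page.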