Softpedia
 


December 28th, 2012, 12:44 GMT · By


Configuration Flaw in W3 Total Cache Could Expose Tens of Thousands of Sites

The popular WordPress performance plugin W3 Total Cache – which is currently used by tens of thousands of websites from all over the world – has been found to expose sensitive information if it’s not configured correctly.

The researcher who identified the issue, Jason Donenfeld, explains that users frequently deploy the plugin incorrectly. When it is installed from the “add plugin” section, two attack vectors automatically appear.

“Directory listings were enabled on the cache directory, which means anyone could easily recursively download all the database cache keys, and extract ones containing sensitive information, such as password hashes,” Donenfeld wrote on Full Disclosure.

The expert found that a simple Google search exposes a lot of websites.

Furthermore, he says that even with the directory listings turned off, cache files are publicly downloadable by default and the file names of the database cache items are easily predictable.

To demonstrate his findings, the researcher published proof-of-concept software. As a solution, the expert advises users to tweak their .htaccess file to deny access to database cache files.

Shortly after making his findings public, Donenfeld had a chat with the author of W3 Total Cache who promised to release a fix for the issue.


READER COMMENTS:


Comment #1 by: Frederick Townes on 29 Dec 2012, 08:07 UTC

For those of you that use W3 Total Cache to make your sites more performant, thank you. Security issues are always of paramount interest, no matter the scope.

The root of the possible vulnerability lies in the intersection of two configuration settings, one at the Web Server level and the other at the W3 Total Cache database caching level. You may be vulnerable if the following are true: your server is configured to allow directory listing with enabled public access on W3TC’s database caching directories and also use database caching via the disk caching method. These settings would allow a hacker to break the md5 hashing used for the then publicly accessible cached database objects. The manner, extent and timing of the vulnerability’s report leave much to be desired; nonetheless, the versions have now been patched on wordpress.org. Thanks to those that offered remediation advice. I’m sorry for the delay in turning this around, none of the proposed solutions were satisfactory.

The hotfix (tested with WordPress version 3.5) will help those who are just now upgrading to 0.9.2.4 or are otherwise getting started with W3 Total Cache. Specifically, the hash logic is improved via wp_hash(), significantly stronger than the previous md5 hashing at the compromise of a bit of speed. I’ve also made sure that a web server’s lack of security around directory listings and the standard file structure of W3TC’s hashing logic are no longer of consequence for those attempting to download them from your server.

For those who are using database caching to disk already, please be sure to disable directory indexing and deny web access to the “wp-content/w3tc/dbcache/” directory in your web configuration, then empty the database cache for good measure. Or, simply deactivate W3 Total Cache, uninstall it, and re-install it via wordpress.org to have the hotfix applied upon re-activation. Again, empty the database cache for good measure. Your settings will not be lost during this process. If all of this is gibberish to you, then simply disable database caching to disk until the next release or use another method if available. Once again, empty the database cache using the button of the same name available on the database caching settings tab.

If you’re reading this and have seen a post about the issue that does not have this response on it, please do post this for me. Thanks in advance. Happy Holidays.
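The following is an added example, not code from the article, the researcher's proof of concept, or the plugin: a static check a site owner can run against a local document root to see whether the “wp-content/w3tc/dbcache/” directory is covered by a directory-wide deny rule and has indexing disabled. It assumes Apache honors .htaccess files (AllowOverride) and does not model the main server configuration or later overrides; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

DBCACHE_REL = Path("wp-content/w3tc/dbcache")  # directory named in the comment above
DENY = re.compile(r"(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)
NOINDEX = re.compile(r"options\s+.*-indexes\b", re.I)
SCOPE = re.compile(r"<\s*(/?)\s*files(match)?\b", re.I)  # <Files>/<FilesMatch> open or close

def directives(htaccess):
    """Yield directives that apply to the whole directory, skipping <Files>-scoped ones."""
    depth = 0
    for raw in htaccess.read_text(errors="replace").splitlines():
        line = raw.strip()
        m = SCOPE.match(line)
        if m:
            depth = max(0, depth + (-1 if m.group(1) else 1))
        elif depth == 0 and line and not line.startswith("#"):
            yield line

def audit_dbcache(docroot):
    """Static heuristic for one document root; an empty list means nothing to report."""
    cache = Path(docroot) / DBCACHE_REL
    if not cache.is_dir():
        return []  # database caching to disk is not in use here
    deny = noindex = False
    # .htaccess rules are inherited, so read dbcache and each parent up to the docroot
    for d in (cache, *list(cache.parents)[:len(DBCACHE_REL.parts)]):
        ht = d / ".htaccess"
        for line in (directives(ht) if ht.is_file() else ()):
            deny = deny or bool(DENY.match(line))
            noindex = noindex or bool(NOINDEX.match(line))
    n = sum(1 for p in cache.rglob("*") if p.is_file() and p.name != ".htaccess")
    checks = [
        (not deny, "no deny rule covers dbcache: cached database objects are downloadable"),
        (not deny and not noindex, "no 'Options -Indexes': directory listing may be enabled"),
        (not deny and n > 0, f"{n} cached file(s) on disk: empty the database cache after fixing"),
    ]
    return [msg for bad, msg in checks if bad]

def demo():
    """Constructed tree: the site-level deny is scoped to one file, so dbcache starts exposed."""
    with tempfile.TemporaryDirectory() as tmp:
        root, cache = Path(tmp), Path(tmp) / DBCACHE_REL
        (cache / "a1").mkdir(parents=True)
        (cache / "a1" / "constructed_entry").write_text("constructed sample")
        (root / ".htaccess").write_text("<Files wp-config.php>\nDeny from all\n</Files>\n")
        before = audit_dbcache(root)
        (cache / ".htaccess").write_text("Options -Indexes\nDeny from all\n")
        return before, audit_dbcache(root)
```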
