Hole in W3 Total Cache WordPress plugin exposes site database info

By on December 27, 2012, 6:00 PM

Security researcher Jason A. Donenfeld has revealed a security hole in a popular WordPress plugin that could be used to obtain sensitive data from an affected site. The flaw was discovered in W3 Total Cache, which has been downloaded over a million times and is used by high traffic sites including Mashable and LockerGnome.

The plugin is designed to speed up sites that use the WordPress content management system by up to 10 times through "caching every aspect" of the site. According to Donenfeld, when the plugin is installed with a default setup (i.e. users just simply choose "add plugin"), the add-on leaves the cache directory listings enabled.

With that enabled, Donenfeld says anyone could easily download all of the database cache keys and extract those containing sensitive data. Even if that weren't the case, he notes that the cache data is still publicly accessible by default so an attacker could view and download database information such as password hashes (simply search Google for "inurl:wp-content/w3tc" and you'll see the directory he's talking about).

Donenfeld has published a simple shell script that can identify and exploit the vulnerability. He stressed that the holes are caused by a configuration that shouldn't be present in the default software, and the developer of W3 Total Cache is expected to release a fix soon, though we haven't seen an estimated release date. For now, sites using the plugin should disable their database cache or create a .htaccess file in wp-content/w3tc.




User Comments: 1

Got something to say? Post a comment
1 person liked this | w3edge w3edge said:

For those of you that use W3 Total Cache to make your sites more performant, thank you. Security issues are always of paramount interest, no matter the scope.

The root of the possible vulnerability lies in the intersection of two configuration settings, one at the Web Server level and the other at the W3 Total Cache database caching level. You may be vulnerable if the following are true: your server is configured to allow directory listing with enabled public access on W3TC?s database caching directories and also use database caching via the disk caching method. These settings would allow a hacker to break the md5 hashing used for the then publicly accessible cached database objects. The manner, extent and timing of the vulnerability?s report leave much to be desired; nonetheless, the versions have now been patched on wordpress.org. Thanks to those that offered remediation advice. I?m sorry for the delay in turning this around, none of the proposed solutions were satisfactory.

The hotfix (tested with WordPress version 3.5) will help those who are just now upgrading to 0.9.2.4 or are otherwise getting started with W3 Total Cache. Specifically, the hash logic is improved via wp_hash(), significantly stronger than the previous md5 hashing at the compromise of a bit of speed. I?ve also made sure that a web server?s lack of security around directory listings and the standard file structure of W3TC?s hashing logic are no longer of consequence for those attempting to download them from your server.

For those who are using database caching to disk already, please be sure to disable directory indexing and deny web access to the ?wp-content/w3tc/dbcache/? directory in your web configuration, then empty the database cache for good measure. Or, simply deactivate W3 Total Cache, uninstall it, and re-install it via wordpress.org to have the hotfix applied upon re-activation. Again, empty the database cache for good measure. Your settings will not be lost during this process. If all of this is gibberish to you, then simply disable database caching to disk until the next release or use another method if available. Once again, empty the database cache using the button of the same name available on the database caching settings tab.

If you?re reading this and have seen a post about the issue that does not have this response on it, please do post this for me. Thanks in advance. Happy Holidays.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.