UPDATED 14:26 EST / DECEMBER 28 2012


Insecure WordPress Cache Plugin Renders Sensitive Data Vulnerable

WordPress users beware! Researcher Jason A. Donenfeld discovered a vulnerability in W3 Total Cache, a popular WordPress plugin described as a “performance framework” that speeds up sites by improving page load times, downloads and other important site tasks.

Donenfeld stated that he discovered the vulnerability while helping his brother, who is stationed at Amundsen-Scott South Pole Station in Antarctica, troubleshoot his personal blog.

“They only get a satellite passing overhead a couple times a day, so he needed some help with performance. I was poking around and found this directory issue,” he told Security Ledger in a phone conversation.

He stated that simply installing W3 Total Cache could leave sensitive information exposed and ripe for the picking. The plugin leaves directory listings enabled on the directory where it stores cached content, which means “anyone could easily recursively download all the database cache keys and extract ones containing sensitive information, such as password hashes,” Donenfeld wrote.

These are Donenfeld’s findings on the vulnerability:

“When I set it up by going to the WordPress panel and choosing “add plugin” and
selecting the plugin from the WordPress Plugin Catalog (or whatever),
it left two avenues of attack open:

“1) Directory listings were enabled on the cache directory, which means
anyone could easily recursively download all the database cache keys,
and extract ones containing sensitive information, such as password
hashes. A simple google search of
“inurl:wp-content/plugins/w3tc/dbcache” and maybe some other magic
reveals this wasn’t just an issue for me. As W3 Total Cache already
futzes with the .htaccess file, I see no reason for it not to add
“Options -Indexes” to it upon installation. I haven’t read any W3
documentation, so it’s possible this is a known and documented
misconfiguration, but maybe not.

“2) Even with directory listings off, cache files are by default
publicly downloadable, and the key values / file names of the database
cache items are easily predictable. Again, it seems odd that “deny
from all” isn’t added to the .htaccess file. Maybe it’s documented
somewhere that you should secure your directories, or maybe it isn’t;
I’m not sure.”

But Donenfeld stated that it is more of a configuration error than a vulnerability, and suggested that W3 Total Cache users disable the “database cache” and “object cache” options and flush any existing caches created with W3 Total Cache, as a stopgap until W3 Edge officially addresses the issue.
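
For site owners who want to check their own installs, here is an added example (not code from the article, Donenfeld or W3 Edge): a simplified audit of whether a cache directory is covered by the two .htaccess directives Donenfeld names, “Options -Indexes” and “deny from all”. The function names and the inheritance model are assumptions, “Require all denied” is included as the Apache 2.4 form of the deny rule, and the directory tree is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

OPTIONS_RE = re.compile(r"^\s*Options\s+(.+)$", re.I)
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I)
ALLOW_RE = re.compile(r"^\s*(Allow\s+from\s+all|Require\s+all\s+granted)\s*$", re.I)

def audit_cache_dir(docroot, cache_dir):
    """Return (listing_disabled, access_denied) for cache_dir.

    Simplified model (assumption): only .htaccess files between docroot and
    cache_dir are read, deeper files override shallower ones, and the server
    default is treated as listings on, access allowed. Main server config,
    AllowOverride and <Files>/<IfModule> sections are not evaluated.
    """
    docroot, cache_dir = Path(docroot).resolve(), Path(cache_dir).resolve()
    parts = cache_dir.relative_to(docroot).parts  # ValueError if outside docroot
    chain = [docroot.joinpath(*parts[:i]) for i in range(len(parts) + 1)]
    listing_disabled = access_denied = False
    for htaccess in (d / ".htaccess" for d in chain):
        if not htaccess.is_file():
            continue
        for line in htaccess.read_text(errors="replace").splitlines():
            m = OPTIONS_RE.match(line)
            if m:
                opts = [o.lower() for o in m.group(1).split()]
                if "-indexes" in opts:
                    listing_disabled = True
                elif "+indexes" in opts:
                    listing_disabled = False
                elif any(o[0] not in "+-" for o in opts):
                    # Unsigned options replace the inherited set entirely.
                    listing_disabled = not {"indexes", "all"} & set(opts)
            elif DENY_RE.match(line):
                access_denied = True
            elif ALLOW_RE.match(line):
                access_denied = False
    return listing_disabled, access_denied

def demo():
    """Audit a constructed tree before and after adding the two directives."""
    with tempfile.TemporaryDirectory() as root:
        cache = Path(root, "wp-content/plugins/w3tc/dbcache")  # path as quoted in the article
        cache.mkdir(parents=True)
        Path(root, ".htaccess").write_text("# BEGIN WordPress\nRewriteEngine On\n")
        before = audit_cache_dir(root, cache)
        (cache / ".htaccess").write_text("Options -Indexes\nDeny from all\n")
        return before, audit_cache_dir(root, cache)
```

A result of (False, False) means neither directive covers the directory; a clean result here does not replace requesting the cache URL yourself, since the main server configuration can override .htaccess.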

