UPDATED 14:26 EDT / DECEMBER 28 2012

NEWS

Insecure Wordpress Cache Plugin Renders Sensitive Data Vulnerable

WordPress users beware! Researcher Jason A. Donenfeld discovered a vulnerability in a popular WordPress plugin, W3 Total Cache, which is described as a “performance framework” that speeds up sites, improving page load times, downloads and other important tasks on a website.

Donenfeld stated that he discovered the vulnerability while helping his brother, who is stationed at Amundsen-Scott South Pole Station in Antarctica, troubleshoot his personal blog.

“They only get a satellite passing overhead a couple times a day, so he needed some help with performance. I was poking around and found this directory issue,” he told Security Ledger in a phone conversation.

He stated that simply installing W3 Total Cache could leave sensitive information exposed and ready for the picking. The plugin leaves directory listing enabled on the cache directory that stores cached content, which means “anyone could easily recursively download all the database cache keys and extract ones containing sensitive information, such as password hashes,” Donenfeld wrote.

These are Donenfeld’s findings on the vulnerability:

“When I set it up by going to the WordPress panel and choosing “add plugin” and selecting the plugin from the WordPress Plugin Catalog (or whatever), it left two avenues of attack open:

“1) Directory listings were enabled on the cache directory, which means anyone could easily recursively download all the database cache keys, and extract ones containing sensitive information, such as password hashes. A simple google search of “inurl:wp-content/plugins/w3tc/dbcache” and maybe some other magic reveals this wasn’t just an issue for me. As W3 Total Cache already futzes with the .htaccess file, I see no reason for it not to add “Options -Indexes” to it upon installation. I haven’t read any W3 documentation, so it’s possible this is a known and documented misconfiguration, but maybe not.

“2) Even with directory listings off, cache files are by default publicly downloadable, and the key values / file names of the database cache items are easily predictable. Again, it seems odd that “deny from all” isn’t added to the .htaccess file. Maybe it’s documented somewhere that you should secure your directories, or maybe it isn’t; I’m not sure.”

Donenfeld considers it more of a configuration error than a vulnerability, and suggests that W3 Total Cache users disable the “database cache” and “object cache” options and flush any existing caches created with W3 Total Cache as an interim measure until W3 Edge officially addresses the issue.
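As an added example (not code from the article, from Donenfeld or from the W3 Total Cache project), the following Python audit walks a WordPress wp-content tree and reports, for each cache directory, the two gaps described above: a .htaccess that does not disable listings, and one that leaves the cache files web-readable. The directory names dbcache and objectcache, the Apache 2.4 "Require all denied" alternative, and the constructed demo tree are assumptions made for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# "Deny from all" is the Apache 2.2 form quoted in the article; "Require all
# denied" is the Apache 2.4 equivalent and is accepted as well.
NO_INDEX_RE = re.compile(r"^\s*Options\b[^\n]*-Indexes", re.I | re.M)
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)
HARDENED_HTACCESS = "Options -Indexes\nDeny from all\n"
# Assumed names: "dbcache" from the path the article quotes, "objectcache" for the object cache option.
CACHE_DIR_NAMES = ("dbcache", "objectcache")


def audit_htaccess_text(text):
    """Findings for the content of one .htaccess; an empty list means hardened."""
    findings = []
    if not NO_INDEX_RE.search(text):
        findings.append("listing enabled: missing 'Options -Indexes'")
    if not DENY_RE.search(text):
        findings.append("cache files web-readable: missing 'Deny from all'")
    return findings


def audit_cache_dir(cache_dir):
    """Read the directory's .htaccess (absent counts as empty) and audit it."""
    htaccess = Path(cache_dir) / ".htaccess"
    return audit_htaccess_text(htaccess.read_text(errors="replace") if htaccess.is_file() else "")


def audit_wp_content(wp_content):
    """Walk wp-content and audit every cache directory found: {relpath: findings}."""
    results = {}
    for root, dirs, _files in os.walk(wp_content):
        for name in dirs:
            if name in CACHE_DIR_NAMES:
                path = os.path.join(root, name)
                results[os.path.relpath(path, wp_content)] = audit_cache_dir(path)
    return results


def build_demo_tree():
    """Constructed wp-content tree: one open, one partially and one fully hardened cache dir."""
    root = tempfile.mkdtemp()
    for rel, content in (("plugins/w3tc/dbcache", None), ("w3tc/objectcache",
                         "Options -Indexes\n"), ("cache/dbcache", HARDENED_HTACCESS)):
        os.makedirs(os.path.join(root, rel))
        if content is not None:
            (Path(root) / rel / ".htaccess").write_text(content)
    return root
```

Run it against a live installation with audit_wp_content("/path/to/wp-content"). It only inspects .htaccess contents, so it cannot tell whether the web server honours .htaccess at all (AllowOverride) or whether a non-Apache server is in front; the "partial" case, listing off but files still downloadable, is the second avenue Donenfeld describes.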
