A flaw in the default configuration of W3 Total Cache (W3TC), a popular caching plugin for the WordPress blogging platform, could allow an attacker to browse and download the plugin's cached database contents, including password hashes and other sensitive information. W3TC speeds up WordPress sites by caching content, among it the results of database queries.
Researcher Jason A. Donenfeld first found the issue and publicized it in a post to the Full Disclosure mailing list on Monday. The problem stems from the way W3TC stores its database cache: cached query results are written as files under the web root, inside the wp-content/w3tc directory, and laid out the same way on every site. If directory listing is enabled for that directory, anyone can browse and download the files. An attacker could harvest the site’s database cache keys “and extract ones containing sensitive information, such as password hashes,” according to Donenfeld’s post.
The Seclists.org post goes on to warn that even where directory listing is disabled, guessing the paths is easy, since “cache files are by default publicly downloadable, and the key values/file names of the database cache items are easily predictable.”
A complete rundown of the vulnerability, with a shell script to identify and exploit it, has been posted on GitHub.
The problem affects all builds of W3 Total Cache up to and including the latest version, 0.9.2.4. According to a subsequent post by Donenfeld on Full Disclosure, the plugin’s author plans a fix soon.
Until then, Donenfeld encourages WordPress users to disable the database cache or to create a .htaccess file inside the wp-content/w3tc directory that denies access.
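The .htaccess workaround, written out as an added example (this is not the file from Donenfeld’s post or from the plugin). It assumes the site runs on Apache and that the server’s AllowOverride setting lets .htaccess files in wp-content/w3tc control access and options; the 2.4 and 2.2 directive forms are both included because the advisory predates widespread Apache 2.4 deployment:

```apache
# wp-content/w3tc/.htaccess
# Added example, not the advisory's or the plugin's own file.
# Assumes Apache honours .htaccess here (AllowOverride includes
# Limit, Options and AuthConfig, or is set to All).

# Never serve a directory index, even if mod_autoindex is active.
Options -Indexes

# Apache 2.4: refuse every request for anything under this directory.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: the same effect with the older mod_authz_host directives.
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
```

After dropping the file in place, request both the directory itself and a known cache file path through a browser or curl and confirm the server answers 403 for each; a 500 usually means the server’s AllowOverride does not permit one of the directives, in which case remove the Options line (the deny rules already prevent listings) or ask the host to allow it. Two caveats: the file only blocks web access, so anything else that reads the cache from disk is unaffected, and if W3TC’s disk-based page cache is configured to have Apache serve cached pages directly out of a subdirectory of wp-content/w3tc, a blanket deny on the parent directory will break that; in that case scope the deny to the subdirectory that holds the database cache files instead.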