WordPress W3 Total Cache Misconfiguration Leaves Some Blogs Vulnerable

An apparent misconfiguration exists in W3 Total Cache (W3TC), a popular plugin for the WordPress blogging platform, that could allow an attacker to browse and download password hashes and other database information. W3 Total Cache (W3TC) is a framework for WordPress that helps speed up blogs by caching content.


Researcher Jason A. Donenfeld first found the issue and publicized it in a post to the Full Disclosure mailing list on Monday. The problem stems from the way W3TC stores the database cache. Since the plugin stores the cache in the same location and layout on every site, if directory listing is left enabled, anyone can freely browse and download the cache files. Anyone could harvest the site’s database cache keys “and extract ones containing sensitive information, such as password hashes,” according to Donenfeld’s post.

The Seclists.org post goes on to warn that even if directory listing isn’t enabled on a site, it’s easy to simply guess the file paths, since “cache files are by default publicly downloadable, and the key values/file names of the database cache items are easily predictable.”

A complete rundown of the vulnerability, complete with a shell script to identify and exploit it, has been posted on GitHub.

While the problem affects all builds of W3 Total Cache up to and including the latest version, 0.9.2.4, according to a subsequent post by Donenfeld on Full Disclosure, the author of the affected W3TC code plans a fix soon.

Until then Donenfeld encourages WordPress users to disable their database cache or create a .htaccess file inside the wp-content/w3tc directory denying access.

Discussion

  • Frederick Townes on

    For those of you that use W3 Total Cache to make your sites more performant, thank you. Security issues are always of paramount interest, no matter the scope.

    The root of the possible vulnerability lies in the intersection of two configuration settings, one at the Web Server level and the other at the W3 Total Cache database caching level. You may be vulnerable if the following are true: your server is configured to allow directory listing with enabled public access on W3TC’s database caching directories and also use database caching via the disk caching method. These settings would allow a hacker to break the md5 hashing used for the then publicly accessible cached database objects. The manner, extent and timing of the vulnerability’s report leave much to be desired; nonetheless, the versions have now been patched on wordpress.org. Thanks to those that offered remediation advice. I’m sorry for the delay in turning this around; none of the proposed solutions were satisfactory.

    The hotfix (tested with WordPress version 3.5) will help those who are just now upgrading to 0.9.2.4 or are otherwise getting started with W3 Total Cache. Specifically, the hash logic is improved via wp_hash(), significantly stronger than the previous md5 hashing at the compromise of a bit of speed. I’ve also made sure that a web server’s lack of security around directory listings and the standard file structure of W3TC’s hashing logic are no longer of consequence for those attempting to download them from your server.

    For those who are using database caching to disk already, please be sure to disable directory indexing and deny web access to the “wp-content/w3tc/dbcache/” directory in your web configuration, then empty the database cache for good measure. Or, simply deactivate W3 Total Cache, uninstall it, and re-install it via wordpress.org to have the hotfix applied upon re-activation. Again, empty the database cache for good measure. Your settings will not be lost during this process. If all of this is gibberish to you, then simply disable database caching to disk until the next release or use another method if available. Once again, empty the database cache using the button of the same name available on the database caching settings tab.

    If you’re reading this and have seen a post about the issue that does not have this response on it, please do post this for me. Thanks in advance. Happy Holidays.
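The two mitigations recommended in the article (a .htaccess denying access under wp-content/w3tc) and in Frederick Townes’ comment (no directory indexing and no web access to wp-content/w3tc/dbcache/) can be expressed in one small Apache file. The following is an added example, not code from the article or from the W3 Total Cache project; it assumes an Apache web server with .htaccess overrides enabled and the default cache location Townes names:

```apache
# Added example (not from the article or the W3 Total Cache project):
# file: wp-content/w3tc/dbcache/.htaccess
# Stop the web server from listing or serving W3TC's on-disk database cache.

# Turn off automatic directory listings for this directory.
# Needs "AllowOverride Options" (or set Options -Indexes in the vhost instead).
Options -Indexes

# Refuse every request for anything under this directory.
# Apache 2.4 access-control syntax:
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
# Apache 2.2 access-control syntax:
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

A few practical notes. If AllowOverride does not permit Options, the Options line causes a 500 error for the whole directory; drop it and set the directive in the virtual host configuration instead. The file is deliberately scoped to dbcache/ rather than to all of wp-content/w3tc: W3TC’s disk-based page cache may be served out of the same tree by rewrite rules, and a blanket deny there can break it, so check your own version’s layout before widening the scope. The file has no effect on nginx, which ignores .htaccess; an equivalent location block returning 403 for the cache path is needed there. After deploying, confirm from outside the site that a request for the cache directory and for a known cache file path both return 403, then empty the database cache as Townes advises, since files already written remain on disk until they are cleared.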

  • jay mills on

    This is one of the key plugins that I use to get ranking for both my blogs and my customers’ blogs. It gives me easy cache clearing and lets my blogs reload the new content. Along with the auto-linking and related-post plugins I use, mine and my customers’ blogs rank a lot quicker.
