W3 Total Cache implementation vulnerability

Just in time for Christmas, it was announced on the full disclosure list a security (configuration/implementation) bug on W3 Total cache, one of the most popular WordPress plugins.

The issue is related on how W3TC stores the database cache (in a public accessible directory) that can be used to retrieve password hashes and other database information.

By default the plugin will store the caches inside /wp-content/w3tc/dbcache/ and if you have directory listing enabled, anyone can browse to yoursite.com/wp-content/w3tc/dbcache/ and download them. The second issue is that even if you don’t have directory caching enabled, it is still possible to guess those directories/files in order to extract the database cache queries and results.

There is more information about this issue on the full disclosure list: http://seclists.org/fulldisclosure/2012/Dec/242:

Confirmed vulnerability

We have tried and we were able to exploit this vulnerability on our test sites. Many shared hosts have directory listing enabled by default, making the problem even worse.

On the sites without directory listing we were able to download the whole db cache directory remotely and then search for specific strings (user_pass) and get the password hashes:

a:6:{s:10:"last_error”;s:0:””;s:10:”last_query”;s:41:”SELECT * FROM wp_users WHERE ID = ’15′”;s:11:”last_result”;a:1:{i:0;O:8:”stdClass”:10:{s:2:”ID”;s:2:”15″;s:10:”user_login”;s:21:”Guest Blogger”;s:9:”user_pass”;s:34:”$P$BPtuFcIxFXXXX3MJbBBN4dxJ1″;s:13:”user_nicename”;..


It seems the easiest way to protect your sites is by disabling database cache or creating an .htaccess file inside the wp-content/w3tc directory denying direct access there:

deny from all

If you are not using Apache, you will need a similar configuration entry to prevent direct access to the w3tc folder. If you have any question, let us know.

Read more: W3 Total Cache implementation vulnerability

Story added 25. December 2012, content source with full text you can find at link above.