Editor’s Note: Updated to add comments from Jason Donenfeld. – Paul
The researcher, Jason A. Donenfeld, who uses the handle “zx2c4,” posted a notice about the add-on, W3 Total Cache, on the Full Disclosure security mailing list on Sunday, warning that many WordPress users who had added the plugin had directories of cached content that could be browsed by anyone with a web browser and knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data like password hashes, Donenfeld wrote.
W3 Total Cache is described as a “performance framework” that speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, downloads and the like. The plugin has been downloaded 1.39 million times and is used by sites including mashable.com and smashingmagazine.com, according to the WordPress web site.
Donenfeld said he discovered the vulnerability while helping his brother, who is currently working at Amundsen-Scott South Pole Station in Antarctica, to troubleshoot his personal blog.
“They only get a satellite passing overhead a couple times a day, so he needed some help with performance. I was poking around and found this directory issue,” he told Security Ledger in a phone conversation.
Simply installing W3 Total Cache from within WordPress appears to leave potentially sensitive data exposed, Donenfeld discovered. Among other things, directory listing is enabled on the directory that stores cached content. That means “anyone could easily recursively download all the database cache keys and extract ones containing sensitive information, such as password hashes,” he wrote.
“A cache is something that is supposed to be read by web applications and not users,” Donenfeld told Security Ledger.
Sites with exposed cache directories are also discoverable using a simple Google search, Donenfeld said.
Even with directory listings off, cache files are still publicly downloadable by default with W3 Total Cache. Yes, a hacker (or snooper) would need to know the key values and file names of the cache items, but Donenfeld said both are “easily predictable.”
Donenfeld developed a proof-of-concept exploit for the hole that allows a would-be attacker to try to glean password hashes from blogs running W3 Total Cache, using a brute force attack to guess possible W3 Total Cache keys from different user- and site ID combinations.
A quick search revealed a number of web sites running the W3 Total Cache plugin that have publicly accessible directories of cached content. They include Triton Submarines, a maker of manned submersibles, and the Family Policy Network, a U.S.-based conservative Christian group that says its mission is to confront “immorality” in the public square and educate Christians “on important moral issues in public and corporate policy.”
Still, Donenfeld said the security holes are probably better classified as “configuration errors” than vulnerabilities – enabling risky features by default, and giving users too few ways to securely configure the plug-in. In a subsequent post on Full Disclosure, he said that W3 Edge, the company that makes W3 Total Cache, plans an update to correct the issues he had identified.
In the meantime, W3 Total Cache users can remediate the vulnerability by disabling the “database cache” and “object cache” options and flushing any existing caches created with W3 Total Cache, Donenfeld said.
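Site owners who want to know whether their cache directory was browsed or probed before it was flushed can search the web server's access log for the two patterns described above: a served directory listing, and a run of guessed cache file names. The following is an added example, not Donenfeld's code or part of the plugin; the cache URL prefix is a placeholder, and the threshold and sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: placeholder for the site's cache URL prefix (the article gives no path).
CACHE_PREFIX = "/wp-content/CACHE-DIR-PLACEHOLDER/"
GUESS_THRESHOLD = 20  # assumption: distinct missing cache paths before flagging a client
# Combined Log Format: ip - - [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def audit_cache_access(lines, prefix=CACHE_PREFIX, guess_threshold=GUESS_THRESHOLD):
    """Return {client_ip: [findings]} for requests under the cache prefix."""
    seen = defaultdict(lambda: {"listing": set(), "file": set(), "miss": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        path = target.split("?", 1)[0]
        if not path.startswith(prefix):
            continue
        if status == "200":  # a 200 on a path ending in "/" is treated as a listing
            seen[ip]["listing" if path.endswith("/") else "file"].add(path)
        elif status == "404":
            seen[ip]["miss"].add(path)
    report = {}
    for ip, s in seen.items():
        findings = []
        if s["listing"]:
            findings.append("directory-listing-served")
        if s["file"]:
            findings.append("cache-file-downloaded")
        if len(s["miss"]) >= guess_threshold:
            findings.append("key-guessing-suspected")
        if findings:
            report[ip] = findings
    return report

def sample_log(p=CACHE_PREFIX):
    """Constructed log lines (documentation IP ranges), not real traffic."""
    fmt = '{} - - [01/Jan/2024:10:00:00 +0000] "GET {} HTTP/1.1" {} 512 "-" "-"'
    lines = [fmt.format("192.0.2.10", p, 200),
             fmt.format("192.0.2.10", p + "a/b/item1", 200),
             fmt.format("203.0.113.7", "/index.php", 200)]
    lines += [fmt.format("198.51.100.5", f"{p}x/{i:04d}", 404) for i in range(25)]
    lines.append(fmt.format("198.51.100.5", p + "x/hit", 200))
    return lines

if __name__ == "__main__":
    for ip, findings in sorted(audit_cache_access(sample_log()).items()):
        print(ip, ", ".join(findings))
```

Any client reported with `cache-file-downloaded` received cached content directly, so the data held in those cache files should be treated as disclosed.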
Requests for comment from Mr. Donenfeld and W3 Edge by The Security Ledger were not returned prior to publication.
WordPress is a widely used blogging and content management platform. As a result, it is frequently the target of attacks designed to compromise a large number of web sites. Most recently, The SANS Institute warned of widespread and apparently automated attacks against both WordPress and the Joomla CMS that were being used by cyber criminals to direct unwitting web surfers to sites serving up rogue antivirus and other malicious software. And, last week, a Russian researcher warned of a large-scale spam campaign that leveraged compromised WordPress blogs to promote sites controlled by spammers and their customers.