Update: Popular WordPress Plugin Leaves Sensitive Data in the Open

Editor’s Note: Updated to add comments from Jason Donenfeld. – Paul

A security researcher is warning WordPress users that a popular plugin may leave sensitive information from their blog accessible from the public Internet with little more than a Google search.

The researcher, Jason A. Donenfeld, who uses the handle “zx2c4,” posted a notice about the add-on, W3 Total Cache, on the Full Disclosure security mailing list on Sunday, warning that many WordPress users who had added the plugin had directories of cached content that could be browsed by anyone with a web browser and knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data like password hashes, Donenfeld wrote.

W3 Total Fail Exploit by ZX2C4

W3 Total Cache is described as a “performance framework” that speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, downloads and the like. The plugin has been downloaded 1.39 million times and is used by sites including mashable.com and smashingmagazine.com, according to the WordPress web site.

Donenfeld said he discovered the vulnerability while helping his brother, who is currently working at Amundsen-Scott South Pole Station in Antarctica, troubleshoot his personal blog.

“They only get a satellite passing overhead a couple times a day, so he needed some help with performance. I was poking around and found this directory issue,” he told Security Ledger in a phone conversation.

Simply installing W3 Total Cache from within WordPress appears to leave potentially sensitive data exposed, Donenfeld discovered. Among other things, a cache directory listing feature is enabled on the cache directory, which stores cached content. That means “anyone could easily recursively download all the database cache keys and extract ones containing sensitive information, such as password hashes,” he wrote.

“A cache is something that is supposed to be read by web applications and not users,” Donenfeld told Security Ledger.

Sites with exposed cache directories are also discoverable using a simple Google search, Donenfeld said.

Even with directory listings off, cache files are still publicly downloadable by default with W3 Total Cache. Yes, a hacker (or snooper) would need to know the key values and file names of the cache items, but Donenfeld said both are “easily predictable.”

Donenfeld developed a proof-of-concept exploit for the hole that lets a would-be attacker try to glean password hashes from blogs running W3 Total Cache. It brute-forces possible W3 Total Cache keys by hashing different user- and site-ID combinations and requesting the resulting file names from the cache directory.
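The following is an added example, written for this page; it is not Donenfeld's proof of concept and not W3 Total Cache's code. It models the weakness the article describes: when a cache file name is an unkeyed md5 of a predictable database query, an attacker who can fetch files from the cache directory can enumerate likely queries, hash each one and request the matching file, even with directory listings turned off. It also shows why a keyed hash (a stand-in for the wp_hash() change the developer mentions in the comments, which mixes in the site's secret salts) defeats that enumeration. The cache is modelled as a dictionary, the query templates, table prefixes and sample row are constructed, and the exact key derivation W3 Total Cache used is an assumption, not taken from the plugin's source.

```python
"""Added example: enumerable vs. keyed cache keys (not W3 Total Cache's code).

Assumptions (not from the page): the cache is a dict of file name -> cached
row; the weak key is md5 of the SQL text; the hardened key is HMAC-SHA256
under a secret the attacker does not hold. Sample data is constructed.
"""
import hashlib
import hmac

# Constructed sample: the cached row for user 1 on a blog that uses the
# default "wp_" table prefix. The attacker is after user_pass.
SAMPLE_QUERY = "SELECT * FROM wp_users WHERE ID = '1' LIMIT 1"
SAMPLE_ROW = {"ID": 1, "user_login": "admin",
              "user_pass": "$P$BconstructedExampleHashNotARealOne0"}
SITE_SECRET = b"constructed-secret-salt-for-the-example"


def key_md5(query: str) -> str:
    """Unkeyed key: anyone who can guess the query can compute the name."""
    return hashlib.md5(query.encode()).hexdigest()


def key_keyed(query: str, secret: bytes = SITE_SECRET) -> str:
    """Keyed key: computing the name requires the site secret."""
    return hmac.new(secret, query.encode(), hashlib.sha256).hexdigest()


def build_cache(key_fn) -> dict:
    """Model of a publicly readable cache directory: file name -> contents."""
    return {key_fn(SAMPLE_QUERY): SAMPLE_ROW}


def candidate_queries(prefixes=("blog_", "wordpress_", "wp_"),
                      user_ids=range(1, 11)):
    """The low-entropy space an attacker guesses over: a few table
    prefixes, a handful of user IDs and two ways WordPress might quote them."""
    templates = (
        "SELECT * FROM {p}users WHERE ID = '{u}' LIMIT 1",
        "SELECT * FROM {p}users WHERE ID = {u} LIMIT 1",
    )
    for p in prefixes:
        for u in user_ids:
            for t in templates:
                yield t.format(p=p, u=u)


def brute_force(cache: dict, attacker_key_fn, max_tries: int = 10_000):
    """Hash each candidate query with the attacker's key function and ask the
    cache for that name. Returns (row, tries) on a hit, (None, tries) if the
    whole candidate space is exhausted without one."""
    tries = 0
    for q in candidate_queries():
        if tries >= max_tries:
            break
        tries += 1
        if attacker_key_fn(q) in cache:
            return cache[attacker_key_fn(q)], tries
    return None, tries


def demo():
    """Run both scenarios and return their outcomes for inspection."""
    # Old behaviour: md5 of the query. The attacker computes the same md5.
    weak = brute_force(build_cache(key_md5), key_md5)
    # Hardened behaviour: keyed hash. The attacker does not know SITE_SECRET
    # and has to guess one; no candidate name will match.
    strong = brute_force(build_cache(key_keyed),
                         lambda q: key_keyed(q, b"attacker-guess"))
    return weak, strong


if __name__ == "__main__":
    (row, n_weak), (miss, n_strong) = demo()
    print(f"md5 keys: recovered {row['user_login']!r} hash in {n_weak} requests")
    print(f"keyed keys: {miss} after exhausting {n_strong} candidates")
```

The point to take from the two runs is that the hardened version does not rely on hiding the file layout or the query text; both can be public as long as the secret is not. Conversely, keeping the cache directory world-readable while relying on md5 names is security by obscurity over an input space that is small enough to walk in a few dozen HTTP requests per site.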

A quick search revealed a number of web sites that are running the W3 Total Cache plugin that have publicly accessible directories of cached content. They include Triton Submarines, a maker of manned submersibles and the Family Policy Network, a U.S. based conservative Christian group that says its mission is to confront “immorality” in the public square and educate Christians “on important moral issues in public and corporate policy.”

Still, Donenfeld said the security holes are probably better classified as “configuration errors” than vulnerabilities – risky features enabled by default, and too few ways for users to configure the plug-in securely. In a subsequent post on Full Disclosure, he said that W3 Edge, the company that makes W3 Total Cache, plans an update to correct the issues he had identified.

In the meantime, W3 Total Cache users can remediate the vulnerability by disabling the “database cache” and “object cache” options and flushing any existing caches created with W3 Total Cache, Donenfeld said.

Requests for comment from Mr. Donenfeld and W3 Edge by The Security Ledger were not returned prior to publication.

WordPress is a widely used blogging and content management platform. As a result, it is frequently the target of attacks designed to compromise a large number of web sites. Most recently, The SANS Institute warned of widespread and apparently automated attacks against both WordPress and the Joomla CMS that were being used by cyber criminals to direct unwitting web surfers to sites serving up rogue antivirus and other malicious software. And, last week, a Russian researcher warned of a large scale spam campaign that leveraged compromised WordPress blogs to promote sites controlled by spammers and their customers.

13 Comments

  1. Pingback: W3 Total Cache Wordpress Plugin Reveals Sensitive Information ‹ Social Justice Solutions: Social Work, Social Justice News & Blogs

  2. Just deny read at .htaccess for w3tc directories.

  3. Pingback: SSH FUD Busting | TechSNAP | Jupiter Broadcasting

  4. For those of you that use W3 Total Cache to make your sites more performant, thank you. Security issues are always of paramount interest, no matter the scope.

    The root of the possible vulnerability lies in the intersection of two configuration settings, one at the Web Server level and the other at the W3 Total Cache database caching level. You may be vulnerable if the following are true: your server is configured to allow directory listing with enabled public access on W3TC’s database caching directories and also use database caching via the disk caching method. These settings would allow a hacker to break the md5 hashing used for the then publicly accessible cached database objects. The manner, extent and timing of the vulnerability’s report leave much to be desired; nonetheless, the versions have now been patched on wordpress.org. Thanks to those that offered remediation advice. I’m sorry for the delay in turning this around, none of the proposed solutions were satisfactory.

    The hotfix (tested with WordPress version 3.5) will help those who are just now upgrading to 0.9.2.4 or are otherwise getting started with W3 Total Cache. Specifically, the hash logic is improved via wp_hash(), significantly stronger than the previous md5 hashing at the compromise of a bit of speed. I’ve also made sure that a web server’s lack of security around directory listings and the standard file structure of W3TC’s hashing logic are no longer of consequence for those attempting to download them from your server.

    For those who are using database caching to disk already, please be sure to disable directory indexing and deny web access to the “wp-content/w3tc/dbcache/” directory in your web configuration, then empty the database cache for good measure. Or, simply deactivate W3 Total Cache, uninstall it, and re-install it via wordpress.org to have the hotfix applied upon re-activation. Again, empty the database cache for good measure. Your settings will not be lost during this process. If all of this is gibberish to you, then simply disable database caching to disk until the next release or use another method if available. Once again, empty the database cache using the button of the same name available on the database caching settings tab.

    If you’re reading this and have seen a post about the issue that does not have this response on it, please do post this for me. Thanks in advance. Happy Holidays.

  5. Pingback: Secure Vulnerable Wordpress Files and Directories « Surnia Ulula

  6. Pingback: Insecure Wordpress Cache Plugin Renders Sensitive Data Vulnerable | SiliconANGLE

  7. Pingback: W3 Total Cache- WordPress Plug-in a Major Security risk | drugsandotherthings

  8. Pingback: Popular WordPress Plugin Leaves Sensitive Data In the Open « Talesfromthelou's Blog

  9. You cannot make htaccess directory rules but you can just place a new .htaccess file into the specific folder containing only this:

    deny from all
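Comments 4 and 9 above both point at the same fix for existing installs: turn off directory indexes and deny web access to wp-content/w3tc/dbcache/. The block below is an added example for this page, not code from W3 Edge or from either commenter. It writes a .htaccess that covers both the Apache 2.2 syntax the commenter uses (Deny from all) and the Apache 2.4 syntax (Require all denied), then audits that the directory is protected. It assumes an Apache server whose AllowOverride for the WordPress tree permits Options and access-control directives; the path you pass in is your own, and the self-check uses a temporary directory so it runs offline.

```python
"""Added example: protect a W3TC cache directory with .htaccess and audit it.

Assumption (not from the page): Apache with AllowOverride permitting the
Options and authorization directives below. Nginx users need a location
block that returns 403 for the same path instead; nothing here does that.
"""
import tempfile
from pathlib import Path

HTACCESS = """# Cached database objects must never be served to browsers
Options -Indexes
<IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>
"""

# Directives an audit insists on seeing; both access-control forms so the
# file keeps working across an Apache 2.2 -> 2.4 upgrade.
REQUIRED = ("Options -Indexes", "Require all denied", "Deny from all")


def protect_dir(cache_dir) -> Path:
    """Create the directory if needed and drop the .htaccess into it."""
    d = Path(cache_dir)
    d.mkdir(parents=True, exist_ok=True)
    target = d / ".htaccess"
    target.write_text(HTACCESS)
    return target


def is_protected(cache_dir) -> bool:
    """True only if a .htaccess exists and carries every REQUIRED directive."""
    target = Path(cache_dir) / ".htaccess"
    if not target.is_file():
        return False
    text = target.read_text()
    return all(directive in text for directive in REQUIRED)


def audit(wp_root) -> dict:
    """Check the dbcache directory named on this page under a WordPress root.
    Returns {relative path: protected?}; the list is deliberately short
    because other w3tc subdirectories (the page cache, for instance) are
    meant to be served and must not be denied."""
    base = Path(wp_root) / "wp-content" / "w3tc"
    return {"dbcache": is_protected(base / "dbcache")}


def self_check() -> tuple:
    """Run the audit on a throwaway WordPress tree before and after fixing it."""
    with tempfile.TemporaryDirectory() as root:
        before = audit(root)
        protect_dir(Path(root) / "wp-content" / "w3tc" / "dbcache")
        after = audit(root)
    return before, after


if __name__ == "__main__":
    print(self_check())
```

Two caveats a practitioner will want: if AllowOverride does not permit Options, the Options -Indexes line makes Apache return 500 for the directory, which is still safer than a listing but will look like breakage; and denying access only covers the files already written, so empty the database cache afterwards, as the developer's comment says, in case a copy was fetched before the rule took effect.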
