Jason A. Donenfeld has discovered a critical vulnerability in one of the most popular WordPress plugins, "W3 Total Cache". The plugin improves the user experience of a site by improving server performance, caching every aspect of the site.
The cache data is stored in a publicly accessible directory, which means a malicious hacker can browse and download the password hashes and other database information.
A simple Google search for "inurl:wp-content/plugins/w3tc/dbcache" returns a list of WordPress sites affected by this vulnerability.
According to Jason, the cache files are publicly downloadable by default, and the key values / file names of the database cache items are easily predictable, even with directory listing off.
He also published a simple shell script to identify and exploit this bug:
http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh
WordPress users are advised to either upgrade the plugin to the new version or deny access to the plugin's cache directory by adding an extra .htaccess file in that folder.
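The .htaccess mitigation described above, as an added helper that is not part of the article or of W3 Total Cache: it audits a site's webroot for a deny-all rule on the database cache directory and writes one if it is missing. It assumes Apache honours .htaccess in the document root (AllowOverride enabled) and that the cache lives at the wp-content/plugins/w3tc/dbcache path quoted in the article; the sample webroot it runs against is constructed in a temporary directory.

```python
#!/usr/bin/env python3
"""Audit, and optionally fix, a W3 Total Cache install whose database cache
directory is reachable over HTTP, by adding a per-directory Apache deny rule.

Hypothetical helper written for this article; not W3 Total Cache's own code.
Assumes AllowOverride permits authorization directives in .htaccess."""
from pathlib import Path
import tempfile

# Cache location as quoted in the article (assumption: relative to the webroot).
CACHE_SUBDIR = Path("wp-content/plugins/w3tc/dbcache")

# Deny-all rule that works on Apache 2.4 (mod_authz_core, "Require") and on
# Apache 2.2 (legacy "Order"/"Deny"); only the matching block is evaluated.
HTACCESS_DENY = """# Block direct HTTP access to cached database rows
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
"""


def cache_dir_protected(webroot: Path) -> bool:
    """True if the cache directory already carries a deny-all .htaccess."""
    htaccess = webroot / CACHE_SUBDIR / ".htaccess"
    if not htaccess.is_file():
        return False
    text = htaccess.read_text()
    return "Require all denied" in text or "Deny from all" in text


def protect_cache_dir(webroot: Path) -> Path:
    """Write the deny rule if it is missing; returns the .htaccess path."""
    cache = webroot / CACHE_SUBDIR
    cache.mkdir(parents=True, exist_ok=True)
    htaccess = cache / ".htaccess"
    if not cache_dir_protected(webroot):
        htaccess.write_text(HTACCESS_DENY)
    return htaccess


def demo() -> bool:
    """Constructed sample webroot: unprotected before the fix, protected after."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / CACHE_SUBDIR).mkdir(parents=True)
        before = cache_dir_protected(root)
        protect_cache_dir(root)
        after = cache_dir_protected(root)
    return (not before) and after


if __name__ == "__main__":
    print("cache directory protected" if demo() else "FAILED")
```

Point `protect_cache_dir` at a real webroot only after confirming the server reads .htaccess there; on a host where AllowOverride is None the rule is silently ignored and access must be denied in the main server configuration instead.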