W3 Total Cache (W3TC) can leave WordPress websites open to compromise. The vulnerability was discovered by researcher Jason A. Donenfeld and reported recently on one of the security mailing lists archived at seclists.org.
W3 Total Cache is a plugin that lets site owners speed up their WordPress websites by using a series of caches.
According to the forum post, the vulnerability means:
anyone could easily recursively download all the database cache keys, and extract ones containing sensitive information, such as password hashes
The hashes cannot be reversed directly, but once an attacker has downloaded them they can be cracked offline at leisure, so any user with a weak or reused password is effectively exposed.
The root of the vulnerability lies in the intersection of two configuration settings, one at the web server level and the other at the W3 Total Cache database caching level. You are exposed if both of the following are true: W3TC's database cache is enabled and uses the disk caching method, and your web server serves the cache directory (wp-content/w3tc/dbcache/) publicly with directory listing enabled. Note that directory listing is only what makes enumeration easy; as long as the cache files themselves are web-readable, anyone who knows or guesses a file name can still fetch it, so access to the directory should be denied outright rather than just the index turned off.
All credit to Frederick, the plugin's author: he acted on the report and quickly released version 0.9.2.5 of W3TC to patch the issue.
Fix The Issues with W3 Total Cache Today
Website owners who use W3 Total Cache should immediately do the following (or get their webmasters to do it):
- Upgrade W3TC on their sites. This can generally be done by logging into wp-admin, navigating to the Plugins menu and upgrading W3TC through the "Update Now" button. Frederick also suggests that simply deactivating W3 Total Cache, uninstalling it, and re-installing it from wordpress.org will apply the hotfix upon re-activation.
- Disable directory indexing and deny web access to the "wp-content/w3tc/dbcache/" directory (you can do this through cPanel and / or .htaccess)
- Empty the database cache for good measure, since entries already written to disk stay there until cleared: go to wp-admin -> Performance and click on "Empty All Caches"
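The following script carries out the two server-side steps above (locking down the cache directory and emptying it) in one go. It is an added example written for this article, not code from the original post or from the W3TC project. It assumes an Apache web server that honours .htaccess files in wp-content (AllowOverride must permit Options and Limit/AuthConfig directives), and takes the WordPress root directory as its single argument; the directory name wp-content/w3tc/dbcache is the one quoted in the post.

```shell
#!/bin/sh
# Added example: harden the W3TC disk database cache directory.
# Assumptions: Apache with .htaccess support (AllowOverride Options,Limit,AuthConfig),
# and the WordPress installation root passed as $1.

# Write a deny-all .htaccess into the dbcache directory and purge cached files.
# Returns 0 on success, non-zero if the directory could not be prepared.
harden_w3tc_dbcache() {
    wp_root="$1"
    cache_dir="$wp_root/wp-content/w3tc/dbcache"

    mkdir -p "$cache_dir" || return 1

    # Both Apache 2.4 (mod_authz_core) and 2.2 syntaxes are included so the same
    # file works on either version. "Options -Indexes" stops the directory listing;
    # the deny rules stop individual cache files from being fetched by name.
    cat > "$cache_dir/.htaccess" <<'EOF'
Options -Indexes
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF

    # Empty the on-disk cache: entries written before the fix may still contain
    # sensitive rows (e.g. wp_users with password hashes). Keep the .htaccess.
    find "$cache_dir" -type f ! -name .htaccess -exec rm -f {} + || return 1
}

# Verify the hardening: .htaccess present with an index ban and a deny rule,
# and no cached files left behind. Returns 0 if all checks pass.
dbcache_is_hardened() {
    cache_dir="$1/wp-content/w3tc/dbcache"
    ht="$cache_dir/.htaccess"

    [ -f "$ht" ] || return 1
    grep -q 'Options -Indexes' "$ht" || return 1
    grep -q 'Require all denied' "$ht" || return 1
    grep -q 'Deny from all' "$ht" || return 1

    # Any remaining regular file other than .htaccess means the purge failed.
    leftover=$(find "$cache_dir" -type f ! -name .htaccess | wc -l)
    [ "$leftover" -eq 0 ]
}

# Usage: sh harden_w3tc.sh /var/www/html
if [ "$#" -gt 0 ]; then
    harden_w3tc_dbcache "$1" && dbcache_is_hardened "$1" \
        && echo "dbcache directory hardened and emptied" \
        || { echo "hardening failed" >&2; exit 1; }
fi
```

Run it once after upgrading the plugin, then confirm from outside the server that https://your-site/wp-content/w3tc/dbcache/ now returns 403 rather than a listing. Nginx does not read .htaccess, so on Nginx the equivalent is a location block for /wp-content/w3tc/ that returns 403; disabling "autoindex" alone is not enough for the same reason given above.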
Of course, there are other caching solutions out there, and we've had WP Super Cache recommended on several occasions.