Feeds

New WordPress vuln emerges

W3 Total Cache has faulty defaults

Boost IT visibility and business value

Sorry to spoil the day for any sysadmins that thought today would be a slow day, but a security researcher has announced a serious vulnerability in the default configuration of a popular WordPress plugin.

W3 Total Cache, which boasts high-traffic sites like Mashable and Lockergnome among its users, has serious vulnerabilities, according to this post on the Full Disclosure list.

The default setup – that is, when users simply choose “add plugin” from the WordPress catalogue – left cache directory listings enabled, according to poster Jason Donenfield.

This, he said, allows database cache keys to be downloaded on vulnerable installations – and that could expose password hashes. “A simple google search of "inurl:wp-content/plugins/w3tc/dbcache" and maybe some other magic reveals this wasn't just an issue for me”, he writes.

Donenfield later amended the search term to “inurl:wp-content/w3tc”.

“Even with directory listings off,” he continues, “cache files are by default publicly downloadable, and the key values / file name of the database cache items are easily predictable.”

Donenfield says the developer of the plug-in intends to release a fix “soon”. In the meantime, he notes that “deny from all” should be set in the .htaccess file. ®

Boost IT visibility and business value

More from The Register

next story
Computing student jailed after failing to hand over crypto keys
Sledgehammer once again used to crack a nut
USA to insist on pre-flight mobe power probe
Prove it works or it can't come aboard flights to USA
Brit celebs' homes VANISH from Google's Street View
Tony Blair's digs now a Tone-y Blur
Doctor Who season eight scripts leak online
BBC asks fans to EXTERMINATE copies before they materialise
Insecure AVG search tool shoved down users' throats, says US CERT
Sneaky 'foistware' downloads install things you never asked for
New NSA boss plays down impact of Snowden leaks
You have not heard me say 'OMG, the sky is falling'
'I don't want to go on the cart' ... OpenSSL revived with survival roadmap
Heartbleed-battered crypto library reveals long path back to health
MONSTER COOKIES can nom nom nom ALL THE BLOGS
Blog networks can be force-fed more than they can chew
prev story

Whitepapers

How modern custom applications can spur business growth.
In this whitepaper learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
The Power of One eBook: Top reasons to choose HP BladeSystem
Only the Power of One delivers leading infrastructure convergence, availability and scalability with federation, and agility through data center automation.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximizing your infrastructure through virtualization
Virtualization continues to be one of the most effective ways to consolidate, reduce cost, and make data centers more efficient.
Build a Business Case: Developing Custom Apps
In this whitepaper learn how to maximize the value of custom applications by accelerating and simplifying their development.