oss-sec mailing list archives

CVE Request: W3 Total Cache - public cache exposure
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Fri, 28 Dec 2012 09:04:49 +0100

Hi Kurt,

W3 Total Cache: http://wordpress.org/extend/plugins/w3-total-cache/

CVE request for three separate issues:

1. Cache allows directory listing of hash-key listings, exposing hash keys.

2. Hash keys are easily predictable, in the case of (1) not existing.

3. Cached database values are downloadable by their hash keys on the public
internet, exposing sensitive information like password hashes.

Fixing (3) mitigates (1) and (2), so assign this either three CVEs or one
CVE.

Source: http://seclists.org/fulldisclosure/2012/Dec/242

The vendor, copied on this email, currently has not issued a fix.

Thanks,
Jason
