Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request: W3 Total Cache - public cache exposure
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 29 Dec 2012 20:35:23 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/29/2012 04:45 AM, Jason A. Donenfeld wrote:
On Sat, Dec 29, 2012 at 6:35 AM, Kurt Seifried
<kseifried () redhat com> wrote:


As I understand it this is more of an .htaccess type issue than
an actual issue with W3 total cache? Is this documented anywhere
in the W3 total cache documents?


W3 generates .htaccess files and sets up the directory structure
and accesses. Nowhere is it documented that sysadmins should
additionally modify the .htaccess files to protect the cache, and
W3's own htaccess generation fails to protect it.

Please use CVE-2012-6077 for this issue.

2. Hash keys are easily predictable, in the case of (1) not 
existing.

explanation/algorithm/?


Sure:

query_md5=md5("SELECT * FROM ${db_prefix}users WHERE ID = 
'${user_id}'") key=md5("w3tc_${host}_${site_id}_sql_${query_md5}") 
url=" 
http://siteblabla/wp-content/w3tc/${key:0:1}/${key:1:1}/${key:2:1}/${key}";

 "db_prefix" is by default "wp_", per wordpress config, and few
people go in and change that. "user_id" is an integer. IDs start at
1 and increase for each added user. "site_id" is an integer that
also starts at 1 and increases for each site used in multi-site
wordpress. "host" is the hostname of the site. All of these values
are known or guessable.

Please use CVE-2012-6078 for this issue.

3. Cached database values are downloadable by their hash keys
on the public internet, exposing sensitive information like
password hashes.

Do they need to be downloadable? That is to say can these hash
values be protected, or must they be exposed?


They _must_ be protected. They _must not_ be exposed or
downloadable. The hash values are raw SQL query responses, so they
contain things like password hashes. The cache is used only
internally by the web application, and client browsers should never
have any direct contact with this cache.

Please use CVE-2012-6079 for this issue.

Thanks for the explanations.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ37Z7AAoJEBYNRVNeJnmT9wMQANakD23SI8oeDJyTAfpwTYju
i1yRsLUjEVDvpO1ydv5xZw6GKTLPVB/Hm732tAa90YSOjBQHCfrFlMtflCYvgw66
Ex++kTnLjdawh8BX9WGsCTFoiI4doYrBerSl/TmH6NwEo/fZP5fumeFaMdbUzXru
QgXok5CpQQK0DqiDZLLwt7lHBjnbY+pylb7ddybS0SUX3AAC7brfVkabGQM+ZWjH
hk7OQklJtG+oJbcj6+8tp65Kxp6hQsJPUGoLc7hu47HpidcnVT/KGYCX4huovZPv
wdz7yLsJgIxO4IDe0NuZKdqeEV9YKKs2blTEAj76zs8EaYUOKscnjDButZdW12NJ
FgXFr3ag43Li7Ro5tMUsbBq/hK2oJtysUJlwTZAlbGpEmMOtAS7CnoOtS55DzPOQ
4pXljZ/f+7GMNnFEIF18MeLZZPMD5VH5Xu/Vf54C1AaBx1A1JOAIVfoycI2ts/tP
c5ABAUNqkz43zn4Zwr6Edh58WJI1pgVy2/XwP1fGvUeaw/tUURvhVMQNKOiI6OfG
Qp0z36ac93Y3NXGnj71rHxYmIaRZI7yR9yTCYTR5dESlqXZLUlSbzf6Nz6djqS/Q
JR9JhxDaO1ysQ4+2ONBbcKxM/0U4Hg58SntsVxze03PmE5hYC9bF9UXaCDmEbInT
bYrJ9nl/lslPd2LHnLbs
=SO/W
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]