W3TC 0.9.4.1 – 4 other security flaws
On Friday, 23rd September 2016, we talked about a High Risk XSS vulnerability in W3TC and, as I said at the end of that post, "security consultant will try to find more". Well, I did. I did it because we, at WP Media, think it's important for everyone to have a secure website, whatever plugins they're using. Every month we run a security audit on a few plugins from the free WordPress repository, just to check, just to be sure that everyone is safe.
4 New Vulnerabilities
There are many different ways to find vulnerabilities in a plugin: sometimes you stumble on them, sometimes you look for bad patterns or for places where input is echoed back out.
For me, the goal was to find something very harmful, so I focused on file handling and on PHP code execution.
You can find the 4 reports on wpvulndb:
https://wpvulndb.com/vulnerabilities/8626
https://wpvulndb.com/vulnerabilities/8627
https://wpvulndb.com/vulnerabilities/8628
https://wpvulndb.com/vulnerabilities/8629
Security Token Bypass
The /pub/apc.php file is used to empty the OPcache/APC cache. The script appears to be protected by a nonce (a security token):
$nonce = W3_Request::get_string('nonce');  // token taken from the request
$uri   = $_SERVER['REQUEST_URI'];           // hashed with the site salt
if (wp_hash($uri) == $nonce) {              // loose (==) string comparison
    // ... cache flush commands run here
}
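The page does not spell out how the token check is bypassed, so the example below does not claim to reproduce the reported bypass. It is an added illustration, not W3TC code, of the one thing a reviewer would flag on sight in that snippet: a secret-derived hash is compared to attacker-controlled input with PHP's loose `==` rather than a constant-time, type-strict check. `wp_hash()` is stood in for by an HMAC over a constructed salt (`DEMO_SALT`), and the URIs, tokens and the `0e...` digest are all constructed for the demonstration.

```php
<?php
// Added example (not W3TC code): loose "==" versus hash_equals() when checking
// a security token derived from the request URI. DEMO_SALT, demo_wp_hash()
// and every input below are assumptions constructed for this demo.

declare(strict_types=1);

const DEMO_SALT = 'constructed-salt-not-a-real-wp-secret';

/** Stand-in for wp_hash(): keyed MD5 hex digest (32 chars) of the request URI. */
function demo_wp_hash(string $uri): string
{
    return hash_hmac('md5', $uri, DEMO_SALT);
}

/** The pattern from the snippet: hash compared to the token with "==". */
function check_loose(string $uri, string $nonce): bool
{
    return demo_wp_hash($uri) == $nonce;
}

/** Hardened form: constant-time comparison that also fails on length mismatch. */
function check_strict(string $uri, string $nonce): bool
{
    return hash_equals(demo_wp_hash($uri), $nonce);
}

/**
 * Why "==" is the wrong operator for secrets: PHP compares two numeric strings
 * as numbers. A hex digest of the form "0e" followed only by digits is a valid
 * numeric string (0 * 10^n), so it loosely equals "0", "0e0", "00", and so on,
 * although the byte strings differ. Here a digest of that shape is constructed
 * directly so the comparison behaviour can be seen in isolation.
 */
function compare_magic_digest(string $token): array
{
    $magic_digest = '0e' . str_repeat('1', 30);  // constructed 32-char "hash"
    return [
        'loose'  => $magic_digest == $token,
        'strict' => hash_equals($magic_digest, $token),
    ];
}

// Legitimate caller: knows the salt, sends the correct token.
$uri   = '/wp-content/plugins/w3-total-cache/pub/apc.php';
$valid = demo_wp_hash($uri);
printf("valid token, loose : %s\n", var_export(check_loose($uri, $valid), true));
printf("valid token, strict: %s\n", var_export(check_strict($uri, $valid), true));

// Attacker guessing a short numeric token against a "0e..." shaped digest.
foreach (['0', '0e0', 'not-a-token'] as $guess) {
    $r = compare_magic_digest($guess);
    printf("guess %-12s loose=%s strict=%s\n", var_export($guess, true),
        var_export($r['loose'], true), var_export($r['strict'], true));
}
```

Run it with `php demo.php`. The valid token passes both checks; for the constructed `0e...` digest the `==` branch accepts `'0'` and `'0e0'` while `hash_equals()` rejects every guess, because it compares byte for byte and returns `false` when the lengths differ. Whether a real `wp_hash()` output of that shape is reachable for a given site is a separate question; the defensive rule is simply to never compare secrets with `==`, and in WordPress code to reach for `hash_equals()` (or a proper `wp_verify_nonce()` flow) instead.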
Source: https://managewp.org/articles/13473/w3tc-0-9-4-1-4-other-security-flaws
Source: https://williechiu40.wordpress.com/2016/09/27/w3tc-0-9-4-1-4-other-security-flaws/