Popular Wordpress Plugin Leaves Sensitive Data In the Open 54
chicksdaddy writes in with a warning about a popular Wordpress plugin. "A security researcher is warning WordPress users that a popular plugin may leave sensitive information from their blog accessible from the public Internet with little more than a Google search. The researcher, Jason A. Donenfeld, who uses the handle 'zx2c4' posted a notice about the add-on, W3 Total Cache on the Full Disclosure security mailing list on Sunday, warning that many WordPress blogs that had added the plugin had directories of cached content that could be browsed by anyone with a web browser and the knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data like password hashes, Donenfeld wrote. W3 Total Cache is described as a 'performance framework' that speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, downloads and the like. The plugin has been downloaded 1.39 million times and is used by sites including mashable.com and smashingmagazine.com, according to the WordPress web site."
Re:hacked? (Score:5, Informative)
tempfix (Score:5, Informative)
Well, that's embarrassing... (Score:5, Informative)
Hi folks, I'm Jason, the guy who found this bug.
I feel kind of embarrassed this is on the front page. I like to think that I spend time doing cooler things [zx2c4.com] than reading PHP, let alone the source of random Wordpress plugins. My brother lives at the south pole and has a pretty damn cool blog about it [jeffreydonenfeld.com] (yay, more linkspam!), but the NASA satellite only flies overhead a few times a day, and bandwidth is pretty limited, so he asked me to help with some maintenance, and in the process I noticed this. But now the Intertubes have me pinned as a Wordpresser, alas. I guess that's just how it goes.
Anyway, my feeling on this is basically, to put it in /. terms -- "Random Wordpress plugin has gaping security hole... news at 11!" If you want a reasonably secure Wordpress rig, it's probably best to stick with plugins and themes put out by Automattic.
It wasn't mentioned in the linked article, so it's worth nothing here -- I think the best remediation, until W3 Edge releases a fix (he's on Christmas vacation now or something I think), is to either disable the plugin entirely, or, if that's not a possibility, just disable the object cache and database cache, and then empty all caches. Doing that should at least clear up this hole.
-- Jason