
Popular Wordpress Plugin Leaves Sensitive Data In the Open

Posted by samzenpus
from the protect-ya-neck dept.
chicksdaddy writes in with a warning about a popular Wordpress plugin. "A security researcher is warning WordPress users that a popular plugin may leave sensitive information from their blog accessible from the public Internet with little more than a Google search. The researcher, Jason A. Donenfeld, who uses the handle 'zx2c4' posted a notice about the add-on, W3 Total Cache on the Full Disclosure security mailing list on Sunday, warning that many WordPress blogs that had added the plugin had directories of cached content that could be browsed by anyone with a web browser and the knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data like password hashes, Donenfeld wrote. W3 Total Cache is described as a 'performance framework' that speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, downloads and the like. The plugin has been downloaded 1.39 million times and is used by sites including mashable.com and smashingmagazine.com, according to the WordPress web site."

  • So, did anyone else look at the linked page and see a big blob of text about payday loans? Kinda amusing for a site that bills itself as a "security ledger".
    • Re:hacked? (Score:5, Informative)

      by SomePgmr (2021234) on Wednesday December 26, 2012 @09:40PM (#42400375) Homepage
      No. But here's a more direct explanation posted by Donenfeld: http://seclists.org/fulldisclosure/2012/Dec/242 [seclists.org]
      • Thanks, saw that, guess I'm used to having to click a couple times to get to actual info from a /. article. Turns out the big blob of text about payday loans only shows up for those of us who are picky about what sites we let run JavaScript code in our browsers. I guess it's just there for SEO link juice and is not intended to be seen by humans. But, security site using WordPress, pointing out WordPress plugin vulnerability, and is hacked, oh the hugh manatee!
        • by X0563511 (793323)

          SEO people need to be drawn and quartered. Assholes do nothing but pollute the web for their own gain.

    • by Anonymous Coward

      proof (as if it were needed) that this cache plugin isn't the only vulnerability in wordpress.

      tfa site runs wordpress, site is hacked with some injected spam links, site posts article about (another) vulnerability in the very software they use. here's your sign

  • by slashmydots (2189826) on Wednesday December 26, 2012 @09:44PM (#42400413)
    - You will get hacked if you use something 1 million+ other people use. It's just a matter of time.
  • by Anonymous Coward on Wednesday December 26, 2012 @09:51PM (#42400463)

    WordPress is a remote shell that happens to also carry a blogging feature...

  • tempfix (Score:5, Informative)

    by Kise (2591127) on Wednesday December 26, 2012 @10:33PM (#42400739)
    You could, say, create a ".htaccess" file in the cache directory and put "deny from all" inside it (without the quotes) in the meantime, until they issue a fix for it.
    • You don't even need to do that. Let wp-supercache set up the rules for mod_rewrite as they are intended (or get your hoster to let you do so by e.g. installing mod_rewrite) and anyone trying to browse your plugin, includes or cache directory will get a nice 403 as a response. If that doesn't work, your host or site is not really set up to run dynamic content. There's a little bit more to useful hosting than just installing PHP, Apache and MySQL...
    • If you use the latest stable Apache (and you should if you use SSL/TLS) those commands will raise an error.

      You must use "Require all denied" if you don't have mod_access_compat installed & enabled.
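
Added example (not part of the thread and not any plugin's code): a Python check for the two deny syntaxes discussed in the comments above, "deny from all" and "Require all denied", applied to a cache directory's .htaccess. The `<IfModule>` wrapper, the function names and the temporary stand-in directory are assumptions of this sketch; point `audit` at whatever cache directory your plugin actually uses.

```python
import os
import re
import tempfile

# Assumed portable rule: valid on Apache 2.2 and on 2.4 without mod_access_compat.
PORTABLE_DENY = """\
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
"""
RE_24 = re.compile(r"^\s*Require\s+all\s+denied\s*$", re.I | re.M)
RE_22 = re.compile(r"^\s*Deny\s+from\s+all\s*$", re.I | re.M)
RE_GUARD = re.compile(r"<IfModule\s+!?mod_authz_core\.c>", re.I)

def classify(text):
    """Classify .htaccess text: 'portable', '2.4-only', '2.2-syntax' or 'none'."""
    has24, has22 = bool(RE_24.search(text)), bool(RE_22.search(text))
    if has24 and has22 and RE_GUARD.search(text):
        return "portable"
    if has24 and not has22:
        return "2.4-only"
    if has22:
        return "2.2-syntax"  # unguarded: errors on 2.4 without mod_access_compat
    return "none"

def audit(cache_dir):
    """Classify the .htaccess inside cache_dir (parent directories are not checked)."""
    path = os.path.join(cache_dir, ".htaccess")
    if not os.path.isfile(path):
        return "none"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify(fh.read())

def harden(cache_dir):
    """Append the portable rule when no deny rule is present; return the new status."""
    if audit(cache_dir) == "none":
        with open(os.path.join(cache_dir, ".htaccess"), "a", encoding="utf-8") as fh:
            fh.write("\n" + PORTABLE_DENY)
    return audit(cache_dir)

def demo():
    """Run against a constructed, empty stand-in for a plugin cache directory."""
    with tempfile.TemporaryDirectory() as cache_dir:
        return audit(cache_dir), harden(cache_dir)

if __name__ == "__main__":
    print(demo())  # ('none', 'portable')
```

The rule only takes effect where Apache is configured to honour .htaccess files (AllowOverride); other web servers ignore the file entirely.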

  • No fucking shit (Score:2, Insightful)

    by Legion303 (97901)

    "Popular Wordpress Plugin Leaves Sensitive Data In the Open"

    This happens at least twice a week. Don't use Wordpress. Or if you have to use Wordpress, lock it the fuck down and don't install plugins.

  • by Anonymous Coward on Wednesday December 26, 2012 @10:48PM (#42400837)

    A wordpress plugin with security issues? Well, I never...

  • "The content of those directories could be downloaded, including directories containing sensitive data like password hashes"...

    All the WordPress installations I've dealt with (quite a few, it's part of my job) had users' password hashes stored in a MySQL database. I wonder why the W3 plugin is writing them to the file system in the first place?
  • I'm sure it's no surprise to anyone here, but there are plenty of other WordPress plugins that do the same thing. Some backup plugins [google.com] seem to be particularly good at this, giving you unrestricted access to entire DB backups which you can hack in your own time.
  • by Qzukk (229616) on Wednesday December 26, 2012 @11:30PM (#42401063) Journal

    It's (the end of) 2012, why the hell are people STILL putting their data stores in web-accessible directories below DocumentRoot?

    I specifically made a conscious decision to set up my very first PHP application to store uploaded files and configuration files in an inaccessible folder way back in 2002 specifically to avoid bullshit like that, which seems to me must have been going on for long enough that I knew better back then as a noob fresh out of college.

    • by mysidia (191772)

      It's (the end of) 2012, why the hell are people STILL putting their data stores in web-accessible directories below DocumentRoot?

      For the same reason that people are still picking simple passwords. Because it's easy, and doing the right thing is less convenient.

    • just run 'chmod -R 777 ~' on your host - somehow this makes everything better!

    • > It's (the end of) 2012, why the hell are people STILL putting their data stores in web-accessible directories below DocumentRoot?
      Because PHP.

  • With a whole bunch of payday loan text spam at the top. Wonder what plugin caused that?
  • So that's why my last email from paypalcom.tk forwarded me to a URL that looked like this:
    http://joesdumbblog.net/wp-admin/plugins/css/https.paypal.com.php [joesdumbblog.net]
  • by zx2c4 (716139) <SlashDot@NoSPam.zx2c4.com> on Thursday December 27, 2012 @03:46AM (#42402055) Homepage

    Hi folks, I'm Jason, the guy who found this bug.

    I feel kind of embarrassed this is on the front page. I like to think that I spend time doing cooler things [zx2c4.com] than reading PHP, let alone the source of random Wordpress plugins. My brother lives at the south pole and has a pretty damn cool blog about it [jeffreydonenfeld.com] (yay, more linkspam!), but the NASA satellite only flies overhead a few times a day, and bandwidth is pretty limited, so he asked me to help with some maintenance, and in the process I noticed this. But now the Intertubes have me pinned as a Wordpresser, alas. I guess that's just how it goes.

    Anyway, my feeling on this is basically, to put it in /. terms -- "Random Wordpress plugin has gaping security hole... news at 11!" If you want a reasonably secure Wordpress rig, it's probably best to stick with plugins and themes put out by Automattic.

    It wasn't mentioned in the linked article, so it's worth noting here -- I think the best remediation, until W3 Edge releases a fix (he's on Christmas vacation now or something I think), is to either disable the plugin entirely, or, if that's not a possibility, just disable the object cache and database cache, and then empty all caches. Doing that should at least clear up this hole.

    -- Jason

    • by Kergan (780543)

      I haven't used WP in a long time, so I don't know precisely what Total Cache does nowadays, but it seems to me that the security hole you disclosed would only ever apply if object and/or query caching is turned on with the disk used as the persistent store.

      If so, I'd like to stress that this is a horrific setup which doesn't scale at all. The initial WP object caching implementation functioned precisely the same way in the WP core. It got disabled by default almost immediately because the high amount of dis

  • That's what happens when you rely on the php community.
