Flawed WordPress plug-in exposes users (2012/12/28)
Jason Donenfeld said that many WordPress users who had added the plugin had directories of cached content that could be browsed by anyone with a web browser and knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data such as password hashes.
W3 Total Cache speeds up web sites that use the WordPress content management system by caching site content, which shortens page loads and downloads. It has more than 1.39 million users and is used on many sites, including mashable.com and smashingmagazine.com.
Donenfeld found that W3 Total Cache, as installed within WordPress, leaves potentially sensitive data exposed. For example, directory listing is enabled on the cache directory that stores cached content, so anyone could recursively download all the database cache keys and extract the ones containing sensitive information, such as password hashes.
Exposed cache directories are also discoverable using a Google search. Even if you switch directory listings off, cache files are still publicly downloadable by default with W3 Total Cache. All a hacker would need to know is the key values and file names of the cache items, which Donenfeld claims is not exactly rocket science.
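The two weaknesses described above (listable cache directory, and cache files still fetchable by name once listings are off) map to two separate web-server settings. The following `.htaccess` is an added hardening example for site operators and is not from the article or from W3 Edge; the cache directory it is dropped into is a placeholder that must be checked against the actual install, and it assumes Apache 2.4 with `AllowOverride` permitting `Options` and `AuthConfig` in `wp-content`.

```apache
# Added hardening example (not from the article or W3 Edge). Place as
# .htaccess inside the plugin's database/object cache directory; the exact
# directory name is a placeholder and must be verified on your own install.
# Assumes Apache 2.4 and AllowOverride covering Options and AuthConfig.

# Weakness 1: directory listing enabled on the cache directory lets anyone
# enumerate every cache key. Turn listings off for this tree.
Options -Indexes

# Weakness 2: even with listings off, a cache file can still be fetched if
# its name is known. Files that only PHP reads from local disk never need
# to be served over HTTP, so refuse every direct request for them.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 fallback syntax
    Order deny,allow
    Deny from all
</IfModule>
```

Apply this only to cache directories that PHP reads from disk (database and object cache); a page-cache directory that rewrite rules serve straight to browsers would stop working if all HTTP access to it were denied.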
His proof-of-concept software has found a number of interesting exposed directories, including those of Triton Submarines and the Family Policy Network, a US-based conservative Christian group that says its mission is to confront "immorality" in the public square and educate Christians "on important moral issues in public and corporate policy."
In a subsequent post on Full Disclosure, he said that W3 Edge, the company that makes W3 Total Cache, plans an update to correct the problems he had identified.