Dangerous vulnerability in caching plugins for WordPress

Posted: April 25, 2013 in Vulnerabilities, Vulnerability News

A dangerous flaw has been detected in popular caching plugins that allows arbitrary PHP code to be executed on the target system.

Information security researcher Frank Goosen has published details of a vulnerability in the popular WordPress page-caching plugins WP Super Cache and W3 Total Cache, which have more than six million downloads. The vulnerability allows an attacker to inject and execute arbitrary PHP code on the target system with the privileges of the web server.

Affected versions:

WP Super Cache 1.2 and earlier
W3 Total Cache 0.9.2.8 and earlier

Successful exploitation requires that the dynamic snippet parser be present on the site. An attacker can submit a comment containing PHP code, which will be processed by the parser and executed on the system.

To address the vulnerability, install the latest version of the plugin: WP Super Cache 1.3.1 or W3 Total Cache 0.9.2.9. As a workaround, you can disable dynamic snippets.
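While updating, it is worth checking whether stored comments already contain snippet macros. The following is an added example, not code from the original post or from either plugin: it scans comment bodies for "mfunc" and "mclude" markers and escapes them so they are stored as inert text. It assumes the macros appear in the HTML-comment form `<!--mfunc ...-->`; the function names and sample comments are constructed for illustration.

```python
import re

# Assumption: dynamic-snippet macros use the HTML-comment form, e.g.
# "<!--mfunc ...-->" / "<!--/mfunc-->"; whitespace and case may vary.
MACRO_RE = re.compile(r"<!--\s*(/?)\s*(mfunc|mclude)\b", re.IGNORECASE)


def find_macros(text):
    """Return (offset, macro_name, is_closing_tag) for every macro marker in text."""
    return [(m.start(), m.group(2).lower(), m.group(1) == "/")
            for m in MACRO_RE.finditer(text)]


def neutralize(text):
    """Escape the '<' of each macro marker so it is stored as inert text."""
    return MACRO_RE.sub(lambda m: "&lt;" + m.group(0)[1:], text)


def scan_comments(comments):
    """Map comment id -> sorted macro names found, for (id, body) pairs."""
    report = {}
    for comment_id, body in comments:
        names = sorted({name for _, name, _ in find_macros(body)})
        if names:
            report[comment_id] = names
    return report


# Constructed sample data (not from the advisory); macro bodies are placeholders.
SAMPLE_COMMENTS = [
    (101, "Great post, thanks!"),
    (102, "Nice <!--mfunc PLACEHOLDER --><!--/mfunc--> article"),
    (103, "I use mfunc in my own theme, is that affected?"),
    (104, "<!--  MCLUDE placeholder.php --><!-- /mclude -->"),
    (105, "<!-- more -->"),
]

if __name__ == "__main__":
    for cid, names in scan_comments(SAMPLE_COMMENTS).items():
        print(f"comment {cid}: contains {', '.join(names)} macro")
```

Comments that merely mention the word "mfunc" or use ordinary HTML comments such as `<!-- more -->` are not flagged; only the macro marker form is.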

System compromise in WordPress W3 Total Cache

Danger level: High
Fix available: Yes
Number of vulnerabilities: 1

Attack vector: Remote
Impact: System Compromise

Affected products: WordPress W3 Total Cache Plugin 0.x

Affected versions: WordPress W3 Total Cache 0.9.2.8, possibly other versions.

Description:

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability is caused by the application improperly restricting access to the “mfunc” and “mclude” macros, which enable PHP code. This can be exploited to inject and execute arbitrary PHP code.

Successful exploitation requires that the constant “W3TC_DYNAMIC_SECURITY” has been defined, and that the attacker has the privilege to add or edit posts, pages or comments that use the “mfunc” and “mclude” macros with the given constant.

Manufacturer URL: http://wordpress.org/extend/plugins/w3-total-cache/

Solution: Update to version 0.9.2.9 from the manufacturer.

PHP code injection in WordPress WP Super Cache

Danger level: High
Fix available: Yes
Number of vulnerabilities: 1

Attack vector: Remote
Impact: System Compromise
CWE ID: CWE-94: Code Injection

Affected products: WordPress WP Super Cache 1.x

Affected versions: WordPress WP Super Cache 1.2 and earlier versions.

Description:

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability is caused by the application improperly restricting access to the “mfunc” and “mclude” macros, which enable PHP code. This can be exploited to inject and execute arbitrary PHP code.

Successful exploitation requires that the constant “W3TC_DYNAMIC_SECURITY” has been defined, and that the attacker has the privilege to edit posts or pages that use the “mfunc” and “mclude” macros with the given constant.

Manufacturer URL: http://wordpress.org/extend/plugins/wp-super-cache/

Solution: Update to version 1.3.2 from the manufacturer’s website.

Frank Goosen: vulnerability details here
