Last week, we brought our readers a news story covering a vulnerability in the W3 Total Cache WordPress plugin that has affected a number of high traffic websites. The root of the problem was explained in detail by security analyst Jason Donenfeld who published a Full Disclosure post on December 24th outlining how databases could be exposed by would-be hackers, and even went through the trouble of creating a shell script.
Over the weekend, Frederick Townes, who created the W3 Total Cache plugin and is the Chief Technology Officer of Mashable, replied directly to our article and explained how plugin users can fix any outstanding security problems related to the tool in order to make their databases secure.
Frederick Townes’ Statement
Following is a word-for-word account of Townes’ reply, which was posted on December 29th. “For those of you that use W3 Total Cache to make your sites more performant, thank you. Security issues are always of paramount interest, no matter the scope.
The root of the possible vulnerability lies in the intersection of two configuration settings, one at the Web Server level and the other at the W3 Total Cache database caching level. You may be vulnerable if the following are true: your server is configured to allow directory listing with enabled public access on W3TC’s database caching directories, and you also use database caching via the disk caching method. These settings would allow a hacker to break the md5 hashing used for the then publicly accessible cached database objects. The manner, extent and timing of the vulnerability’s report leave much to be desired; nonetheless, the versions have now been patched on wordpress.org. Thanks to those that offered remediation advice. I’m sorry for the delay in turning this around; none of the proposed solutions were satisfactory.
The hotfix (tested with WordPress version 3.5) will help those who are just now upgrading to 0.9.2.4 or are otherwise getting started with W3 Total Cache. Specifically, the hash logic is improved via wp_hash(), significantly stronger than the previous md5 hashing at the compromise of a bit of speed. I’ve also made sure that a web server’s lack of security around directory listings and the standard file structure of W3TC’s hashing logic are no longer of consequence for those attempting to download them from your server.
For those who are using database caching to disk already, please be sure to disable directory indexing and deny web access to the “wp-content/w3tc/dbcache/” directory in your web configuration, then empty the database cache for good measure. Or, simply deactivate W3 Total Cache, uninstall it, and re-install it via wordpress.org to have the hotfix applied upon re-activation. Again, empty the database cache for good measure. Your settings will not be lost during this process. If all of this is gibberish to you, then simply disable database caching to disk until the next release or use another method if available. Once again, empty the database cache using the button of the same name available on the database caching settings tab.”
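Townes’ first remediation step is a web server configuration change: disable directory indexing and deny web access to the “wp-content/w3tc/dbcache/” directory. The following .htaccess file is an added example of that change for Apache; it is not part of Townes’ statement and not shipped by the W3 Total Cache plugin. It assumes the file is placed inside wp-content/w3tc/dbcache/ and that the server’s AllowOverride setting permits Options and authorization directives in .htaccess files.

```apache
# Added example (not from Townes' statement or the W3 Total Cache plugin):
# an .htaccess file placed in wp-content/w3tc/dbcache/ so the web server
# never serves the on-disk database cache over HTTP. PHP reads the cache
# files from the filesystem, so blocking HTTP access does not affect caching.

# Disable directory listings so cache file names cannot be enumerated.
Options -Indexes

# Deny every HTTP request for this directory and its subdirectories.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>
```

After adding the file, a request for any path under /wp-content/w3tc/dbcache/ on your own site should return a 403 response, and the directory should no longer render a listing. nginx does not read .htaccess files; the equivalent there is a `location ^~ /wp-content/w3tc/dbcache/` block containing `autoindex off;` and `deny all;`. As Townes advises, empty the database cache afterwards so that no objects written under the old hashing scheme remain on disk.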
Abundant News Coverage
The W3 Total Cache representative went on to wish everyone a happy holiday season and requested that WordPress users paste his reply as a comment to other related news stories. By the end of last week, write-ups had been published by TechSpot.com, eSecurityPlanet.com, The London Register, and ghacks.net.
Download The Updated W3 Total Cache Plugin
With the December 29th update, the W3 Total Cache plugin is currently on Version 0.9.2.5 and is compatible with WordPress 2.8 or higher (this includes WordPress 3.5 “Elvin”). You can download the latest version of W3 Total Cache here if you are interested in using it to improve server performance, reduce download times and cache every aspect of your website.
As always, we will continue to keep our readers informed on any new events that transpire regarding this and other commonly used WordPress tools.