W3 Total Cache <= 0.9.4.1 – Unauthenticated Security Token Bypass


Description
The /pub/apc.php file is used to empty the OPCache/APC. The script seems protected by a nonce (aka security token):

```php
// Vulnerable check as shipped in w3-total-cache <= 0.9.4.1 (kept as-is):
$nonce = W3_Request::get_string('nonce');
$uri = $_SERVER['REQUEST_URI'];

if (wp_hash($uri) == $nonce) {
    // ... cache is emptied here
}
```

But the flaw lies in the `==` operator, which is not the one to use when comparing hashes, because of PHP type juggling: when both operands are numeric strings, `==` compares them as numbers rather than as strings.

You can find an example of type juggling on https://3v4l.org/tT4l8

To exploit the vulnerability, the token (the `wp_hash()` output) has to start with `0e` and all other characters have to be digits, so that PHP treats it as the number 0; then the user can just add a parameter to the URL like `?nonce=0` and it will be validated.

The comparison described above, with the strict alternative that fixes it. This is an added example, not code from the plugin; the `0e...` digest is a constructed value chosen to look like a 32-character hex hash that PHP parses as scientific notation:

```php
<?php
// Added example (not W3 Total Cache code): a loose `==` check on a hex
// digest versus a type-safe comparison.

// Constructed 32-char "digest": "0e" followed by 30 digits. PHP reads it as
// the float 0e<digits> == 0, so it loosely equals "0", "00", "0e5", ...
$storedToken = '0e' . str_repeat('1', 30);

// Vulnerable gate: numeric strings are compared as numbers.
function checkLoose(string $expected, string $supplied): bool
{
    return $expected == $supplied;
}

// Fixed gate: hash_equals() compares bytes, in constant time, and never
// coerces types, so only the exact token string is accepted.
function checkStrict(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

foreach (['0', '0e5', $storedToken] as $supplied) {
    printf(
        "nonce=%-34s loose=%-5s strict=%s\n",
        $supplied,
        checkLoose($storedToken, $supplied) ? 'true' : 'false',
        checkStrict($storedToken, $supplied) ? 'true' : 'false'
    );
}
// Only the exact token passes checkStrict(); '0' and '0e5' pass checkLoose().
```

Note that `===` also closes this hole, but `hash_equals()` is preferable for secrets because it additionally avoids timing side channels.
Proof of Concept
http://example.com/wp-content/plugins/w3-total-cache/pub/apc.php?nonce=0&command=reload_files

Affects

Plugin w3-total-cache
fixed in version 0.9.5

References

URL https://secupress.me/4-new-security-flaws-w3-total-cache-0-9-4-1/

Classification

Type BYPASS

Miscellaneous

Submitter SecuPress
Submitter Website https://secupress.me
Submitter Twitter secupress
Views 599
Verified No
WPVDB ID 8626

Timeline

Publicly Published 2016-09-26 (2 months ago)
Added 2016-09-26 (2 months ago)
Last Updated 2016-09-27 (2 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.