W3 Total Cache <= 0.9.4.1 – Authenticated Arbitrary File Download


Description
When you're creating a support ticket in the plugin page, you can attach one or more of your theme template files.

These files are then sent to the plugin author to help them resolve the issue.

You select a template and submit the form; as with the files before, it is sent to the author to help them fix the issue.

How does it work:
**********
        /**
         * Attach templates
         */
        foreach ($templates as $template) {
            if (!empty($template)) {
                $attachments[] = $template;
            }
        }
**********
        foreach ($attachments as $attachment) {
            if (is_network_admin())
                update_site_option('attachment_' . md5($attachment), $attachment);
            else
                update_option('attachment_' . md5($attachment), $attachment);
        }
**********
        /**
         * Remove temporary files
         */
        foreach ($attachments as $attachment) {
// ...
            if (is_network_admin())
                delete_site_option('attachment_' . md5($attachment));
            else
                delete_option('attachment_' . md5($attachment));
        }
**********
$attachment_location = filter_var(urldecode($_REQUEST['file']), FILTER_SANITIZE_STRING);
$md5 = md5($attachment_location);
$nonce = $_REQUEST['nonce'];
$stored_nonce = get_site_option('w3tc_support_request') ? get_site_option('w3tc_support_request') : get_option('w3tc_support_request');
$stored_attachment = get_site_option('w3tc_support_request') ? get_site_option('attachment_' . $md5) : get_option('attachment_' . $md5);

if (file_exists($attachment_location) && $nonce == $stored_nonce && !empty($stored_nonce) && $stored_attachment == $attachment_location) {
**********

First, our choices are added to the attachments array; second, an option is created for each one, which is used to be sure that this file was chosen from this support form; then these options are deleted when the submission is done.

Between the option creation and deletion, files.php is called to get the attachment, verified with a nonce and with the created option.

The vulnerability lies in the fact that we can modify (using Firebug, for example) the template name to any other existing file on the site, like wp-config.php.

So now an option has been created with this fake theme template. Then, using the same type juggling flaw as before, I can validate the nonce because of the ==.

You also have to attach a 20 MB file to gain time to exploit this before the option is deleted.

Pointing at the files.php URL like this lets me download wp-config.php. For the same reason as before, an administrator is not always allowed to read the config file: they are a WordPress administrator, not the webmaster, so this represents a vulnerability.
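Added example (not W3 Total Cache code, and not from the SecuPress write-up): a stand-alone PHP script showing the two checks the vulnerable files.php gets wrong and a hardened version of each. The loose nonce comparison is illustrated with a constructed stored value in exponent form ("0e123456"), which is one concrete way a loose == can be satisfied by a supplied "0"; the page does not say which stored value made nonce=0 match in the reporter's environment, so that value is an assumption. The function names, the temporary directory layout and the file contents are likewise constructed for the demonstration.

```php
<?php
// Added example, not W3 Total Cache code. Demonstrates (1) why "$nonce == $stored_nonce"
// is unsafe and how hash_equals() fixes it, and (2) how to restrict a requested
// attachment to real files inside the theme directory so wp-config.php cannot be selected.
declare(strict_types=1);

/**
 * The vulnerable shape of the check: two numeric strings are compared numerically,
 * so "0" == "0e123456" evaluates as 0 == 0.0.
 */
function nonceMatchesLoosely(string $supplied, string $stored): bool
{
    return $supplied == $stored;
}

/**
 * Hardened check: the supplied value must be a string (no arrays from $_REQUEST),
 * the stored nonce must be non-empty, and hash_equals() compares byte-wise with
 * no type juggling and in constant time.
 */
function nonceMatchesStrictly($supplied, string $stored): bool
{
    if (!is_string($supplied) || $stored === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

/**
 * Only accept files that resolve to a real path inside the theme directory.
 * realpath() collapses "../" segments and symlinks before the prefix check.
 */
function isAllowedTemplatePath(string $requested, string $themeDir): bool
{
    $realDir  = realpath($themeDir);
    $realFile = realpath($requested);
    if ($realDir === false || $realFile === false || !is_file($realFile)) {
        return false;
    }
    $prefix = rtrim($realDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realFile, $prefix, strlen($prefix)) === 0;
}

// --- Constructed layout in a temporary directory so the script runs offline ---
$root = sys_get_temp_dir() . '/w3tc_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/wp-content/themes/mytheme', 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed: stand-in for the real config\n");
file_put_contents($root . '/wp-content/themes/mytheme/header.php', "<?php // constructed template\n");
$themeDir = $root . '/wp-content/themes/mytheme';

$storedNonce   = '0e123456'; // constructed stored value, not a real WordPress nonce
$suppliedNonce = '0';        // the "nonce=0" value seen in the PoC URL

printf("loose  == with '%s' vs '%s': %s\n", $suppliedNonce, $storedNonce,
    nonceMatchesLoosely($suppliedNonce, $storedNonce) ? 'accepted' : 'rejected');
printf("strict hash_equals:              %s\n",
    nonceMatchesStrictly($suppliedNonce, $storedNonce) ? 'accepted' : 'rejected');

printf("theme header.php:                %s\n",
    isAllowedTemplatePath($themeDir . '/header.php', $themeDir) ? 'accepted' : 'rejected');
printf("wp-config.php by absolute path:  %s\n",
    isAllowedTemplatePath($root . '/wp-config.php', $themeDir) ? 'accepted' : 'rejected');
printf("wp-config.php via ../ traversal: %s\n",
    isAllowedTemplatePath($themeDir . '/../../../wp-config.php', $themeDir) ? 'accepted' : 'rejected');

// Clean up the constructed files.
unlink($root . '/wp-content/themes/mytheme/header.php');
unlink($root . '/wp-config.php');
rmdir($root . '/wp-content/themes/mytheme');
rmdir($root . '/wp-content/themes');
rmdir($root . '/wp-content');
rmdir($root);
```

Run it with `php demo.php`. The loose comparison accepts the supplied "0" against a stored value that PHP treats as numeric, while hash_equals() rejects it because the bytes differ; the path check accepts only the template inside the theme directory and rejects both the absolute path to wp-config.php and the traversal variant, since realpath() resolves them to a location outside the allowed prefix. In the plugin, the same prefix check belongs at the point where the template name is stored as an option, so a modified form value never becomes a "verified" attachment in the first place.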

Proof of Concept
http://example.com/wp-content/plugins/w3-total-cache/pub/files.php?file=/Users/julio/Sites/wpsolo/wp-config.php&nonce=0

Affects

Plugin w3-total-cache
fixed in version 0.9.5

References

URL https://secupress.me/4-new-security-flaws-w3-total-cache-0-9-4-1/

Classification

Type CSRF
OWASP Top 10 A8: Cross-Site Request Forgery (CSRF)
CWE CWE-352

Miscellaneous

Submitter SecuPress
Submitter Website https://secupress.me
Submitter Twitter secupress
Views 472
Verified No
WPVDB ID 8628

Timeline

Publicly Published 2016-09-26 (2 months ago)
Added 2016-09-26 (2 months ago)
Last Updated 2016-09-27 (2 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.