W3 Total Cache <= 0.9.4.1 – Authenticated Arbitrary PHP Code Execution



Description
This one is very easy to exploit through the settings import feature. This is what W3TC does once your file is uploaded:
**********
    /**
     * Imports config content
     *
     * @param string $filename
     * @return boolean
     */
    function import($filename) {
        if (file_exists($filename) && is_readable($filename)) {
            $data = file_get_contents($filename);
            if (substr($data, 0, 5) == '<?php')
                $data = substr($data, 5);

            $config = eval($data); // the uploaded file's contents are executed as PHP

            if (is_array($config)) {
                foreach ($config as $key => $value)
                    $this->set($key, $value);

                return true;
            }
        }

        return false;
    }
**********
The bad line is $config = eval($data); : the whole uploaded file is evaluated as PHP code, and the only pre-processing is stripping a leading <?php tag. Nothing checks that the file is a plain configuration array before it runs, so a user who can reach the settings import can upload a PHP script that creates a backdoor (or does anything else the web server user is allowed to do). A settings import thereby becomes arbitrary code execution.
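The following is an added example, not code from this page or from the W3 Total Cache plugin. It places the vulnerable import() pattern quoted above next to a hardened version that treats the upload as data: the file is parsed as JSON instead of evaluated, and only allow-listed option names with scalar values are accepted. The function names, the JSON format, the key allowlist and the size cap are assumptions made for this demonstration and are not a description of how version 0.9.5 fixed the issue. The benign and hostile input files are constructed by the script itself in the temp directory; the hostile one only creates a marker file where a real attacker would drop a web shell.

```php
<?php
// Added example, not W3TC code: vulnerable import() pattern vs. a hardened one.
// import_vulnerable/import_safe, the JSON config format and the allowlist are
// assumptions for this demo, not the plugin's actual API or fix.

/** Vulnerable: mirrors the pattern quoted in the advisory. Any PHP in the file runs. */
function import_vulnerable(string $filename): ?array
{
    if (!file_exists($filename) || !is_readable($filename)) {
        return null;
    }
    $data = file_get_contents($filename);
    if (substr($data, 0, 5) == '<?php') {
        $data = substr($data, 5);
    }
    $config = eval($data);          // attacker-controlled source code executes here
    return is_array($config) ? $config : null;
}

/**
 * Hardened: the upload is data, never code. Parse a data-only format (JSON),
 * then accept only known option names carrying scalar (or null) values.
 */
function import_safe(string $filename, array $allowed_keys): ?array
{
    if (!is_file($filename) || !is_readable($filename)) {
        return null;
    }
    $data = file_get_contents($filename);
    if ($data === false || strlen($data) > 65536) {   // size cap is an arbitrary assumption
        return null;
    }
    try {
        $config = json_decode($data, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;                 // PHP source, serialized objects, etc. are rejected here
    }
    if (!is_array($config)) {
        return null;
    }
    $clean = [];
    foreach ($config as $key => $value) {
        if (!is_string($key) || !isset($allowed_keys[$key])) {
            return null;             // unknown option name: reject the whole import
        }
        if (!is_scalar($value) && $value !== null) {
            return null;             // no nested structures, no objects
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// --- Demonstration with constructed files (not real exports) in the temp directory ---
$dir    = sys_get_temp_dir();
$marker = $dir . '/w3tc_demo_marker';
@unlink($marker);

// Benign export in the original PHP-array style.
$benign = $dir . '/benign_config.php';
file_put_contents($benign, "<?php return array('pgcache.enabled' => true);");

// Hostile upload: valid PHP with a side effect before it returns an array.
$hostile = $dir . '/hostile_config.php';
file_put_contents($hostile, "<?php file_put_contents('$marker', 'pwned'); return array();");

var_dump(import_vulnerable($benign));    // the expected config array
var_dump(import_vulnerable($hostile));   // empty array, but the side effect already happened
echo file_exists($marker) ? "vulnerable import ran attacker code\n" : "no side effect\n";
@unlink($marker);

$allowed = ['pgcache.enabled' => true, 'dbcache.enabled' => true];
$json    = $dir . '/config.json';
file_put_contents($json, '{"pgcache.enabled": true}');

var_dump(import_safe($json, $allowed));     // the same config, parsed as data
var_dump(import_safe($hostile, $allowed));  // NULL: PHP source is not valid JSON
echo file_exists($marker) ? "safe import ran attacker code\n" : "safe import executed nothing\n";
```

The point of the hardened version is not the JSON format in particular but that no code path hands uploaded bytes to eval(), include(), unserialize() or anything else that can execute or instantiate attacker-chosen content; rejecting unknown keys additionally stops an import from smuggling in settings the form never exposes.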

Affects Plugin

Fixed in version 0.9.5

References

URL https://secupress.me/blog/4-new-security-flaws-w3-total-cache-0-9-4-1/

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Submitter SecuPress
Submitter Website https://secupress.me
Submitter Twitter secupress
Views 1176
Verified No
WPVDB ID 8629

Timeline

Publicly Published 2016-09-26 (about 2 years ago)
Added 2016-09-26 (about 2 years ago)
Last Updated 2018-01-02 (10 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.