W3 Total Cache <= 0.9.4.1 – Authenticated Arbitrary PHP Code Execution


Description
This one is very easy to exploit using the import settings feature. This is what W3TC does once your file is uploaded:
**********
    /**
     * Imports config content
     *
     * @param string $filename
     * @return boolean
     */
    function import($filename) {
        if (file_exists($filename) && is_readable($filename)) {
            $data = file_get_contents($filename);
            // Only the leading "<?php" tag is stripped; nothing else in the file is checked
            if (substr($data, 0, 5) == '<?php')
                $data = substr($data, 5);

            // The whole uploaded file is executed as PHP code here
            $config = eval($data);

            if (is_array($config)) {
                foreach ($config as $key => $value)
                  $this->set($key, $value);

                return true;
            }
        }

        return false;
    }
**********
The bad line is $config = eval($data); because it means that the entire content of the uploaded file is evaluated like any other PHP code. Basically, we can send a PHP script that will create a backdoor.
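As an added example (not W3TC's own code, nor its 0.9.5 fix), here is how the same import feature can be written without eval(): the uploaded file is parsed as JSON and only allowlisted keys of the expected type are accepted. The setting names in the allowlist and the SafeConfigImport class are assumed for illustration.

```php
<?php
// Added example, not W3TC's own code: an import() that never evaluates the
// uploaded file. Settings must be JSON and every key must be in an allowlist
// with the expected type. The key names below are assumed for illustration.
class SafeConfigImport {
    /** @var array<string,string> setting name => expected gettype() result (assumed allowlist) */
    private $allowed = array(
        'pgcache.enabled'  => 'boolean',
        'dbcache.enabled'  => 'boolean',
        'pgcache.lifetime' => 'integer',
    );
    private $values = array();
    function set($key, $value) { $this->values[$key] = $value; }
    /**
     * Imports config content from a JSON file; never runs it as PHP.
     * @return boolean true on success; false for unreadable, non-JSON, or disallowed input
     */
    function import($filename) {
        if (!is_file($filename) || !is_readable($filename)) {
            return false;
        }
        $data = file_get_contents($filename);
        // A PHP prologue means the file was meant to be executed; refuse it instead of stripping it.
        if ($data === false || substr($data, 0, 5) === '<?php') {
            return false;
        }
        $config = json_decode($data, true);
        if (!is_array($config)) {
            return false;
        }
        // Validate everything first so a bad entry does not leave a half-applied config.
        foreach ($config as $key => $value) {
            if (!isset($this->allowed[$key]) || gettype($value) !== $this->allowed[$key]) {
                return false;
            }
        }
        foreach ($config as $key => $value) {
            $this->set($key, $value);
        }
        return true;
    }
}
// Constructed sample inputs: a valid settings file, then a PHP file like the one the bug accepted.
$tmp = tempnam(sys_get_temp_dir(), 'w3tc');
file_put_contents($tmp, '{"pgcache.enabled": true, "pgcache.lifetime": 3600}');
$cfg = new SafeConfigImport();
$ok = $cfg->import($tmp);                  // accepted: allowlisted keys, correct types
file_put_contents($tmp, '<?php return array("pgcache.enabled" => true);');
$rejected = !$cfg->import($tmp);           // refused without being executed
unlink($tmp);
```

Rejecting the whole file on the first bad entry, rather than applying the good ones, is deliberate: it keeps a partially malicious upload from changing any setting.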

Affects

Plugin w3-total-cache
fixed in version 0.9.5

References

URL https://secupress.me/4-new-security-flaws-w3-total-cache-0-9-4-1/

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Submitter SecuPress
Submitter Website https://secupress.me
Submitter Twitter secupress
Verified No
WPVDB ID 8629

Timeline

Publicly Published 2016-09-26
Added 2016-09-26
Last Updated 2016-09-27

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.