what you don't know can hurt you

WordPress W3 Total Cache 0.9.4.1 Cross Site Scripting

WordPress W3 Total Cache 0.9.4.1 Cross Site Scripting
Posted Nov 11, 2016
Authored by Securify B.V., Sipke Mellema

WordPress W3 Total Cache plugin version 0.9.4.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 540b8fa59c92fee27670136b915841aa

WordPress W3 Total Cache 0.9.4.1 Cross Site Scripting

Change Mirror Download
------------------------------------------------------------------------
Reflected Cross-Site Scripting vulnerability in W3 Total Cache plugin
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the W3 Total Cache
plugin. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a URL provided by an attacker.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160719-0004

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on W3 Total Cache version 0.9.4.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in W3 Total Cache version 0.9.5.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/reflected_cross_site_scripting_vulnerability_in_w3_total_cache_plugin.html

The issue exists in the file inc/options/support/form.php and is caused by the lack of output encoding on the request_id request parameter. The vulnerable code is listed below.

<input type="hidden" name="request_type" value="<?php echo $request_type; ?>" />
<input type="hidden" name="request_id" value="<?php echo $request_id; ?>" />
<input type="hidden" name="payment" value="<?php echo $payment; ?>" />

Proof of concept


Have an authenticated admin visit the URL:

http://<target>/wp-admin/admin.php?page=w3tc_support&request_type=bug_report&request_id="><script>alert('sumofpwn.nl');</script>

A pop-up box should appear, meaning the JavaScript contained in the request_id request parameter was executed by the browser.

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    11 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    17 Files
  • 22
    Aug 22nd
    9 Files
  • 23
    Aug 23rd
    3 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close