
Popular Wordpress Plugin Leaves Sensitive Data In the Open

samzenpus posted about a year and a half ago | from the protect-ya-neck dept.


chicksdaddy writes in with a warning about a popular Wordpress plugin. "A security researcher is warning WordPress users that a popular plugin may leave sensitive information from their blog accessible from the public Internet with little more than a Google search. The researcher, Jason A. Donenfeld, who uses the handle 'zx2c4', posted a notice about the add-on, W3 Total Cache, on the Full Disclosure security mailing list on Sunday, warning that many WordPress blogs that had added the plugin had directories of cached content that could be browsed by anyone with a web browser and the knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data like password hashes, Donenfeld wrote. W3 Total Cache is described as a 'performance framework' that speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, downloads and the like. The plugin has been downloaded 1.39 million times and is used by sites including mashable.com and smashingmagazine.com, according to the WordPress web site."


Whao (-1)

Anonymous Coward | about a year and a half ago | (#42400285)

Those data thieves stole the first post!

hacked? (1)

daver!west!fmc (536918) | about a year and a half ago | (#42400337)

So, did anyone else look at the linked page and see a big blob of text about payday loans? Kinda amusing for a site that bills itself as a "security ledger".

Re:hacked? (4, Informative)

SomePgmr (2021234) | about a year and a half ago | (#42400375)

No. But here's a more direct explanation posted by Donenfeld: http://seclists.org/fulldisclosure/2012/Dec/242 [seclists.org]

Re:hacked? (2)

daver!west!fmc (536918) | about a year and a half ago | (#42400639)

Thanks, saw that, guess I'm used to having to click a couple times to get to actual info from a /. article. Turns out the big blob of text about payday loans only shows up for those of us who are picky about what sites we let run JavaScript code in our browsers. I guess it's just there for SEO link juice and is not intended to be seen by humans. But, security site using WordPress, pointing out WordPress plugin vulnerability, and is hacked, oh the hugh manatee!

Re:hacked? (2)

X0563511 (793323) | about a year and a half ago | (#42401113)

SEO people need to be drawn and quartered. Assholes do nothing but pollute the web for their own gain.

Re:hacked? (0)

Anonymous Coward | about a year and a half ago | (#42401559)

Exactly, they go through the trouble of camouflaging their keyword spam, but they miss out on the fact that Google would like them better if they had a date of some kind in the url (for obvious blog posts or news articles).


Re:hacked? (1)

Anonymous Coward | about a year and a half ago | (#42400669)

proof (as if it were needed) that this cache plugin isn't the only vulnerability in wordpress.

tfa site runs wordpress, site is hacked with some injected spam links, site posts article about (another) vulnerability in the very software they use. here's your sign

Re:hacked? (0)

Anonymous Coward | about a year and a half ago | (#42402781)

Yes, it is hacked. Opening the website with a browser with the NoScript plug-in clearly shows that it is infected. There are about 13 lines of text and links at the start of the page, all about getting cheap credit: "Interest rate which may offer an age which 30 Day Payday Loan 30 Day Payday Loan is even less egregious in privacy." and so on. This text gets immediately hidden by the page's script if it is allowed to run, hence why most people do not see it.

nice source site (0)

Anonymous Coward | about a year and a half ago | (#42400349)

page has a metric crap ton of keyword spam and links at the top for some scammy payday loan site.

Rule #1 of the internet (4, Insightful)

slashmydots (2189826) | about a year and a half ago | (#42400413)

- You will get hacked if you use something 1 million+ other people use. It's just a matter of time.

Re:Rule #1 of the internet (1)

WGFCrafty (1062506) | about a year and a half ago | (#42400513)

No one has hacked my TI-83 yet (I mean the malicious kind)!

Re:Rule #1 of the internet (1)

Osgeld (1900440) | about a year and a half ago | (#42400615)

is it connected to the internet 24/7?

Re:Rule #1 of the internet (1)

Anonymous Coward | about a year and a half ago | (#42400779)

3.4285714285714285714285714285714

Re:Rule #1 of the internet (1)

Scoldog (875927) | about a year and a half ago | (#42400625)

Who'd want to hack a malicious calculator? That is, unless you are changing it from "Evil" to "Good".

Most modern calculators have a switch on the back for that these days.

Re:Rule #1 of the internet (1)

93 Escort Wagon (326346) | about a year and a half ago | (#42400713)

Is there a hack that improves the abysmal screen resolution?

You said it! (5, Insightful)

psychonaut (65759) | about a year and a half ago | (#42401989)

This is precisely why I don't use PGP, TrueCrypt, ssh, or any of those other "cool" encryption tools used by millions of sheeple. All my data privacy and security needs are taken care of by my own custom-written, unbreakable encryption algorithm.

Re:You said it! (2)

Pope Raymond Lama (57277) | about a year and a half ago | (#42404081)

In 2012 Slashdot - your funny comments are moderated insightful!

Re:You said it! (0)

Anonymous Coward | about a year and a half ago | (#42410639)

Sarcastic isn't the same as funny. Sarcastic comments can be insightful too.

Re:You said it! (1)

Pope Raymond Lama (57277) | about a year and a half ago | (#42410773)

But in this case one can't know if the moderators took the O.P. seriously or not - I'd bet that some of them did.

Re:You said it! (0)

Anonymous Coward | about a year and a half ago | (#42406255)

My friend. Are you aware that all custom algorithms are the easiest ones to break?

Re:You said it! (0)

Anonymous Coward | about a year and a half ago | (#42408723)

Whoosh!!

Re:You said it! (0)

Anonymous Coward | about a year and a half ago | (#42408041)

Double ROT-13?

Re:You said it! (1)

psychonaut (65759) | about a year and a half ago | (#42409339)

Quadruple ROT-13.

Remote Shell (3, Funny)

Anonymous Coward | about a year and a half ago | (#42400463)

WordPress is a remote shell that happens to also carry a blogging feature...

tempfix (5, Informative)

Kise (2591127) | about a year and a half ago | (#42400739)

You could, say, create a ".htaccess" file in the cache directory and put "deny from all" inside it (without the quotes) in the meantime, until they issue a fix for it.

Re:tempfix (0)

Anonymous Coward | about a year and a half ago | (#42401779)

Isn't that, like, in the installation instructions?

I know the forum software I'm running (not Wordpress) has a cache directory, and it explicitly states that you need to make sure that directory isn't accessible from the web, with instructions on how to secure it for various webservers.

Of course, who reads the README file these days.

Re:tempfix (2)

Pf0tzenpfritz (1402005) | about a year and a half ago | (#42402445)

You don't even need to do that. Let wp-supercache set up the rules for mod_rewrite as they are intended (or get your hoster to let you do so, e.g. by installing mod_rewrite) and anyone trying to browse your plugin, includes or cache directory will get a nice 403 as a response. If that doesn't work, your host or site is not really set up to run dynamic content. There's a little bit more to useful hosting than just installing PHP, Apache and MySQL...

Re:tempfix (not apache 2.4+) (1)

corychristison (951993) | about a year and a half ago | (#42403765)

If you use the latest stable Apache (and you should if you use SSL/TLS), those commands will raise an error.

You must use "Require all denied" if you don't have mod_access_compat installed & enabled.

No fucking shit (1, Insightful)

Legion303 (97901) | about a year and a half ago | (#42400747)

"Popular Wordpress Plugin Leaves Sensitive Data In the Open"

This happens at least twice a week. Don't use Wordpress. Or if you have to use Wordpress, lock it the fuck down and don't install plugins.

Re:No fucking shit (-1)

Anonymous Coward | about a year and a half ago | (#42401023)

RTFM. It's nothing to do with the plugin, it's shitty configuration of the web server. I have a server running a WP installation with W3TC and it doesn't exhibit this insecure behaviour. Many others have the same. It's user error not W3TC error iirc.

Re:No fucking shit (2)

X0563511 (793323) | about a year and a half ago | (#42401121)

Actually it has everything to do with the plugin not having proper defaults in its installation.

There's no reason the plugin can't drop its own .htaccess files and such.

Re:No fucking shit (0)

Anonymous Coward | about a year and a half ago | (#42401401)

Agreed.

Options -Indexes

Would solve the immediate issue.

Re:No fucking shit (0)

Anonymous Coward | about a year and a half ago | (#42401539)

Wrong. If you read the article, disabling indexes doesn't completely fix the issue, since the cache files in that dir have predictable names. "deny from all" does the trick.

For people that have an nginx server, it's slightly different than modifying the htaccess file, but still quite trivial.
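The access rules proposed across the "tempfix" and "No fucking shit" threads above (Kise's ".htaccess" with "deny from all", corychristison's point that Apache 2.4 wants "Require all denied" unless mod_access_compat is loaded, the "Options -Indexes" suggestion and its rebuttal, and the nginx remark), gathered into one script. This is an added example, not code from W3 Total Cache or from any of the posters; the cache directory and URL it takes are placeholder assumptions, not the plugin's real paths, and the probe treats a 403 as blocked, a 404 as nothing there to leak, and everything else as exposed.

```shell
#!/bin/sh
# Added example (not the plugin's code, not from any poster): lock a disk
# cache directory away from HTTP clients and verify the result afterwards.
# Every directory path and URL passed to these functions is an assumption;
# substitute the directory the plugin writes its cache into on your install.

# Emit an .htaccess that denies everything on both Apache 2.2 and 2.4.
# 2.4 ships mod_authz_core, so its "Require all denied" branch applies; 2.2
# lacks that module, so the legacy "Deny from all" branch applies instead.
# Guarding both with <IfModule> means neither version sees a directive it
# cannot parse (2.4 without mod_access_compat rejects "Deny from all").
htaccess_deny_all() {
  cat <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
# Hiding the listing alone is not enough (cache file names are guessable),
# but it costs nothing as a second layer underneath the deny rule.
Options -Indexes
EOF
}

# nginx ignores .htaccess; the equivalent is a location block in the vhost.
# $1 is the URI prefix of the cache directory (assumed placeholder).
nginx_deny_all() {
  cat <<EOF
location ^~ $1 {
    deny all;
    return 403;
}
EOF
}

# Write the .htaccess into the cache directory, creating it if needed.
install_htaccess() {
  mkdir -p "$1"
  htaccess_deny_all > "$1/.htaccess"
}

# Classify an HTTP status from the probe: 403 means the rule works, 404 means
# nothing is there; anything else (200, a 301 to an index page, ...) counts
# as exposed. Returns 0 for blocked, 1 for exposed.
classify_status() {
  case "$1" in
    403|404) return 0 ;;
    *)       return 1 ;;
  esac
}

# Probe the directory index and, optionally, one known cache file name.
# $1: URL of the cache directory with trailing slash (placeholder);
# $2: optional file name to try inside it. Returns 1 if anything is reachable.
probe_cache_dir() {
  rc=0
  for target in "" "$2"; do
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1$target" || echo 000)
    if classify_status "$code"; then
      echo "blocked  $1$target ($code)"
    else
      echo "EXPOSED  $1$target ($code)"
      rc=1
    fi
  done
  return $rc
}

# Example invocation (all placeholders):
#   install_htaccess /var/www/html/wp-content/cache
#   nginx_deny_all /wp-content/cache/
#   probe_cache_dir https://example.com/wp-content/cache/ some-cached-file
```

An .htaccess only takes effect where the server's AllowOverride for that directory permits it (Limit for Order/Deny, AuthConfig for Require, Options for Options); on shared hosting that is exactly the setting most often turned off, which is why the probe is worth running after the file is in place rather than trusting that it was honoured.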

WordPress plugin? (3, Funny)

Anonymous Coward | about a year and a half ago | (#42400837)

A wordpress plugin with security issues? Well, I never...

Password hashes? (2)

sound+vision (884283) | about a year and a half ago | (#42400899)

"The content of those directories could be downloaded, including directories containing sensitive data like password hashes"...

All the WordPress installations I've dealt with (quite a few, it's part of my job) had users' password hashes stored in a MySQL database. I wonder why the W3 plugin is writing them to the file system in the first place?

Re:Password hashes? (2)

solarissmoke (2470320) | about a year and a half ago | (#42400953)

It caches DB queries to disk to (ostensibly) enhance performance.

Some more examples (1)

solarissmoke (2470320) | about a year and a half ago | (#42400901)

I'm sure it's no surprise to anyone here, but there are plenty of other WordPress plugins that do the same thing. Some backup plugins [google.com] seem to be particularly good at this, giving you unrestricted access to entire DB backups which you can hack in your own time.


We're STILL doing this? (2)

Qzukk (229616) | about a year and a half ago | (#42401063)

It's (the end of) 2012, why the hell are people STILL putting their data stores in web-accessible directories below DocumentRoot?

I specifically made a conscious decision to set up my very first PHP application to store uploaded files and configuration files in an inaccessible folder way back in 2002, specifically to avoid bullshit like that, which seems to me must have been going on for long enough that I knew better back then as a noob fresh out of college.

Re:We're STILL doing this? (2)

mysidia (191772) | about a year and a half ago | (#42401727)

It's (the end of) 2012, why the hell are people STILL putting their data stores in web-accessible directories below DocumentRoot?

For the same reason that people are still picking simple passwords. Because it's easy, and doing the right thing is less convenient.

Re:We're STILL doing this? (-1)

Anonymous Coward | about a year and a half ago | (#42401917)

If you knew better, you would choose something other than PHP.

Re:We're STILL doing this? (1)

bill_mcgonigle (4333) | about a year and a half ago | (#42403669)

just run 'chmod -R 777 ~' on your host - somehow this makes everything better!

Re:We're STILL doing this? (1)

Pope Raymond Lama (57277) | about a year and a half ago | (#42404113)

> It's (the end of) 2012, why the hell are people STILL putting their data stores in web-accessible directories below DocumentRoot?
Because PHP.

Link in TFA is hacked. :D (1)

caferace (442) | about a year and a half ago | (#42401561)

With a whole bunch of payday loan text spam at the top. Wonder what plugin caused that?

Re:Link in TFA is hacked. :D (0)

Anonymous Coward | about a year and a half ago | (#42403587)

Hah! Go figure

APC or Memcached (0)

Anonymous Coward | about a year and a half ago | (#42402029)

This really only applies if the user has it doing db caches in Disk mode.
If the server was worth anything they would have APC or memcached as an option which doesn't have the exploit and works better anyway.

Well, that's embarrassing... (5, Informative)

zx2c4 (716139) | about a year and a half ago | (#42402055)

Hi folks, I'm Jason, the guy who found this bug.

I feel kind of embarrassed this is on the front page. I like to think that I spend time doing cooler things [zx2c4.com] than reading PHP, let alone the source of random Wordpress plugins. My brother lives at the south pole and has a pretty damn cool blog about it [jeffreydonenfeld.com] (yay, more linkspam!), but the NASA satellite only flies overhead a few times a day, and bandwidth is pretty limited, so he asked me to help with some maintenance, and in the process I noticed this. But now the Intertubes have me pinned as a Wordpresser, alas. I guess that's just how it goes.

Anyway, my feeling on this is basically, to put it in /. terms -- "Random Wordpress plugin has gaping security hole... news at 11!" If you want a reasonably secure Wordpress rig, it's probably best to stick with plugins and themes put out by Automattic.

It wasn't mentioned in the linked article, so it's worth noting here -- I think the best remediation, until W3 Edge releases a fix (he's on Christmas vacation now or something, I think), is to either disable the plugin entirely, or, if that's not a possibility, just disable the object cache and database cache, and then empty all caches. Doing that should at least clear up this hole.

-- Jason

Re:Well, that's embarrassing... (0)

Anonymous Coward | about a year and a half ago | (#42402823)

Couldn't you just use memcached instead of the disk based caching mechanism?

Re:Well, that's embarrassing... (0)

Anonymous Coward | about a year and a half ago | (#42406329)

This. I'm running a fairly large (~75k pageviews/day) WP install on IIS no less using W3TC with a memcached backend. Considering it's WP on IIS (which is an INCREDIBLE dog, performance wise), it's pretty quick.

Re:Well, that's embarrassing... (1)

Kergan (780543) | about a year and a half ago | (#42402841)

I haven't used WP in a long time, so I don't know precisely what Total Cache does nowadays, but it seems to me that the security hole you disclosed would only ever apply if object and/or query caching is turned on with the disk used as the persistent store.

If so, I'd like to stress that this is a horrific setup which doesn't scale at all. The initial WP object caching implementation functioned precisely the same way in the WP core. It got disabled by default almost immediately because the high amount of disk I/O that it generated led a few hosts to shut down busy WP sites. It then got replaced by an object cache that uses a non-persistent in-memory store; and the latter can be upgraded to a persistent memcached-based store on busier sites, and this scales fine.

Imho, if more than a handful of sites are affected (which I doubt), you should suggest to the plugin's author that he prevent users from using such an inanely high amount of disk I/O in the first place, rather than suggesting that he band-aid that broken setup by adding htaccess files in relevant directories.

Re:Well, that's embarrassing... (0)

Anonymous Coward | about a year and a half ago | (#42403521)

Jason,

Just to note. This only affects users who have their dbcache/objectcache set to "Disk". I use APC to store this cache, and therefore you cannot get this information (as far as I know).

This might want to be also published so users know there is an alternative. Disk cache is the default behavior, so it will affect anyone using this plugin with default settings.

Ciao
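A check for the remediation Jason gives above (disable the disk-backed object and database caches, then empty all caches) and for the note that only the "Disk" mode is affected: an added example, not code from the plugin or from either poster, that searches a cache directory for cached user rows and then purges it while keeping any .htaccess placed there. WordPress stores phpass password hashes, which begin with "$P$", in the user_pass column, so those two strings are the markers searched for; the cache path is an assumed placeholder, and the serialized sample row used in testing is constructed.

```shell
#!/bin/sh
# Added example (not from the plugin or any poster): confirm that a
# disk-backed cache directory no longer holds cached wp_users rows after
# the object/database caches are disabled and emptied. The directory passed
# in is an assumed placeholder for wherever the plugin writes its cache.

# Return 0 if no file under $1 contains a user_pass column or a "$P$" phpass
# hash, 1 if any does (listing the offending files on stdout), 2 if $1 is
# not a directory. The "|| true" keeps a no-match grep from aborting callers
# running under "set -e".
scan_cache_for_hashes() {
  dir="$1"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  hits=$(grep -rlE 'user_pass|\$P\$' "$dir" 2>/dev/null || true)
  if [ -n "$hits" ]; then
    echo "$hits"
    return 1
  fi
  return 0
}

# Empty the cache directory: the "empty all caches" step, done from the shell
# for a cache that is about to be switched off. Keeps the directory itself and
# any .htaccess so an access rule already placed there survives the purge.
purge_cache_dir() {
  dir="$1"
  find "$dir" -mindepth 1 -type f ! -name .htaccess -exec rm -f {} +
  find "$dir" -mindepth 1 -type d -empty -delete
}

# Number of cache files left (excluding .htaccess), to verify the purge.
count_cache_files() {
  find "$1" -mindepth 1 -type f ! -name .htaccess | wc -l | tr -d ' '
}

# Example run (placeholder path):
#   scan_cache_for_hashes /var/www/html/wp-content/cache && echo clean
#   purge_cache_dir /var/www/html/wp-content/cache
#   count_cache_files /var/www/html/wp-content/cache
```

Run the scan before purging as well: if it finds nothing while the plugin is still in Disk mode, the site is not caching the user table and the exposure on that host is limited to whatever else the cache holds; if it finds matches, that is the evidence to hand to whoever has to decide whether the hashes need rotating.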

Lol php (0)

thetoadwarrior (1268702) | about a year and a half ago | (#42402891)

That's what happens when you rely on the php community.