Re: CVE Request: W3 Total Cache - public cache exposure

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/29/2012 04:45 AM, Jason A. Donenfeld wrote:
> On Sat, Dec 29, 2012 at 6:35 AM, Kurt Seifried
> <kseifried () redhat com> wrote:
> > As I understand it this is more of an .htaccess type issue than
> > an actual issue with W3 total cache? Is this documented anywhere
> > in the W3 total cache documents?
>
> W3 generates .htaccess files and sets up the directory structure
> and accesses. Nowhere is it documented that sysadmins should
> additionally modify the .htaccess files to protect the cache, and
> W3's own htaccess generation fails to protect it.

Please use CVE-2012-6077 for this issue.

> > > 2. Hash keys are easily predictable, in the case of (1) not 
> > > existing.
> >
> > explanation/algorithm/?
>
> Sure:
>
> query_md5=md5("SELECT * FROM ${db_prefix}users WHERE ID = 
> '${user_id}'") key=md5("w3tc_${host}_${site_id}_sql_${query_md5}") 
> url=" 
> http://siteblabla/wp-content/w3tc/${key:0:1}/${key:1:1}/${key:2:1}/${key}";
>
>  "db_prefix" is by default "wp_", per wordpress config, and few
> people go in and change that. "user_id" is an integer. IDs start at
> 1 and increase for each added user. "site_id" is an integer that
> also starts at 1 and increases for each site used in multi-site
> wordpress. "host" is the hostname of the site. All of these values
> are known or guessable.

Please use CVE-2012-6078 for this issue.

> > > 3. Cached database values are downloadable by their hash keys
> > > on the public internet, exposing sensitive information like
> > > password hashes.
> >
> > Do they need to be downloadable? That is to say can these hash
> > values be protected, or must they be exposed?
>
> They _must_ be protected. They _must not_ be exposed or
> downloadable. The hash values are raw SQL query responses, so they
> contain things like password hashes. The cache is used only
> internally by the web application, and client browsers should never
> have any direct contact with this cache.

Please use CVE-2012-6079 for this issue.

Thanks for the explanations.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ37Z7AAoJEBYNRVNeJnmT9wMQANakD23SI8oeDJyTAfpwTYju
i1yRsLUjEVDvpO1ydv5xZw6GKTLPVB/Hm732tAa90YSOjBQHCfrFlMtflCYvgw66
Ex++kTnLjdawh8BX9WGsCTFoiI4doYrBerSl/TmH6NwEo/fZP5fumeFaMdbUzXru
QgXok5CpQQK0DqiDZLLwt7lHBjnbY+pylb7ddybS0SUX3AAC7brfVkabGQM+ZWjH
hk7OQklJtG+oJbcj6+8tp65Kxp6hQsJPUGoLc7hu47HpidcnVT/KGYCX4huovZPv
wdz7yLsJgIxO4IDe0NuZKdqeEV9YKKs2blTEAj76zs8EaYUOKscnjDButZdW12NJ
FgXFr3ag43Li7Ro5tMUsbBq/hK2oJtysUJlwTZAlbGpEmMOtAS7CnoOtS55DzPOQ
4pXljZ/f+7GMNnFEIF18MeLZZPMD5VH5Xu/Vf54C1AaBx1A1JOAIVfoycI2ts/tP
c5ABAUNqkz43zn4Zwr6Edh58WJI1pgVy2/XwP1fGvUeaw/tUURvhVMQNKOiI6OfG
Qp0z36ac93Y3NXGnj71rHxYmIaRZI7yR9yTCYTR5dESlqXZLUlSbzf6Nz6djqS/Q
JR9JhxDaO1ysQ4+2ONBbcKxM/0U4Hg58SntsVxze03PmE5hYC9bF9UXaCDmEbInT
bYrJ9nl/lslPd2LHnLbs
=SO/W
-----END PGP SIGNATURE-----