W3 Total Cache 0.9.2.8 Remote Code Exec

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Is there any way to get the WordPress community involved in actually
handling security issues properly? E.g. requesting CVE's, or heck,
I'll settle for being notified via email directly. I found out about
this stuff on Reddit (linked to Tony Perez's blog posting) so I read
the code and voila:

http://wordpress.org/extend/plugins/w3-total-cache/

+* Improved security for mfunc, now disabled by default and requires
security string in order to execute

+        if (!defined('W3TC_DYNAMIC_SECURITY'))
+            return;
+        $buffer = preg_replace_callback('~<!--\s*mfunc\s*' .
W3TC_DYNAMIC_SECURITY . '(.*)-->(.*)<!--\s*/mfunc\s*' .
W3TC_DYNAMIC_SECURITY . '\s*-->~Uis', array(

Please use CVE-2013-2010 for this issue.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJReCibAAoJEBYNRVNeJnmTVJYP/1kkvewSW9TCa+4j7fg+1YOG
YD3noZd9vttAkJBhR7y30Wi4/16WwtMHfrmTVxRjh7o6ZSv2fvZMZI0GrICdWIFE
pLStD6eKe8eIumV/1iAVL5514Qm50oJ/ZcCGVTmfz7Isf8df1s5Udz6VMqLIZpjG
nosnQfSyOr7rcycmGPbXdTMguCczrj4aRPLOcH5PdY1T9JCiJar/2UmqWYZw2M0U
fA1BE38++tDYmSNi7XoLkfpUt6Z7Bk19QzGCDBBpqY7aWefo4UWEQ9Amx3mj6TCL
gFv5F9n763UeEzXRYHu2gawF+eXfW21Iz+EzsSyP/UvNqqfYe+/oaieb7yh8Iqq2
icrXAhCe/5gbyx2DG98ldoE7Zj1CEsN1Wqmc+3SHWGoBI3el/TG6iCRBZeGk/Vje
xG2U0wwXvO7jInaurLt7SsK5MKU2ALh/22MhX8t+1wsuOtC20FKTh5F9TCThmtxu
evYMi+tyEcNvNE2E9F52VK5t+/QGWMeXVS8lH2y3nw02a3Vv9hUvQz1JwQ2dZQNr
hEsBZBDR15TAt+umbEDUSobDtB8xX+NT9rZ6F7dAkJ8O3kTB5ZQRAcpAL7kdWYOL
pv14kiwJFXEV3JWYRhU1FKti99QHWVgP4iR2a9wThJ8WSNhkQGzusv4fz8xarpgl
vEyGkNH3sBenzVmbbxQj
=h+jS
-----END PGP SIGNATURE-----