[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request: W3 Total Cache - public cache exposure
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-12-30 3:35:23
Message-ID: 50DFB67B.6050707 () redhat ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/29/2012 04:45 AM, Jason A. Donenfeld wrote:
> On Sat, Dec 29, 2012 at 6:35 AM, Kurt Seifried
> <kseifried@redhat.com> wrote:
>> 
>> 
>> As I understand it this is more of an .htaccess type issue than
>> an actual issue with W3 total cache? Is this documented anywhere
>> in the W3 total cache documents?
>> 
> 
> W3 generates .htaccess files and sets up the directory structure
> and accesses. Nowhere is it documented that sysadmins should
> additionally modify the .htaccess files to protect the cache, and
> W3's own htaccess generation fails to protect it.

Please use CVE-2012-6077 for this issue.

>>> 2. Hash keys are easily predictable, in the case of (1) not 
>>> existing.
>> 
>> explanation/algorithm/?
>> 
> 
> Sure:
> 
> query_md5=md5("SELECT * FROM ${db_prefix}users WHERE ID = 
> '${user_id}'") key=md5("w3tc_${host}_${site_id}_sql_${query_md5}") 
> url=" 
> http://siteblabla/wp-content/w3tc/${key:0:1}/${key:1:1}/${key:2:1}/${key}"
>
>  "db_prefix" is by default "wp_", per wordpress config, and few
> people go in and change that. "user_id" is an integer. IDs start at
> 1 and increase for each added user. "site_id" is an integer that
> also starts at 1 and increases for each site used in multi-site
> wordpress. "host" is the hostname of the site. All of these values
> are known or guessable.

Please use CVE-2012-6078 for this issue.

>>> 3. Cached database values are downloadable by their hash keys
>>> on the public internet, exposing sensitive information like
>>> password hashes.
>> 
>> Do they need to be downloadable? That is to say can these hash
>> values be protected, or must they be exposed?
>> 
> 
> They _must_ be protected. They _must not_ be exposed or
> downloadable. The hash values are raw SQL query responses, so they
> contain things like password hashes. The cache is used only
> internally by the web application, and client browsers should never
> have any direct contact with this cache.

Please use CVE-2012-6079 for this issue.

Thanks for the explanations.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ37Z7AAoJEBYNRVNeJnmT9wMQANakD23SI8oeDJyTAfpwTYju
i1yRsLUjEVDvpO1ydv5xZw6GKTLPVB/Hm732tAa90YSOjBQHCfrFlMtflCYvgw66
Ex++kTnLjdawh8BX9WGsCTFoiI4doYrBerSl/TmH6NwEo/fZP5fumeFaMdbUzXru
QgXok5CpQQK0DqiDZLLwt7lHBjnbY+pylb7ddybS0SUX3AAC7brfVkabGQM+ZWjH
hk7OQklJtG+oJbcj6+8tp65Kxp6hQsJPUGoLc7hu47HpidcnVT/KGYCX4huovZPv
wdz7yLsJgIxO4IDe0NuZKdqeEV9YKKs2blTEAj76zs8EaYUOKscnjDButZdW12NJ
FgXFr3ag43Li7Ro5tMUsbBq/hK2oJtysUJlwTZAlbGpEmMOtAS7CnoOtS55DzPOQ
4pXljZ/f+7GMNnFEIF18MeLZZPMD5VH5Xu/Vf54C1AaBx1A1JOAIVfoycI2ts/tP
c5ABAUNqkz43zn4Zwr6Edh58WJI1pgVy2/XwP1fGvUeaw/tUURvhVMQNKOiI6OfG
Qp0z36ac93Y3NXGnj71rHxYmIaRZI7yR9yTCYTR5dESlqXZLUlSbzf6Nz6djqS/Q
JR9JhxDaO1ysQ4+2ONBbcKxM/0U4Hg58SntsVxze03PmE5hYC9bF9UXaCDmEbInT
bYrJ9nl/lslPd2LHnLbs
=SO/W
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]