W3 Total Cache 0.9.4 Cross Site Scripting

2014-12-17T00:00:00
ID PACKETSTORM:129626
Type packetstorm
Reporter Tobias Glemser
Modified 2014-12-17T00:00:00

Description

                                        
                                            `secuvera-SA-2014-01: Reflected XSS in W3 Total Cache  
  
Affected Products  
W3 Total Cache 0.9.4 (older releases have not been tested)  
  
"The only WordPress Performance Optimization (WPO) framework;   
designed to improve user experience and page speed. (..)  
W3 Total Cache improves the user experience of your site by   
increasing server performance, reducing the download times   
and providing transparent content delivery network (CDN)   
integration."  
  
References  
https://wordpress.org/plugins/w3-total-cache/  
https://www.secuvera.de/advisories/secuvera-SA-2014-01.txt  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8724  
  
Summary:  
If the option "Page cache debug info" is enabled, W3 Total   
Cache adds some HTML-Comments including the "Cache key" which   
is the URL itself. The URL is just reflected without any output   
encoding.  
  
Effect:  
An attacker could include clientside Scriptcode in a request,   
which will be reflected by the application. Using some social   
engineering an attacker would be able to compromise users of   
the application.  
  
Vulnerable Scripts:  
Debug Function  
  
Examples:  
https://$victim/nothing--<script>alert("XSS")</script>  
  
Solution:  
Install bug fix release. Always make sure to disable debug function   
in productive environments.  
  
Disclosure Timeline:  
2014/09/17 vendor contacted via https://www.w3-edge.com/contact/  
2014/10/07 vendor reacted including a first patch preview  
2014/10/14 notified vendor the patch does not address the issue  
2014/10/24 vendor sent a second patch preview   
2014/12/10 vendor published 0.9.4.1 release  
2014/12/16 public disclosure  
  
Credits:  
Tobias Glemser, secuvera GmbH  
tglemser@secuvera.de  
https://www.secuvera.de  
  
Disclaimer:  
All information is provided without warranty. The intent is to   
provide information to secure infrastructure and/or systems, not  
to be able to attack or damage. Therefore secuvera shall   
not be liable for any direct or indirect damages that might be   
caused by using this information.  
`