W3 Total Cache <= – Unauthenticated Security Token Bypass

ID WPEX-ID:3B66BD46-B266-4F3B-AE74-823586E73EBD
Type wpexploit
Reporter SecuPress
Modified 2019-11-01T09:32:59


The /pub/apc.php file is used to empty the OPCache/APC. The script seems protected by a nonce (aka security token):

    $nonce = W3_Request::get_string('nonce');
    $uri = $_SERVER['REQUEST_URI'];
    if (wp_hash($uri) == $nonce) {   // loose comparison of a hash against user input

But the flaw lies in the == operator, which is not the one to use when comparing hashes because of PHP type juggling. You can find an example of type juggling at https://3v4l.org/tT4l8

To exploit the vulnerability, the token has to start with 0e and all other chars have to be numbers; then the user can just add a param to the URL like ?nonce=0 and it will be validated.
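The comparison issue described above, shown side by side with the hardened form. This is an added example, not code from the advisory or from the W3 Total Cache plugin; the function names and the sample token value are assumptions chosen for illustration (the token is a constructed 32-character hex-looking string of the "0e" followed by digits shape that PHP treats as a numeric string). The loose check accepts the supplied value "0", while hash_equals() rejects it and only accepts the exact token.

```php
<?php
// Added example, not part of the advisory or the plugin's code base.
// PHP's == on two numeric strings compares them numerically. A hex digest of
// the form "0e" followed only by digits is parsed as 0 * 10^n == 0, so it
// compares equal to "0" (and to any other "0e..." digest).

// Constructed sample token of the vulnerable shape (assumption for this demo).
$storedToken = '0e462097431906509019562988736854';

// Vulnerable pattern: loose equality, as in the affected nonce check.
function checkTokenLoose(string $expected, string $supplied): bool
{
    return $expected == $supplied;
}

// Hardened pattern: byte-exact, constant-time comparison (PHP >= 5.6).
function checkTokenStrict(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

foreach (['0', '0e1', $storedToken] as $supplied) {
    printf(
        "supplied=%-34s loose=%s strict=%s\n",
        $supplied,
        checkTokenLoose($storedToken, $supplied) ? 'accept' : 'reject',
        checkTokenStrict($storedToken, $supplied) ? 'accept' : 'reject'
    );
}
```

Running it under any PHP version from 5.6 onward shows the loose check accepting both "0" and "0e1" and the strict check accepting only the exact token, which is the fix to apply wherever a hash or nonce is compared.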