W3 Total Cache <= 0.9.4.1 – Unauthenticated Security Token Bypass

2016-09-26T00:00:00
ID WPEX-ID:3B66BD46-B266-4F3B-AE74-823586E73EBD
Type wpexploit
Reporter SecuPress
Modified 2019-11-01T09:32:59

Description

The /pub/apc.php file is used to empty the OPcache/APC cache. The script appears to be protected by a nonce (security token):

    $nonce = W3_Request::get_string('nonce');
    $uri = $_SERVER['REQUEST_URI'];
    if (wp_hash($uri) == $nonce) {

The flaw is the loose == operator, which must not be used to compare hashes because of PHP type juggling: when both operands are numeric strings, PHP compares them as numbers, so a hash of the form 0e followed only by digits (for example 0e1234...) is parsed as the float 0.0 and compares equal to "0". An example of this type juggling can be seen at https://3v4l.org/tT4l8. To exploit the vulnerability, the token (wp_hash() of the request URI) has to start with 0e with all remaining characters being digits; the attacker then only has to add ?nonce=0 to the URL and the check passes. Since wp_hash() is an HMAC keyed with the site's secret salts, the attacker cannot predict which URI yields such a hash, but the hashed value is the full REQUEST_URI including the query string, so arbitrary extra parameters can be appended to produce new candidate hashes until one of the required form is hit (on the order of one in a few hundred million MD5 HMACs has that form).
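As an added illustration (not the plugin's code nor the reporter's), the following PHP shows why the loose comparison quoted above accepts "0" against a hash of the form 0e<digits>, and the strict, constant-time comparison that closes the hole. The function names and the guessed nonce values are constructed for this example; md5('240610708') is used as the stand-in for a wp_hash() output because its digest is a well-known string of that shape. Requires PHP 5.6+ for hash_equals() (7.0+ for the scalar type hints).

```php
<?php
// Added example: PHP type juggling in nonce comparison, vulnerable vs hardened.

// Vulnerable comparison, mirroring the `wp_hash($uri) == $nonce` pattern from
// the advisory. Two numeric strings are compared as numbers, so any hash that
// looks like 0e<digits> (== 0.0) matches "0", "000", "0e1", ...
function nonce_check_loose(string $expected_hash, string $nonce): bool
{
    return $expected_hash == $nonce;
}

// Hardened comparison: hash_equals() is strict (no numeric coercion), compares
// the full strings and runs in constant time, so magic hashes are not special.
function nonce_check_strict(string $expected_hash, string $nonce): bool
{
    return hash_equals($expected_hash, $nonce);
}

// A digest is "magic" for the loose comparison when PHP would parse it as the
// number zero: "0e" followed exclusively by decimal digits.
function is_magic_hash(string $hash): bool
{
    return (bool) preg_match('/^0e[0-9]+$/', $hash);
}

// Constructed sample "tokens": one magic digest and one ordinary digest.
$samples = [
    'magic'  => md5('240610708'),  // 0e462097431906509019562988736854
    'normal' => md5('hello'),      // 5d41402abc4b2a76b9719d911017c592
];

// Constructed attacker guesses; all are the number zero under loose comparison.
$guesses = ['0', '000', '0e1'];

foreach ($samples as $label => $hash) {
    printf("%-6s %s magic=%s\n", $label, $hash, is_magic_hash($hash) ? 'yes' : 'no');
    foreach ($guesses as $guess) {
        printf(
            "       nonce=%-4s loose=%-5s strict=%s\n",
            $guess,
            nonce_check_loose($hash, $guess) ? 'PASS' : 'fail',
            nonce_check_strict($hash, $guess) ? 'PASS' : 'fail'
        );
    }
}
```

Run with `php example.php`: the magic digest passes the loose check for every guess (including the single character "0" from the proof of concept) while the strict check fails them all; the ordinary digest fails both checks, which is why the bug only becomes exploitable once a request URI happens to hash to a 0e<digits> value.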

Proof of Concept

    http://example.com/wp-content/plugins/w3-total-cache/pub/apc.php?nonce=0&command=reload_files