Wordpress W3 Total Cache 0.9.2.8 Remote Code Exec

2013-04-24 / 2013-05-01

Credit: Kurt Seifried

Risk: High

Local: No

Remote: Yes

CVE: CVE-2013-2010

CWE: CWE-74

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

Is there any way to get the WordPress community involved in actually
handling security issues properly? E.g. requesting CVE's, or heck,
I'll settle for being notified via email directly. I found out about
this stuff on Reddit (linked to Tony Perez's blog posting) so I read
the code and voila:

http://wordpress.org/extend/plugins/w3-total-cache/

+* Improved security for mfunc, now disabled by default and requires
security string in order to execute

+        if (!defined('W3TC_DYNAMIC_SECURITY'))
+            return;
+        $buffer = preg_replace_callback('~<!--\s*mfunc\s*' .
W3TC_DYNAMIC_SECURITY . '(.*)-->(.*)<!--\s*/mfunc\s*' .
W3TC_DYNAMIC_SECURITY . '\s*-->~Uis', array(

Please use CVE-2013-2010 for this issue.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)

References:

http://seclists.org/oss-sec/2013/q2/172

http://cxsecurity.com/issue/WLB-2013050003

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Wordpress W3 Total Cache 0.9.2.8 Remote Code Exec

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.