W3 Total Cache 0.9.4 Cross Site Scripting

2014.12.18
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

secuvera-SA-2014-01: Reflected XSS in W3 Total Cache Affected Products W3 Total Cache 0.9.4 (older releases have not been tested) "The only WordPress Performance Optimization (WPO) framework; designed to improve user experience and page speed. (..) W3 Total Cache improves the user experience of your site by increasing server performance, reducing the download times and providing transparent content delivery network (CDN) integration." References https://wordpress.org/plugins/w3-total-cache/ https://www.secuvera.de/advisories/secuvera-SA-2014-01.txt https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8724 Summary: If the option "Page cache debug info" is enabled, W3 Total Cache adds some HTML-Comments including the "Cache key" which is the URL itself. The URL is just reflected without any output encoding. Effect: An attacker could include clientside Scriptcode in a request, which will be reflected by the application. Using some social engineering an attacker would be able to compromise users of the application. Vulnerable Scripts: Debug Function Examples: https://$victim/nothing--<script>alert("XSS")</script> Solution: Install bug fix release. Always make sure to disable debug function in productive environments. Disclosure Timeline: 2014/09/17 vendor contacted via https://www.w3-edge.com/contact/ 2014/10/07 vendor reacted including a first patch preview 2014/10/14 notified vendor the patch does not address the issue 2014/10/24 vendor sent a second patch preview 2014/12/10 vendor published 0.9.4.1 release 2014/12/16 public disclosure Credits: Tobias Glemser, secuvera GmbH tglemser@secuvera.de https://www.secuvera.de Disclaimer: All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information.

References:

https://wordpress.org/plugins/w3-total-cache/
https://www.secuvera.de/advisories/secuvera-SA-2014-01.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8724


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top