secuvera-SA-2014-01: Reflected XSS in W3 Total Cache

secuvera-SA-2014-01: Reflected XSS in W3 Total Cache

Affected Products
W3 Total Cache 0.9.4 (older releases have not been tested)

"The only WordPress Performance Optimization (WPO) framework; 
designed to improve user experience and page speed. (..)
W3 Total Cache improves the user experience of your site by 
increasing server performance, reducing the download times 
and providing transparent content delivery network (CDN) 
integration."

References
https://wordpress.org/plugins/w3-total-cache/
https://www.secuvera.de/advisories/secuvera-SA-2014-01.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8724

Summary:
If the option "Page cache debug info" is enabled, W3 Total
Cache adds some HTML-Comments including the "Cache key" which
is the URL itself. The URL is just reflected without any output
encoding.

Effect:
An attacker could include clientside Scriptcode in a request,
which will be reflected by the application. Using some social
engineering an attacker would be able to compromise users of
the application.

Vulnerable Scripts:
Debug Function

Examples:
https://$victim/nothing--<script>alert("XSS")</script>

Solution:
Install bug fix release. Always make sure to disable debug function
in productive environments.

Disclosure Timeline:
2014/09/17 vendor contacted via https://www.w3-edge.com/contact/
2014/10/07 vendor reacted including a first patch preview
2014/10/14 notified vendor the patch does not address the issue
2014/10/24 vendor sent a second patch preview
2014/12/10 vendor published 0.9.4.1 release
2014/12/16 public disclosure

Credits:
Tobias Glemser, secuvera GmbH
[email protected]
https://www.secuvera.de

Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore secuvera shall
not be liable for any direct or indirect damages that might be
caused by using this information.