It appears you have not yet registered with our community. To register please click here...

 
Go Back [M] > Madshrimps > WebNews
Flawed Wordpress plug-in exposes users Flawed Wordpress plug-in exposes users
FAQ Members List Calendar Search Today's Posts Mark Forums Read


Flawed Wordpress plug-in exposes users
Reply
 
Thread Tools
Old 28th December 2012, 08:14   #1
[M] Reviewer
 
Stefan Mileschin's Avatar
 
Join Date: May 2010
Location: Romania
Posts: 153,446
Stefan Mileschin Freshly Registered
Default Flawed Wordpress plug-in exposes users

An insecurity expert has warned that a popular plugin for Wordpress may expose all the personal information on their bog to a Google search.

Jason Donenfeld said that many WordPress users that had added the plugin had directories of cached content that could be browsed by anyone with a web browser and knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data like password hashes.

W3 Total Cache speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, and downloads. It has more than 1.39 million users and can be seen in many sites like mashable.com and smashingmagazine.com.

Donenfeld found that W3 Total Cache from within WordPress leaves potentially sensitive data exposed. For example a cache directory listing feature is enabled on the cache directory, which stores cached content and anyone could easily recursively download all the database cache keys and extract ones containing sensitive information, such as password hashes.

Exposed cache directories are also discoverable using a Google search. Even if you switch the directory listings off, cache files are still publicly downloadable by default with W3 Total Cache. All a hacker would need to know the key values and file names of the cache items, which Donenfeld claims is not exactly rocket science.

His proof of concept software has found a number of interesting directories including Triton Submarines, and the Family Policy Network, a US based conservative Christian group that says its mission is to confront "immorality" in the public square and educate Christians "on important moral issues in public and corporate policy."

In a subsequent post on Full Disclosure, he said that W3 Edge, the company that makes W3 Total Cache, plans an update to correct the problems he had identified.

http://news.techeye.net/security/fla...-exposes-users
Stefan Mileschin is offline   Reply With Quote
Reply


Similar Threads
Thread Thread Starter Forum Replies Last Post
EFF gets $500k from donors to fight flawed patent system Stefan Mileschin WebNews 0 20th December 2012 11:10
WordPress goes ad-free for a fee Stefan Mileschin WebNews 0 19th November 2012 08:13
How to center two images in WordPress @ OCmodshop Stefan Mileschin WebNews 0 15th October 2012 09:14
UltraTek Flipper USB plug lets you plug it in any way you choose jmke WebNews 0 14th July 2010 17:38
DDR3-2000+ Memory Kits - Fast but Flawed jmke WebNews 0 8th July 2009 14:29
Flawed AMD Opteron Chip Can Lead To Data Corruption jmke WebNews 0 29th April 2006 11:05
Microsoft: Windows patch is flawed Sidney WebNews 0 31st March 2005 19:01

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


All times are GMT +1. The time now is 01:06.


Powered by vBulletin® - Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
SEO by vBSEO