28th December 2012, 08:14 | #1 |
Flawed Wordpress plug-in exposes users

An insecurity expert has warned that a popular plugin for Wordpress may expose all the personal information on their blog to a Google search.

Jason Donenfeld said that many WordPress users that had added the plugin had directories of cached content that could be browsed by anyone with a web browser and knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data like password hashes.

W3 Total Cache speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, and downloads. It has more than 1.39 million users and can be seen in many sites like mashable.com and smashingmagazine.com.

Donenfeld found that W3 Total Cache from within WordPress leaves potentially sensitive data exposed. For example, a directory listing feature is enabled on the cache directory, which stores cached content, and anyone could easily recursively download all the database cache keys and extract ones containing sensitive information, such as password hashes. Exposed cache directories are also discoverable using a Google search.

Even if you switch the directory listings off, cache files are still publicly downloadable by default with W3 Total Cache. All a hacker would need to know is the key values and file names of the cache items, which Donenfeld claims is not exactly rocket science.

His proof of concept software has found a number of interesting directories including Triton Submarines, and the Family Policy Network, a US based conservative Christian group that says its mission is to confront "immorality" in the public square and educate Christians "on important moral issues in public and corporate policy."

In a subsequent post on Full Disclosure, he said that W3 Edge, the company that makes W3 Total Cache, plans an update to correct the problems he had identified.

http://news.techeye.net/security/fla...-exposes-users
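The two exposures the article describes (a browsable cache directory, and cache files served directly even with listings off) are easy to verify on a site you administer. The following self-check is an added example, not code from the article, from Donenfeld or from W3 Edge; the cache path constant is a placeholder you must set to the directory your own W3 Total Cache install writes to.

```python
"""Self-check for a WordPress site you operate: does the W3 Total Cache
directory answer with a directory listing, or serve its contents directly?
Added example, not the article's or W3 Edge's code.  CACHE_PATH is an
assumption: replace it with the cache path your installation actually uses."""
import re
import urllib.error
import urllib.request

CACHE_PATH = "/wp-content/CACHE_DIR_PLACEHOLDER/"   # placeholder, adjust for your site

# Markers emitted by the common autoindex modules (Apache mod_autoindex, nginx autoindex)
_INDEX_MARKERS = (
    re.compile(r"<title>\s*Index of\s", re.I),
    re.compile(r"<h1>\s*Index of\s", re.I),
    re.compile(r"Parent Directory", re.I),
)


def looks_like_directory_listing(body: str) -> bool:
    """Heuristic: does a response body look like a server-generated directory index?"""
    return any(m.search(body) for m in _INDEX_MARKERS)


def classify(status: int, body: str) -> str:
    """Map the HTTP status and body returned for the cache directory to a finding.

    'listing'  - the server enumerates the directory (the article's first problem)
    'readable' - no index page, but the server still answers 200 (the second problem:
                 cache files remain fetchable by anyone who knows their names)
    'blocked'  - 403/404 etc.: the directory is not browsable from outside
    """
    if status == 200 and looks_like_directory_listing(body):
        return "listing"
    if status == 200:
        return "readable"
    return "blocked"


def check_cache_dir(base_url: str, path: str = CACHE_PATH, timeout: float = 10.0) -> str:
    """Fetch base_url + path on your own site and classify the response."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "w3tc-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:      # 403/404 is the outcome you want to see
        return classify(err.code, "")


if __name__ == "__main__":
    import sys
    print(check_cache_dir(sys.argv[1]))
```

A 'listing' result means autoindexing should be switched off for that directory (for Apache, `Options -Indexes` in the directory's .htaccess); a 'readable' result means the cache directory should be denied direct web access altogether, since disabling listings alone does not stop downloads of files with known names.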