Over the past few days, I’ve read various posts regarding a security hole discovered in the popular W3 Total Cache plugin. According to a security bulletin published by Jason Donenfeld on Seclist.org, after installing the plugin from the WordPress plugin repository through the backend of WordPress, there are two avenues of attack left open.
1) Directory listings were enabled on the cache directory, which means anyone could easily recursively download all the database cache keys, and extract ones containing sensitive information, such as password hashes. A simple Google search of “inurl:wp-content/plugins/w3tc/dbcache” and maybe some other magic reveals this wasn’t just an issue for me. As W3 Total Cache already futzes with the .htaccess file, I see no reason for it not to add “Options -Indexes” to it upon installation. I haven’t read any W3 documentation, so it’s possible this is a known and documented misconfiguration, but maybe not.
2) Even with directory listings off, cache files are by default publicly downloadable, and the key values / file names of the database cache items are easily predictable. Again, it seems odd that “deny from all” isn’t added to the .htaccess file. Maybe it’s documented somewhere that you should secure your directories, or maybe it isn’t; I’m not sure.
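Both points in the bulletin come down to the same fix: the cache directory should neither list its contents nor serve its files to browsers. The script below is an added example (my own, not code from the original post, the bulletin, or the W3 Total Cache project) that writes an .htaccess carrying the two directives the bulletin names, “Options -Indexes” and “deny from all”, into a directory you pass to it, and a second function that checks such a file is in place. The Apache 2.4 “Require all denied” branch goes beyond the bulletin, which only mentions the 2.2 syntax; the directory path is an argument because the exact layout of the plugin’s cache tree is an assumption here.

```shell
#!/bin/sh
# Added example, not from the original post or the W3TC project.
# Blocks both problems described in the bulletin for a cache directory:
# directory listings (Options -Indexes) and direct downloads (deny from all).
# The directory is passed in; where the plugin keeps its database cache is an
# assumption left to the caller (the bulletin mentions wp-content/plugins/w3tc/dbcache).

# harden_cache_dir DIR: (re)writes DIR/.htaccess with the two directives.
harden_cache_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    cat > "$dir/.htaccess" <<'EOF'
# Cache files are read by PHP on the server side; nothing in this
# directory should ever be served to a browser.
Options -Indexes
<IfModule mod_authz_core.c>
    # Apache 2.4 syntax
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax, as referred to in the bulletin
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# check_cache_dir DIR: returns 0 only if DIR/.htaccess both disables
# listings and denies all access, 1 otherwise (useful as a quick audit
# across several cache directories).
check_cache_dir() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -q '^Options -Indexes' "$f" && grep -qi '^ *Deny from all' "$f"
}

# Usage:
#   harden_cache_dir /var/www/html/wp-content/plugins/w3tc/dbcache
#   check_cache_dir  /var/www/html/wp-content/plugins/w3tc/dbcache && echo "protected"
```

Two caveats when using this. The file only has effect if the server’s AllowOverride for that path permits the Options and Limit (or AuthConfig) groups; with AllowOverride None it is silently ignored, so verify from the outside that a request for a known cache file now returns 403 rather than the file. And apply it to the database and object cache directories only: the “Disk: Enhanced” page cache works by serving cached HTML straight from its directory, so denying all access there would break page caching rather than fix anything.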
However, within the plugin’s support forums on WordPress.org, Otto suggested that, until a fix is released, you check whether you’re using “Disk: Basic” or “Disk: Enhanced” for database caching. If so, disable database caching and clear out those caches.