Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 29 Dec 2012 20:35:23 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Jason A. Donenfeld" <Jason@...c4.com>,
        Frederick Townes <ftownes@...edge.com>
Subject: Re: CVE Request: W3 Total Cache - public cache exposure

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/29/2012 04:45 AM, Jason A. Donenfeld wrote:
> On Sat, Dec 29, 2012 at 6:35 AM, Kurt Seifried
> <kseifried@...hat.com> wrote:
>> 
>> 
>> As I understand it this is more of an .htaccess type issue than
>> an actual issue with W3 total cache? Is this documented anywhere
>> in the W3 total cache documents?
>> 
> 
> W3 generates .htaccess files and sets up the directory structure
> and accesses. Nowhere is it documented that sysadmins should
> additionally modify the .htaccess files to protect the cache, and
> W3's own htaccess generation fails to protect it.

Please use CVE-2012-6077 for this issue.

>>> 2. Hash keys are easily predictable, in the case of (1) not 
>>> existing.
>> 
>> explanation/algorithm/?
>> 
> 
> Sure:
> 
> query_md5=md5("SELECT * FROM ${db_prefix}users WHERE ID = 
> '${user_id}'") key=md5("w3tc_${host}_${site_id}_sql_${query_md5}") 
> url=" 
> http://siteblabla/wp-content/w3tc/${key:0:1}/${key:1:1}/${key:2:1}/${key}"
>
>  "db_prefix" is by default "wp_", per wordpress config, and few
> people go in and change that. "user_id" is an integer. IDs start at
> 1 and increase for each added user. "site_id" is an integer that
> also starts at 1 and increases for each site used in multi-site
> wordpress. "host" is the hostname of the site. All of these values
> are known or guessable.

Please use CVE-2012-6078 for this issue.

>>> 3. Cached database values are downloadable by their hash keys
>>> on the public internet, exposing sensitive information like
>>> password hashes.
>> 
>> Do they need to be downloadable? That is to say can these hash
>> values be protected, or must they be exposed?
>> 
> 
> They _must_ be protected. They _must not_ be exposed or
> downloadable. The hash values are raw SQL query responses, so they
> contain things like password hashes. The cache is used only
> internally by the web application, and client browsers should never
> have any direct contact with this cache.

Please use CVE-2012-6079 for this issue.

Thanks for the explanations.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ37Z7AAoJEBYNRVNeJnmT9wMQANakD23SI8oeDJyTAfpwTYju
i1yRsLUjEVDvpO1ydv5xZw6GKTLPVB/Hm732tAa90YSOjBQHCfrFlMtflCYvgw66
Ex++kTnLjdawh8BX9WGsCTFoiI4doYrBerSl/TmH6NwEo/fZP5fumeFaMdbUzXru
QgXok5CpQQK0DqiDZLLwt7lHBjnbY+pylb7ddybS0SUX3AAC7brfVkabGQM+ZWjH
hk7OQklJtG+oJbcj6+8tp65Kxp6hQsJPUGoLc7hu47HpidcnVT/KGYCX4huovZPv
wdz7yLsJgIxO4IDe0NuZKdqeEV9YKKs2blTEAj76zs8EaYUOKscnjDButZdW12NJ
FgXFr3ag43Li7Ro5tMUsbBq/hK2oJtysUJlwTZAlbGpEmMOtAS7CnoOtS55DzPOQ
4pXljZ/f+7GMNnFEIF18MeLZZPMD5VH5Xu/Vf54C1AaBx1A1JOAIVfoycI2ts/tP
c5ABAUNqkz43zn4Zwr6Edh58WJI1pgVy2/XwP1fGvUeaw/tUURvhVMQNKOiI6OfG
Qp0z36ac93Y3NXGnj71rHxYmIaRZI7yR9yTCYTR5dESlqXZLUlSbzf6Nz6djqS/Q
JR9JhxDaO1ysQ4+2ONBbcKxM/0U4Hg58SntsVxze03PmE5hYC9bF9UXaCDmEbInT
bYrJ9nl/lslPd2LHnLbs
=SO/W
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.