------------------------------------------------------------------------
Reflected Cross-Site Scripting vulnerability in W3 Total Cache plugin
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the W3 Total Cache
plugin. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a URL provided by an attacker.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160719-0004

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on W3 Total Cache version 0.9.4.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in W3 Total Cache [2] version 0.9.5.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The W3 Total Cache plugin is a WordPress Performance Optimization (WPO)
framework designed to improve user experience and page speed. A
Cross-Site Scripting vulnerability was found in the W3 Total Cache
plugin. This issue allows an attacker to perform a wide variety of
actions, such as stealing Administrators' session tokens, or performing
arbitrary actions on their behalf. In order to exploit this issue, the
attacker has to lure/force a logged on WordPress Administrator into
opening a URL provided by an attacker.

------------------------------------------------------------------------
Details finding
------------------------------------------------------------------------
The issue exists in the file inc/options/support/form.php and is caused
by the lack of output encoding on the request_id request parameter. The
vulnerable code is listed below.
<input type="hidden" name="request_type" value="<?php echo
$request_type; ?>" />
<input type="hidden" name="request_id" value="<?php echo $request_id;
?>" />
<input type="hidden" name="payment" value="<?php echo $payment; ?>" />

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------

Have an authenticated admin visit the URL:
http://<target>/wp-admin/admin.php?page=w3tc_support&request_type=bug_report&request_id="><script>alert('sumofpwn.nl');</script>A
pop-up box should appear, meaning the JavaScript contained in the
request_id request parameter was executed by the browser.
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/reflected_cross_site_scripting_vulnerability_in_w3_total_cache_plugin.html
[2] https://downloads.wordpress.org/plugin/w3-total-cache.0.9.5.zip