Matthew Cohen, MSW

Social Justice Solutions | Staff Writer

Security Fix For W3 Total Cache Released

SJS recently reported that the W3 Total Cache WordPress plugin could potentially leave sensitive data vulnerable. Frederick Townes of W3 Cache was kind enough to leave a comment explaining how to fix the vulnerability with an updated version of W3 Cache now available on WordPress.com.

For those of you that use W3 Total Cache to make your sites more performant, thank you. Security issues are always of paramount interest, no matter the scope.

The root of the possible vulnerability lies in the intersection of two configuration settings, one at the Web Server level and the other at the W3 Total Cache database caching level. You may be vulnerable if the following are true: your server is configured to allow directory listing with enabled public access on W3TC’s database caching directories and also use database caching via the disk caching method. These settings would allow a hacker to break the md5 hashing used for the then publicly accessible cached database objects. The manner, extent and timing of the vulnerability’s report leave much to be desired; nonetheless, the versions have now been patched on wordpress.org. Thanks to those that offered remediation advice. I’m sorry for the delay in turning this around, none of the proposed solutions were satisfactory.
The hotfix (tested with WordPress version 3.5) will help those who are just now upgrading to 0.9.2.4 or are otherwise getting started with W3 Total Cache. Specifically, the hash logic is improved via wp_hash(), significantly stronger than the previous md5 hashing at the compromise of a bit of speed. I’ve also made sure that a web server’s lack of security around directory listings and the standard file structure of W3TC’s hashing logic are no longer of consequence for those attempting to download them from your server.

For those who are using database caching to disk already, please be sure to disable directory indexing and deny web access to the “wp-content/w3tc/dbcache/” directory in your web configuration, then empty the database cache for good measure. Or, simply deactivate W3 Total Cache, uninstall it, and re-install it via wordpress.org to have the hotfix applied upon re-activation. Again, empty the database cache for good measure. Your settings will not be lost during this process. If all of this is gibberish to you, then simply disable database caching to disk until the next release or use another method if available. Once again, empty the database cache using the button of the same name available on the database caching settings tab.

If you’re reading this and have seen a post about the issue that does not have this response on it, please do post this for me. Thanks in advance. Happy Holidays.

We appreciate the speedy response. Kudos to W3 Total Cache for fixing the issue and making their users a priority.
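To confirm on your own site that the two conditions named in the comment (directory listing and web access to the "wp-content/w3tc/dbcache/" directory) no longer hold, the check below requests that directory and classifies the response. It is an added example, not code from W3 Total Cache or from the comment; the function names, result labels and sample responses are assumptions constructed for illustration.

```python
"""Check whether W3TC's disk database cache directory is reachable from the web."""
import sys
import urllib.error
import urllib.request

DBCACHE_PATH = "wp-content/w3tc/dbcache/"  # directory named in the comment

# Constructed sample bodies: what Apache/nginx auto-indexing typically returns.
SAMPLE_LISTING = "<html><head><title>Index of /wp-content/w3tc/dbcache</title></head></html>"
SAMPLE_BLANK = ""  # e.g. an empty index file: no listing, but access is not denied


def classify(status, body):
    """Map an HTTP response for the dbcache directory to a finding (labels are ours)."""
    if status in (401, 403, 404):
        return "blocked"               # web access denied or directory not served
    if status == 200 and "Index of /" in body:
        return "listing-exposed"       # directory indexing is on and publicly readable
    if 200 <= status < 300:
        return "reachable-no-listing"  # indexing off, but web access is still allowed
    return "inconclusive"              # 5xx, unexpected status, etc.


def check_site(base_url, timeout=10):
    """Request the dbcache directory of a site you administer and classify the result."""
    url = base_url.rstrip("/") + "/" + DBCACHE_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "dbcache-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
        return classify(err.code, "")
    except urllib.error.URLError:          # DNS failure, refused connection, timeout
        return "inconclusive"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: dbcache_check.py https://your-site.example")
    finding = check_site(sys.argv[1])
    print(f"{DBCACHE_PATH}: {finding}")
    # Non-zero exit unless the directory is blocked, so the check can gate a deploy.
    sys.exit(0 if finding == "blocked" else 1)
```

Only "blocked" matches the state the comment asks for; "reachable-no-listing" means indexing is off but web access to the directory has not been denied.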
