Default Configuration Flaw in W3 Total Cache Exposes Tens of Thousands of Sites

W3 Total Cache, which boasts high-traffic sites like Mashable and Lockergnome among its users, has serious vulnerabilities, according to this post on the Full Disclosure list.

The default setup – that is, when users simply choose “add plugin” from the WordPress catalogue – left cache directory listings enabled, according to poster Jason Donenfield.

This, he said, allows database cache keys to be downloaded on vulnerable installations – and that could expose password hashes. “A simple google search of "inurl:wp-content/plugins/w3tc/dbcache" and maybe some other magic reveals this wasn't just an issue for me”, he writes.

Donenfield later amended the search term to “inurl:wp-content/w3tc”.

“Even with directory listings off,” he continues, “cache files are by default publicly downloadable, and the key values / file name of the database cache items are easily predictable.”

Donenfield says the developer of the plug-in intends to release a fix “soon”. In the meantime, he notes that “deny from all” should be set in the .htaccess file.