Make WordPress Core

Opened 20 years ago

Closed 20 years ago

#1851 closed defect (bug) (fixed)

Cache exposes some user data

Reported by: ringmaster
Owned by:
Milestone:
Priority: normal
Severity: critical
Version: 1.6
Component: Administration
Keywords: bg|has-patch
Focuses:
Cc:

Description

Using the new cache system, some sensitive user data is easier to obtain than before.

Steps:

  1. Guess a WordPress username (like "admin").
  2. Obtain an MD5 hash of that username, call it XX.
  3. Access a file named http://example.com/wp-content/cache/users/{XX}

The data exposed contains the database record for that user. At least, it exposes the user's email address. At worst, this could be used to reverse-engineer cookies that would allow enough access to change the password of that user.

Attached patch uses the database password to seed the hashes, making the filenames that contain this data more difficult to guess.

Consider adding .htaccess to the cache directory to prevent direct access/prevent directory browsing? Consider hashing the cache directory names to prevent directory guessing? Consider not caching user data?
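
The enumeration described in steps 1-3 above and the salted-key fix from the attached patch, as an added example that is not code from the ticket, its patch, or WordPress. It models the cache layout the report describes (a user's database row written to wp-content/cache/users/<key>, with key = md5(username) before the fix and md5(salt . username) after it, the salt being a server-side secret that the patch seeds with the database password) with an in-memory stand-in for the cache directory. The site URL, user rows, wordlist and salt value are constructed sample data.

```python
# Added example for #1851; not the ticket's patch and not WordPress code.
# The cache layout (wp-content/cache/users/<md5 key>) is taken from the
# report; everything else here is constructed for illustration.
import hashlib
from typing import Dict, List, Optional, Tuple

SITE = "http://example.com"  # the example host used in the report

# Constructed stand-in for wp_users rows. Nothing here is real data.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "user_email": "admin@example.com",
     "user_pass": "<password hash would be here>"},
    {"ID": 2, "user_login": "ringmaster", "user_email": "rm@example.com",
     "user_pass": "<password hash would be here>"},
]


def cache_key(username: str, salt: str = "") -> str:
    """Filename under wp-content/cache/users/ for one user record.

    salt == ""  reproduces the reported behaviour: md5(username), which
                anyone who can guess the username can compute.
    salt != ""  models the fix: the key now depends on a value the
                attacker does not have, so the filename is not guessable.
    """
    return hashlib.md5((salt + username).encode("utf-8")).hexdigest()


def cache_url(key: str, site: str = SITE) -> str:
    """URL an attacker would request for a given cache key (step 3)."""
    return f"{site}/wp-content/cache/users/{key}"


class UserCache:
    """In-memory stand-in for the cache directory. A real attacker issues
    an HTTP GET for cache_url(key); here fetch() plays the web server."""

    def __init__(self, salt: str = "") -> None:
        self._salt = salt
        self._files: Dict[str, dict] = {}

    def store(self, row: dict) -> str:
        key = cache_key(row["user_login"], self._salt)
        self._files[key] = dict(row)
        return key

    def fetch(self, key: str) -> Optional[dict]:
        # Direct access by exact filename. An empty index.php in the
        # directory stops listings but not a request for a name the
        # client already knows, which is why the key itself must be secret.
        return self._files.get(key)


def enumerate_users(cache: UserCache, wordlist: List[str]) -> Dict[str, str]:
    """Steps 1-3 of the report over a wordlist: guess a username, md5 it,
    request the file. The attacker has no salt, so cache_key() is called
    unsalted. Returns {username: exposed e-mail} for every hit."""
    hits: Dict[str, str] = {}
    for name in wordlist:
        row = cache.fetch(cache_key(name))
        if row is not None:
            hits[name] = row["user_email"]
    return hits


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Run the same wordlist against an unsalted and a salted cache."""
    wordlist = ["admin", "root", "ringmaster", "webmaster"]
    unsalted = UserCache()                                   # before the patch
    salted = UserCache(salt="constructed-db-password-salt")  # after the patch
    for row in SAMPLE_USERS:
        unsalted.store(row)
        salted.store(row)
    return enumerate_users(unsalted, wordlist), enumerate_users(salted, wordlist)


if __name__ == "__main__":
    before, after = demo()
    for name, email in before.items():
        print(f"unsalted: {cache_url(cache_key(name))} -> {email}")
    print(f"salted: {len(after)} hits from the same wordlist")
```

Against the unsalted cache the wordlist recovers every existing account's e-mail with one request per guess; against the salted cache the same guesses miss, because the attacker cannot reproduce the key without the salt. The protection is only as strong as the salt's secrecy, and an index.php (or .htaccess) in the directory closes the listing side channel but does nothing against a correctly guessed filename.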

Attachments (1)

cache.php.patch (968 bytes) - added by ringmaster 20 years ago.
Add a little salt.


Change History (3)

@ringmaster
20 years ago

Add a little salt.

#1 @ryan
20 years ago

Also maybe put an index.php in the cache dirs.

#2 @ryan
20 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [3017]) Obfuscate keys with some salt. Add empty index.php files to the cache dirs to prevent directory listings. Props to ringmaster. fixes #1851
