Thanks for sending this out. The Sucuri folks have a good summary of this issue here:
It appears that the vulnerability is harder to find, but still present when directory listing is disabled. The recommended fix at this point is using the line "deny from all" in a .htaccess file in the wp-content/w3tc directory.
Assuming your web server is running Apache...
- Create a new plain text file named .htaccess (don't forget the period at the beginning)
- Place the words (without quotes) "Order Deny,Allow" on the first line and then "Deny from all" on the second line of the text file
- Upload the file to your wp-content/w3tc directory
- This will prevent anyone from accessing your cache directory through a web browser
Just disabling the plugin by itself may not help; you would also need to make sure the cache files were deleted.
On Dec 27, 2012, at 12:16 PM, eve lurie <[address removed]> wrote:
a co-worker has sent me this.
should i remove the plugin?
"A security researcher is warning WordPress users that a popular plugin may leave sensitive information from their blog accessible from the public Internet with little more than a Google search. The researcher, Jason A. Donenfeld, who uses the handle 'zx2c4' posted a notice about the add-on, W3 Total Cache on the Full Disclosure security mailing list on Sunday, warning that many WordPress blogs that had added the plugin had directories of cached content that could be browsed by anyone with a web browser and the knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data like password hashes, Donenfeld wrote. W3 Total Cache is described as a 'performance framework' that speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, downloads and the like. The plugin has been downloaded 1.39 million times and is used by sites including mashable.com and smashingmagazine.com, according to the WordPress web site."
All the best,
This message was sent by eve lurie ([address removed]) from The East Bay WordPress Meetup Group.