WP Super Cache is a full page caching plugin for WordPress that will speed up your website.
This is a security release and any users of the plugin should update as soon as possible. This release and the last 2 (1.3 and 1.3.1) address the following issues:
- A visitor to a website using WP Super Cache can remotely execute code by way of a specially crafted comment left on the blog. The comment may even be moderated and it will still cause a problem. If you allow untrusted user content on your site through other means it should also be filtered in a similar way. See the function no_mfunc_in_comments for the existing filter. This will be mitigated in the next release by using a security keyword in the mfunc/mclude/dynamic-cached-content tag.
- An XSS vulnerability was found in the settings page of the plugin. This has been fixed as well.
The dynamic cached content features are now disabled by default as they should really have been a long time ago. This was announced in the Upgrade Notice of the previous release so hopefully site owners will be prepared for it. If you depend on this feature you can enable it again on the Advanced Settings page. I would encourage you to use JavaScript instead for any dynamic features or use a short cache expiration time.
Support for the mobile theme in Jetpack has been added in this release by way of a helper plugin. If you enable this feature in Jetpack you should visit the Plugins tab of WP Super Cache and enable the Jetpack plugin there. Caching will be changed to PHP mode, and mobile device support enabled but you may have to manually remove the WP Super Cache mod_rewrite rules in the .htaccess at the root of your site.
I would like to thank WordPress.org user kisscsaby for finding the mfunc problem in WP Super Cache and W3 Total Cache and Frank Goossens for his help fixing it.
Edit: I should have stated this above. I did not know about the issue with mfunc until 3 weeks after kisscsaby posted it to a public forum. I don’t read every post on the support forum unfortunately and the user did not email me. I released version 1.3 within a day of hearing about the problem. Unfortunately the XSS vulnerability became known 24 hours after that, requiring another release within 36 hours of the previous one. When it became clear that mfunc could be exploited still I released version 1.3.2.
I’m leaning towards removing the mfunc/mclude/dynamic-cached-content feature completely. It’s only used by a tiny minority of users (who will be inconvenienced, sorry) but it’s dangerous code to have in the plugin.
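The filtering of untrusted content recommended above, sketched as an added example (not code from WP Super Cache, and not a copy of no_mfunc_in_comments). It assumes the legacy tags appear as HTML comments such as `<!--mfunc ...-->`; the function names and sample strings are hypothetical and constructed for illustration.

```php
<?php
// Added example, not plugin code. Tag names are taken from the post; the
// HTML-comment form of the tags is an assumption about the legacy syntax.
const LEGACY_DYNAMIC_TAGS = ['mfunc', 'mclude', 'dynamic-cached-content'];

/** List the legacy dynamic-cache tag names found inside HTML comments. */
function find_dynamic_tags(string $content): array
{
    $names = implode('|', array_map('preg_quote', LEGACY_DYNAMIC_TAGS));
    // "<!--", optional whitespace, optional "/", then one of the tag names.
    if (!preg_match_all('~<!--\s*/?\s*(' . $names . ')\b~i', $content, $m)) {
        return [];
    }
    return array_values(array_unique(array_map('strtolower', $m[1])));
}

/**
 * Escape every HTML comment delimiter in untrusted content. Untrusted text
 * has no need for HTML comments, so escaping all of them avoids depending
 * on exactly how the cache layer recognises its own tags.
 */
function neutralize_untrusted_content(string $content): string
{
    return str_replace(['<!--', '-->'], ['&lt;!--', '--&gt;'], $content);
}

// Inside WordPress the same function can run on incoming comment text.
if (function_exists('add_filter')) {
    add_filter('pre_comment_content', 'neutralize_untrusted_content');
}

// Constructed sample inputs with placeholder bodies.
$samples = [
    'Nice post, thanks!',
    'Hello <!--mfunc placeholder --><!--/mfunc--> world',
    'Hi <!-- MCLUDE placeholder.php --><!--/mclude-->',
];

foreach ($samples as $raw) {
    $tags  = find_dynamic_tags($raw);
    $clean = neutralize_untrusted_content($raw);
    // After escaping, no tag may still be recognisable as an HTML comment.
    if (find_dynamic_tags($clean) !== []) {
        throw new RuntimeException('tag survived neutralization');
    }
    printf("%-8s %s\n", $tags ? implode(',', $tags) : 'clean', $clean);
}
```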
Hi Donncha,
You may want to have a look at this comment stream http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html
Has the code execution been removed completely for instance? 1 comment suggests that it is still there?
As I said above, if there are other ways for users to put untrusted content on your blog then this can be exploited, but only if “dynamic cached content” is enabled. If it’s turned off it can’t be exploited.
A comment on Reddit suggests that markdown will still allow the code to be executed on blogs that have this feature turned on unfortunately.
It’s something WP Super Cache inherited from WP Cache, but I never liked it or recommended using it. I’m strongly considering removing the feature completely.
I think you should remove it.
Agreed, I’m going to replace it with a filter that the user will use to search/replace their own secret template tags in the html code of the page.
I look after quite a few websites and have used the plugin on 20+ currently – (all updated) thanks for all your hard work on this.
More generally the security risks from plugins or other systems (cpanel) & Apache make it complicated to keep ahead of the security risks.
I would think – best to take out that inherited code – it has to be safer for everyone then.
Thanks for this update.
Does it ring a bell?
eval(base64_decode( redacted )); –>
I’ve completely replaced the eval() code. Here’s an example script that shows the current server time in a html comment.
The development version should update in the next 20 minutes or grab it from trunk if you’d like to play with it.
While it’s going to be a big change for users I think the example script will help a lot.
I feel a little more improvement after the current update; it seems like the website is performing better than before while using Internet Explorer…
Thanks,
Hello, after updating the plugin to the new version our site went completely blank and it says that the header in the php template cannot be reached or the request cannot be processed. Please help as it is a most urgent thing.
Take a look in your PHP error log for any errors and if you can’t fix it then uninstall the plugin. There are instructions here for if WordPress isn’t working:
http://wordpress.org/extend/plugins/wp-super-cache/other_notes/
Hi Donncha,
In a post on the WordPress forums you mentioned that the next version of Super Cache will remove mfunc entirely and you’ll be making a custom tag for dynamic caching.
Do you have any idea on a timescale as to when this release will be? Not to rush you or anything, I’m just curious to know so that I can plan my site release around it.
Thanks!
ransom1337 – I had hoped to release it this week but I haven’t had time to update the readme.txt or write a blog post suggesting how to migrate from using mfunc to the new filter. It’ll probably be nearer the end of next week but I would encourage you to use the development version of WP Super Cache and look at the test plugin included in it.
I just downloaded it and freaked out at the fact that I might screw something up. I’ll wait until the official release. Thanks for the quick response, though! It’s a wonder why the author of the W3TC plugin isn’t doing any dynamic stuff like this. Cheers.
No, W3TC supports mfunc and mclude and that plugin had the same security issue. The latest version of that plugin adds a security code to the mfunc command that is required to execute any code.
I had thought about implementing a similar system but since it won’t be backwards compatible anyway, I think it’s better to use a filter and avoid using eval() completely.
Ah, okay so I gave it a shot anyway, and it seems as though the “Dynamic Cache Test” plugin is missing from the plugins section. Hope that helps you in your quest!
Edit the file dynamic-cache-test.php in the plugins directory and you’ll see all the code is commented out. I’ve just updated that file so you might want to grab the development version again in about 20 minutes.
It’s using a constant for the template tag now so users will have to come up with their own secret one.
Also, the plugin is always active once the code is uncommented and that constant defined. I didn’t bother with a nice UI to toggle it.
Haha, I’m a designer with no real PHP experience so I’m afraid to say I have no idea how to use this tag at all. I guess I’d best await the documentation! I hope it’s fool-proof 😛
Thanks for your help dude, I really appreciate the replies.
Official announcement of the new dynamic cache system here.