Dear wp-super-cache/w3-total-cache developers,
As you may be aware, WordPress allows some HTML in comments, including HTML comments. With wp-super-cache or w3-total-cache installed, PHP code, by design, is allowed in comments too. Not to mention that a relatively harmless XSS bug (or feature, depending on who you ask) is elevated into server-side code execution.
The following examples work with wp-super-cache and w3-total-cache; all you need to do is post a comment with:
- to display time and date:
<!--mfunc eval(base64_decode( redacted )); --><!--/mfunc-->
- php shell/backdoor upload:
<!--mfunc eval(base64_decode( also redacted, see a trend here ;) )); --><!--/mfunc-->
The shell will eval($_POST["e"]) and can be accessed at: http://path/to/blog/wp-content/redacted
I suggest you remove the mfunc/mclude features entirely; it's way too hazardous to parse and execute the output.
Below you'll find the same proof-of-concept examples escaped with base64:
[ Just plain deleted ]
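The check a site owner or incident responder would want after reading the above, as an added example that is not part of the original post and not code from either plugin: a Python scanner that walks stored comment text for mfunc/mclude markers, reports the code each one carries (decoding an eval(base64_decode("...")) payload so it can be read), flags unterminated markers instead of ignoring them, and shows one way to neutralise the markers by stripping them before the text reaches the cache layer. The marker syntax is the one shown in the post; the variant with the code between the opening and closing markers is an assumption, and the comment rows are constructed.

```python
"""Scan stored WordPress comment text for wp-super-cache / w3-total-cache
mfunc and mclude markers and decode eval(base64_decode("...")) payloads
found inside them for triage.

Added example for this post; it is not code from the post or from either
plugin. Marker syntax follows the post (<!--mfunc CODE --><!--/mfunc-->);
the second form, with the code between the markers, is an assumption.
The sample comments below are constructed.
"""
import base64
import re

TAGS = r"mfunc|mclude"

# Opening marker: <!--mfunc CODE --> or <!-- mfunc --> (code follows).
OPEN_RE = re.compile(
    r"<!--\s*(?P<tag>" + TAGS + r")\b(?P<args>.*?)-->",
    re.IGNORECASE | re.DOTALL,
)
# Closing marker: <!--/mfunc--> or <!-- /mfunc -->.
CLOSE_RE = re.compile(r"<!--\s*/(?:" + TAGS + r")\s*-->", re.IGNORECASE)
# A complete open/close pair of the same tag, with whatever sits between.
PAIR_RE = re.compile(
    r"<!--\s*(?P<tag>" + TAGS + r")\b(?P<args>.*?)-->"
    r"(?P<inner>.*?)<!--\s*/(?P=tag)\s*-->",
    re.IGNORECASE | re.DOTALL,
)
# base64_decode('...') / base64_decode("...") as used in the post's payloads.
B64_RE = re.compile(
    r"base64_decode\s*\(\s*['\"](?P<blob>[A-Za-z0-9+/=\s]+)['\"]\s*\)",
    re.IGNORECASE,
)


def decode_payload(code):
    """Return the decoded base64 blob inside base64_decode(...), or None if
    there is none or it is not valid base64."""
    m = B64_RE.search(code)
    if not m:
        return None
    blob = re.sub(r"\s+", "", m.group("blob"))
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def _finding(comment_id, m, code, terminated):
    return {
        "comment_id": comment_id,
        "offset": m.start(),
        "tag": m.group("tag").lower(),
        "code": code,
        "decoded": decode_payload(code),
        "terminated": terminated,
    }


def scan_comment(comment_id, text):
    """Return one finding per marker in one comment. Unterminated opening
    markers are reported too (terminated=False) rather than ignored."""
    findings = []
    paired_starts = set()
    for m in PAIR_RE.finditer(text):
        paired_starts.add(m.start())
        code = (m.group("args") + m.group("inner")).strip()
        findings.append(_finding(comment_id, m, code, True))
    for m in OPEN_RE.finditer(text):
        if m.start() not in paired_starts:
            findings.append(_finding(comment_id, m, m.group("args").strip(), False))
    findings.sort(key=lambda f: f["offset"])
    return findings


def scan_comments(rows):
    """rows: iterable of (comment_id, comment_content) pairs."""
    findings = []
    for comment_id, text in rows:
        findings.extend(scan_comment(comment_id, text))
    return findings


def strip_markers(text):
    """Remove opening markers (with any code inside them) and closing markers,
    so the caching layer finds nothing to execute. Text between a pair of
    markers is kept as ordinary comment text, which is harmless once the
    markers are gone."""
    return CLOSE_RE.sub("", OPEN_RE.sub("", text))


# Constructed sample rows, as (comment_ID, comment_content) from wp_comments.
SAMPLE_COMMENTS = [
    (101, "Nice post, thanks!"),
    (102, '<!--mfunc eval(base64_decode("ZWNobyBkYXRlKCdZLW0tZCcpOw==")); -->'
          '<!--/mfunc-->'),
    (103, "A <!-- plain html comment --> and some <b>bold</b> text are fine."),
    (104, "<!-- mfunc -->echo 'between the markers';<!-- /mfunc -->"),
    (105, "<!--mclude extra.php--> no closing marker"),
]

if __name__ == "__main__":
    for f in scan_comments(SAMPLE_COMMENTS):
        state = "" if f["terminated"] else "(unterminated) "
        print(f"comment {f['comment_id']}: {f['tag']} {state}"
              f"code={f['code']!r} decoded={f['decoded']!r}")
```

Run it over a dump of wp_comments.comment_content, and also over the generated files under wp-content/cache, since the cached copy is where the code was actually evaluated. Stripping the markers only prevents future execution; a marker already found in a stored comment means the code has most likely run, so treat the site as compromised and look for the dropped shell under wp-content as the post describes.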