Incident

Detailed attack flow: Unpatched Ferrari Website Plugin Exposes Database Credentials

Take action: Security by obscurity doesn't work. Never assume a vulnerability can't be exploited just because an attacker can't guess other details of your system, such as file paths, host names or the software layout. An attacker has all the time in the world to try common-sense guesses until one of them works.


Learn More

A critical flaw was discovered unpatched in Ferrari's CMS, leading to an arbitrary file read vulnerability and exposure of database credentials. The vulnerability specifically affected the media.ferrari.com subdomain, which was utilizing an outdated version of the WordPress plugin W3 Total Cache.

Analysis revealed that Ferrari was using an outdated version (0.9.3) of the W3 Total Cache plugin, which is vulnerable to CVE-2019-6715: versions of W3 Total Cache prior to 0.9.4 were susceptible to an unauthenticated arbitrary file read vulnerability.

Attack flow:

  1. Exploiting this vulnerability required locating the wp-config.php file on the server. The research team determined that Ferrari was running on Ubuntu 14.04.5 LTS, as confirmed by examining the /etc/issue file.
  2. The HTTP server was identified as Apache by sending a request to /etc/apache2/apache.conf, which loaded the Apache configuration file.
  3. The virtual-host configuration file, named media.ferrari.com, was found at /etc/apache2/sites-enabled/media.ferrari.com, after making educated guesses.
  4. To discover the DocumentRoot path serving the WordPress files, a cURL request was sent to the virtual-host configuration file, revealing the path.
  5. The wp-config.php file was then located at /home/web/mediaferrari/wp-config.php, which contained sensitive information such as database details and keys.
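The root cause above is an installed plugin that was never upgraded past the fixed version. The following script is an added example (not code from the page or from Ferrari's team) that audits a WordPress plugins directory by reading each plugin's `Version:` header and comparing it against a table of first-fixed versions; the W3 Total Cache entry comes from this page, while the table shape, the helper names and the sample site written to a temporary directory are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Assumed advisory table: plugin slug -> (first fixed version, reference).
# The single entry comes from this page; any real audit would load a fuller list.
FIXED_VERSIONS = {
    "w3-total-cache": ("0.9.4", "CVE-2019-6715"),
}

# WordPress plugin headers are plain "Key: value" lines inside a PHP comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(v):
    """'0.9.3' -> (0, 9, 3). Numeric components only; stops at the first non-digit part."""
    parts = []
    for p in re.split(r"[.\-]", v):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def plugin_version(plugin_dir):
    """Return the declared version of a plugin, or None if no header is found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        m = HEADER_RE.search(php.read_text(errors="ignore")[:8192])
        if m:
            return m.group(1)
    return None


def audit_plugins(plugins_root):
    """List (slug, installed, first_fixed, reference) for every plugin below a fixed version."""
    findings = []
    for entry in sorted(Path(plugins_root).iterdir()):
        installed = plugin_version(entry) if entry.is_dir() else None
        if installed and entry.name in FIXED_VERSIONS:
            fixed, ref = FIXED_VERSIONS[entry.name]
            if parse_version(installed) < parse_version(fixed):
                findings.append((entry.name, installed, fixed, ref))
    return findings


def build_sample_site(version):
    """Constructed sample: a minimal wp-content/plugins tree with one W3 Total Cache install."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    (root / "w3-total-cache").mkdir(parents=True)
    (root / "w3-total-cache" / "w3-total-cache.php").write_text(
        "<?php\n/*\nPlugin Name: W3 Total Cache\nVersion: %s\n*/\n" % version)
    return root
```

Run `audit_plugins(build_sample_site("0.9.3"))` to see the vulnerable install flagged, and `build_sample_site("0.9.4")` to confirm a patched install produces no finding.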

The vulnerability was responsibly disclosed to Ferrari through their Responsible Disclosure Program, prompting their security team to promptly address and resolve the issue.
