LiteSpeed Cache bug leaks cookies through debug log, exposing WordPress sites to account takeover attacks
Take action: Logging cookies or passwords in an application or debug log is a common mistake, and a terrible one: it exposes every logged credential to abuse, at minimum by disgruntled employees and, if the logs can leak as they did with LiteSpeed, by anyone. Patch your LiteSpeed plugin ASAP, remove old debug logs and lock down debug log access. Don't delay.
A critical vulnerability has been discovered in the LiteSpeed Cache plugin, which is used by over 6 million WordPress websites to enhance performance by caching content.
The vulnerability, tracked as CVE-2024-44000 (CVSS score varies from 7.5 to 9.8), is classified as an unauthenticated account takeover flaw.
The vulnerability stems from the plugin's debug logging feature, which logs all HTTP response headers, including the "Set-Cookie" header, into a file when enabled. Since these headers contain session cookies used to authenticate users, an attacker could exploit this flaw to impersonate an admin user and gain complete control of the affected site.
To exploit the vulnerability, an attacker needs to access the debug log file located at '/wp-content/debug.log'. If the file access restrictions (such as .htaccess rules) are not properly configured, the attacker can access this file by entering the correct URL. The risk increases if the debug feature has been activated previously and the logs have not been cleared, as even past login events could have been recorded.
The flaw was discovered by a Patchstack security researcher. LiteSpeed Technologies addressed the problem in version 6.5.0.1 of the plugin by implementing several changes:
- Relocated Debug Log File: Moved the debug log file to a dedicated folder at '/wp-content/litespeed/debug/'.
- Randomized Log Filenames: Assigned random strings for log filenames, which consist of a substring of the MD5 hash value of the AUTH_KEY.
- Removed Cookie Logging: Disabled the option to log cookies in the debug log.
- Stripped Cookies from Headers: Removed any cookie-related information from the HTTP response headers.
- Added a Dummy Index File: Placed a dummy index.php file inside the new debug directory to prevent directory listing.
Users of the LiteSpeed Cache plugin are strongly advised to patch their plugin, remove all old debug.log files from their servers to eliminate potentially compromised session cookies, and set appropriate .htaccess rules to prevent direct access to the log files. Even with the new randomized names, the log files could still be guessed through brute-force attempts.
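Before deleting an old debug.log, it helps to know which accounts had session cookies recorded in it. The following is an added example (not code from LiteSpeed, Patchstack or the original article) that scans log text for WordPress auth cookies in Set-Cookie headers and redacts them; the sample log lines and their prefix are constructed, and the cookie value layout assumed is WordPress's standard username|expiration|token|hmac.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# WordPress auth cookie names: wordpress_logged_in_<hash>, wordpress_sec_<hash>,
# wordpress_<hash>. The value is URL-encoded in the header ("|" becomes "%7C").
COOKIE_RE = re.compile(
    r"Set-Cookie:\s*(wordpress_(?:logged_in_|sec_)?[0-9a-f]{32})=([^;\s]+)",
    re.IGNORECASE,
)

# Constructed sample input; the real debug log's line prefix may differ.
SAMPLE_LOG = """\
2024-09-05 10:00:01 [debug] Set-Cookie: wordpress_logged_in_0123456789abcdef0123456789abcdef=admin%7C4102444800%7CtokenAAAA%7Chmac1111; path=/; HttpOnly
2024-09-05 10:00:02 [debug] Set-Cookie: wordpress_logged_in_0123456789abcdef0123456789abcdef=editor%7C1700000000%7CtokenBBBB%7Chmac2222; path=/; HttpOnly
2024-09-05 10:00:03 [debug] Cache-Control: no-cache
"""

def find_exposed_sessions(log_text, now=None):
    """Return one record per (user, cookie name) whose auth cookie was logged."""
    now = now or datetime.now(timezone.utc)
    found = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for name, raw in COOKIE_RE.findall(line):
            parts = unquote(raw).split("|")
            if len(parts) != 4 or not parts[1].isdigit():
                continue  # cleared cookie or a value that is not an auth cookie
            expires = datetime.fromtimestamp(int(parts[1]), tz=timezone.utc)
            key = (parts[0], name)
            rec = found.get(key)
            if rec is None or expires > rec["expires"]:
                # still_valid reflects the cookie's own expiry timestamp only
                found[key] = {"user": parts[0], "cookie": name, "line": lineno,
                              "expires": expires, "still_valid": expires > now}
    return sorted(found.values(), key=lambda r: (r["user"], r["cookie"]))

def redact(log_text):
    """Blank out auth cookie values so the log can be kept without credentials."""
    return COOKIE_RE.sub(lambda m: f"Set-Cookie: {m.group(1)}=[REDACTED]", log_text)

if __name__ == "__main__":
    for r in find_exposed_sessions(SAMPLE_LOG):
        print(r["user"], r["expires"].isoformat(), "valid" if r["still_valid"] else "expired")
```

Accounts reported with an unexpired cookie are the ones whose sessions should be invalidated after patching; the token and HMAC fields are deliberately never returned or printed.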