Title: [SECURITY FLAW] HTML code shows infrastructure specific data
Last modified: August 22, 2016

---

# [SECURITY FLAW] HTML code shows infrastructure specific data

 *  [Rick Mac gillis](https://wordpress.org/support/users/cozylife/)
 * (@cozylife)
 * [11 years, 5 months ago](https://wordpress.org/support/topic/security-flaw-html-code-shows-infrastructure-specific-data/)
 * Hackers look for various scraps of data to figure out the best attack vectors.
   One of the ways they do so is to examine the HTML source code especially for 
   comments. W3 Total Cache aids in allowing attackers to understand what type of
   caching is taking place in order to eliminate futile attack vectors.
 *     ```
       <!-- Performance optimized by W3 Total Cache. Learn more: http://www.w3-edge.com/wordpress-plugins/
   
       Page Caching using disk: enhanced
       Database Caching 2/10 queries in 0.002 seconds using disk
       Object Caching 1524/1531 objects using disk
   
        Served from: example.com @ 2015-01-07 15:07:56 by W3 Total Cache -->
       ```
   
 * What does this information tell an attacker?
    1. The website uses the W3 Total Cache plugin.
    2. The plugin is configured to use page caching, and it does so through the enhanced
       disk caching feature. The attacker should enable that feature on their testing
       rig if they wish to keep their activities more stealthy while they examine what
       security repercussions this may have.
    3. Database caching is turned on and the database contents are now stored on the
       same disk as the website is on. (Scary!) Now the attacker might be able to run
       arbitrary code somehow with `echo file_get_contents()` and they could gain access
       to any data that was once in the DB.
    4. 2/10 queries were cached to the database. (See above.)
    5. The caching ops took 0.002 seconds. A lengthy cache time could indicate a flaw
       in the server.
    6. Object caching is turned on. (See above.)
    7. 1524/1531 objects were cached. If the attacker examines the cache or poisons
       it, they could work their way through the system and perform a system takeover.
    8. The server reports the date that the cache was created. It could indicate when
       the attacker’s tools are now part of the system so that they know when to proceed
       with the next stage of their attack. It could also be used for other things,
       such as gauging how long the cache is valid for.
 * Marketing helps to keep businesses going, so it’s perfectly understandable that
   you include your advertisement in the free version. It’s better that the ad is
   in the HTML source instead of placing banners and other stuff on the site
   instead like other plugins may do.
 * Soliciting that the plugin exists on the system is still a security flaw, but
   it’s generally not such a problem, as attackers will try to aim their attacks
   more towards the core code of widely used projects such as WordPress, as they
   can always count on that code being present.
 * Higher profile sites are more susceptible to having their plugins known as the
   attacker will probably manually attack the site instead of using a bot to scan
   for vulnerable sites. In that case, a vulnerable plugin could give them leverage.
 * The other content, what’s being cached where, and for how long, should only be
   available to logged in administrators, not the end user. As an optimization system,
   you know that the less code, including comments, that the site sends to the browser,
   the smaller the file size.
 * Please make this change to enhance security and optimization. Thank you.
 * [https://wordpress.org/plugins/w3-total-cache/](https://wordpress.org/plugins/w3-total-cache/)

Viewing 4 replies - 1 through 4 (of 4 total)

 *  Thread Starter [Rick Mac gillis](https://wordpress.org/support/users/cozylife/)
 * (@cozylife)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/security-flaw-html-code-shows-infrastructure-specific-data/#post-5646483)
 * This plugin has yet to be updated to remove this security flaw. I also want to
   note that it’s setting the X-Powered-By header which also shows what technology
   the website is using.
 * `X-Powered-By: W3 Total Cache/0.9.4.1`
 *  [MadysonDesigns](https://wordpress.org/support/users/madysondesigns/)
 * (@madysondesigns)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/security-flaw-html-code-shows-infrastructure-specific-data/#post-5646484)
 * This is a little weird, but you can disable it like so in functions.php or wherever:
 *     ```
       // prevent W3 Total Cache from dumping comments in your footer
       add_filter( 'w3tc_can_print_comment', function( $w3tc_setting ) { return false; }, 10, 1 );
       ```
 *  Thread Starter [Rick Mac gillis](https://wordpress.org/support/users/cozylife/)
 * (@cozylife)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/security-flaw-html-code-shows-infrastructure-specific-data/#post-5646485)
 * Thank you. Hopefully they fix this issue soon.
 * Devs, check out OWASP’s security write-up on why having X-Powered-By, and other
   identifying marks, are bad for security. Pretty much any hacker worth their name
   can identify a WP site manually, and probably even program their bots to easily
   identify one. However, the real issue here is that version numbers help people
   find CVE and NVD entries much more readily, and if that version has a known flaw,
   it’s bye-bye website.
 * [https://www.owasp.org/index.php/Fingerprint_Web_Application_%28OTG-INFO-009%29](https://www.owasp.org/index.php/Fingerprint_Web_Application_%28OTG-INFO-009%29)
 *  [AJ @ WpFASTER.org](https://wordpress.org/support/users/ajm_1976/)
 * (@ajm_1976)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/security-flaw-html-code-shows-infrastructure-specific-data/#post-5646487)
 * Hi all,
 * The `X-Powered-By: W3 Total Cache/x.x.x.x` header can be disabled by un-ticking
   the “Set W3 Total Cache header” under the Browser Cache tab.
 * As far as the comments W3TC inserts, those can be removed via minifying HTML 
   with W3TC (it looks like you are minifying your site’s HTML with Autoptimize,
   Rick, which will not automatically remove W3TC’s comments). MadysonDesigns’ filter
   works too.
 * Best,
    AJ
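
A way to verify the mitigations from this thread against your own site, added here as an example and not code from any poster or from W3 Total Cache: it checks one response's headers and HTML for the footer comment quoted in the first post and for the `X-Powered-By` header, and returns no findings once both are disabled. The function name, finding labels and both sample responses are constructed for illustration.

```python
import re

# Constructed sample responses (modelled on the thread, not captured from a site).
LEAKY_HEADERS = {"Content-Type": "text/html", "X-Powered-By": "W3 Total Cache/0.9.4.1"}
LEAKY_BODY = """<html><body>hello</body></html>
<!-- Performance optimized by W3 Total Cache. Learn more: http://www.w3-edge.com/wordpress-plugins/

Page Caching using disk: enhanced
Database Caching 2/10 queries in 0.002 seconds using disk
Object Caching 1524/1531 objects using disk

 Served from: example.com @ 2015-01-07 15:07:56 by W3 Total Cache -->"""
CLEAN_HEADERS = {"Content-Type": "text/html"}
CLEAN_BODY = "<html><body>hello</body></html>"

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# Footer lines from the thread's sample, mapped to what each one discloses.
LINE_RULES = [
    (re.compile(r"^Page Caching using (.+)$"), "page cache backend"),
    (re.compile(r"^Database Caching .* using (.+)$"), "database cache backend"),
    (re.compile(r"^Object Caching .* using (.+)$"), "object cache backend"),
    (re.compile(r"^Served from: \S+ @ (.+?) by W3 Total Cache$"), "cache creation time"),
]

def audit_response(headers, body):
    """Return (what_is_disclosed, value) findings for one HTTP response."""
    findings = []
    for name, value in headers.items():
        # Header names are case-insensitive.
        if name.lower() == "x-powered-by" and "w3 total cache" in value.lower():
            version = value.rpartition("/")[2] if "/" in value else "unknown"
            findings.append(("plugin version (header)", version))
    for comment in COMMENT_RE.findall(body):
        if "W3 Total Cache" not in comment:
            continue  # unrelated HTML comment
        findings.append(("plugin presence (HTML comment)", "W3 Total Cache"))
        for line in comment.splitlines():
            for rule, label in LINE_RULES:
                m = rule.match(line.strip())
                if m:
                    findings.append((label, m.group(1)))
    return findings

if __name__ == "__main__":
    samples = {"before": (LEAKY_HEADERS, LEAKY_BODY), "after": (CLEAN_HEADERS, CLEAN_BODY)}
    for label, (hdrs, html) in samples.items():
        print(label, audit_response(hdrs, html))
```

Feed it the headers and body of a page fetched while logged out, since that is the response visitors and caches receive.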


The topic ‘[SECURITY FLAW] HTML code shows infrastructure specific data’ is closed
to new replies.


 * 4 replies
 * 3 participants
 * Last reply from: [AJ @ WpFASTER.org](https://wordpress.org/support/users/ajm_1976/)
 * Last activity: [11 years, 3 months ago](https://wordpress.org/support/topic/security-flaw-html-code-shows-infrastructure-specific-data/#post-5646487)
 * Status: not resolved