W3 Total Cache
[resolved] Big security threat (8 posts)

  1. arleuein
    Member
    Posted 3 years ago #

    One of my (nice) readers has informed me that he was automatically logged in as me (super admin) when he displayed a random page on my site. He could have done anything he wanted (create and delete posts, etc.)

    The "Page cache" option "Don't cache pages for logged in users" was turned off. When I reactivated it, the issue was fixed and my login is no longer used by every visitor.

    But it isn't very good for security, is it?

    In French:

    One of my readers kindly informed me that when visiting any page on my site, he was automatically logged in with my account (super admin) and had access to all the administration tasks.

    The option "Don't cache pages for logged in users" was turned off. After reactivating it, the problem was solved.

    But it's rather worrying for the security of one's blog, this kind of discovery...

  2. extesy
    Member
    Posted 3 years ago #

    The author doesn't read this forum. Please use "contact support" form inside plugin configuration menu to tell him about this issue.

  3. arleuein
    Member
    Posted 3 years ago #

    Okay. Plugin developers don't need to read this forum, and that is why W3 Total Cache is marked as "broken". I don't understand their mind.

  4. Dave
    Member
    Posted 3 years ago #

    I think Frederick does read here. Doesn't reply much mind you.

    But when you do go to the official site and click on support it brings you here. So one would presume this is where "free" support is found, as opposed to paid.

  5. Frederick Townes
    Member
    Plugin Author

    Posted 3 years ago #

    Free support is found here and in the plugin by submitting a bug submission form. This summer I have not had time for the forums. When you disable "Don't cache pages for logged in users" (which is checked by default), you will expose the authenticated data for URLs that public users also visit. There are cases where it doesn't matter that this occurs, that's why it's an option; however, it's enabled by default because it's best that someone decides to modify that behavior consciously and is aware of the implications.
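
The failure mode described in the reply above, as an added Python simulation (this is not code from W3 Total Cache or from anyone in this thread): a toy full-page cache keyed only on the URL stores whatever HTML was rendered for the first request, so if that request came from a logged-in admin, the admin's session-specific markup (toolbar, dashboard links) is served to every anonymous visitor afterwards. The cookie name `wp_session`, the session table and the page markup are all constructed for this example and do not match WordPress's real cookies; the `cache_logged_in` flag models the "Don't cache pages for logged in users" option being turned OFF (`True`) or left at its default ON (`False`).

```python
"""Toy page cache showing why caching pages rendered for logged-in users
leaks their authenticated view to the public, and the bypass that fixes it.
Added example; not W3 Total Cache code."""
from dataclasses import dataclass, field

# Constructed for this example: name of the auth cookie the toy app uses.
AUTH_COOKIE = "wp_session"

# Constructed session table: cookie value -> display name.
SESSIONS = {"s3cr3t-admin-token": "admin"}


def render(path: str, cookies: dict) -> str:
    """Render a page. Logged-in users get an admin toolbar in the markup,
    which is the kind of per-session content a shared cache must not keep."""
    user = SESSIONS.get(cookies.get(AUTH_COOKIE, ""))
    body = f"<h1>{path}</h1>"
    if user:
        body += (f'<div id="wpadminbar">Howdy, {user} | '
                 f'<a href="/wp-admin/">Dashboard</a></div>')
    return body


@dataclass
class PageCache:
    # True models the option "Don't cache pages for logged in users" being
    # turned OFF: logged-in requests are cached and served like anyone else's.
    cache_logged_in: bool
    store: dict = field(default_factory=dict)   # URL path -> cached HTML
    hits: int = 0

    def serve(self, path: str, cookies: dict) -> str:
        logged_in = AUTH_COOKIE in cookies
        if logged_in and not self.cache_logged_in:
            # Safe default: logged-in users neither read nor populate the cache.
            return render(path, cookies)
        if path in self.store:
            self.hits += 1
            return self.store[path]
        html = render(path, cookies)
        self.store[path] = html        # cache is keyed on the URL only
        return html


def simulate(cache_logged_in: bool) -> dict:
    """The admin visits /hello first (warming the cache), then two anonymous
    visitors request the same URL. Report what each party received."""
    cache = PageCache(cache_logged_in=cache_logged_in)
    admin_view = cache.serve("/hello", {AUTH_COOKIE: "s3cr3t-admin-token"})
    anon_view = cache.serve("/hello", {})
    cache.serve("/hello", {})          # second anonymous visitor: a cache hit either way
    return {
        "admin_saw_toolbar": "wpadminbar" in admin_view,
        "visitor_saw_toolbar": "wpadminbar" in anon_view,
        "cache_hits": cache.hits,
    }


if __name__ == "__main__":
    print("option OFF (cache logged-in pages):", simulate(cache_logged_in=True))
    print("option ON  (default, bypass):       ", simulate(cache_logged_in=False))
```

With the option off, the anonymous visitor receives the page exactly as it was rendered for the admin; with the default bypass in place, anonymous visitors only ever see HTML that was rendered for an anonymous request, and the public pages are still served from cache. The same reasoning applies to any reverse proxy or CDN in front of WordPress: a cache that does not vary on (or bypass for) the authentication cookie will leak whichever user's page was rendered first.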

  6. arleuein
    Member
    Posted 3 years ago #

    Ok, thanks for this explanation. Adding a warning message in the option label could be a good idea.

  7. Frederick Townes
    Member
    Plugin Author

    Posted 3 years ago #

    If you have better wording than the existing caption please advise.

  8. arleuein
    Member
    Posted 3 years ago #

    Users that have signed in to WordPress (e.g. administrators) will never view cached pages if enabled. Warning: disabling this may cause some security issues (e.g. letting visitors be logged in with your account). Disable it only if you know what you are doing!

    ---

    If you are looking for a French translation, I can try to do it ;-)

Topic Closed

This topic has been closed to new replies.