WordPress.org


[Plugin: W3 Total Cache] Security Alert (3 posts)

  1. chris_foster
    Member
    Posted 4 years ago #

    I really want to like this plugin, but it's certainly not ready to be installed on an Nginx system.

    I went to log into the admin console of one of my blogs today and I got a very rude shock. An error message that revealed my server's MySQL Admin username and password!

    Here is what was displayed:

    #0 W3_Config->instance() called at [/home/public_html/secretblogurl.com/public/wp-content/plugins/w3-total-cache/lib/W3/Db.php:82]
    #1 W3_Db->__construct(MySQL_Database_AdminAccount, AdminAccount_Password, Database_Name, localhost) called at [/home/public_html/secretblogurl.com/public/wp-content/plugins/w3-total-cache/lib/W3/Db.php:360]
    #2 W3_Db::instance() called at [/home/public_html/secretblogurl.com/public/wp-content/db.php:13]
    #3 require_once(/home/public_html/secretblogurl.com/public/wp-content/db.php) called at [/home/public_html/secretblogurl.com/public/wp-includes/functions.php:2770]
    #4 require_wp_db() called at [/home/public_html/secretblogurl.com/public/wp-settings.php:250]
    #5 require_once(/home/public_html/secretblogurl.com/public/wp-settings.php) called at [/home/public_html/secretblogurl.com/public/wp-config.php:76]
    #6 require_once(/home/public_html/secretblogurl.com/public/wp-config.php) called at [/home/public_html/secretblogurl.com/public/wp-load.php:30]
    #7 require_once(/home/public_html/secretblogurl.com/public/wp-load.php) called at [/home/public_html/secretblogurl.com/public/wp-admin/admin.php:20]
    #8 require_once(/home/public_html/secretblogurl.com/public/wp-admin/admin.php) called at [/home/public_html/secretblogurl.com/public/wp-admin/index.php:10]

    W3 Total Cache Error: Unable to read config file or it is broken. Please create /home/public_html/secretblogurl.com/public/wp-content/w3-total-cache-config.php from /home/public_html/secretblogurl.com/public/wp-content/plugins/w3-total-cache/w3-total-cache-config-default.php.

    http://wordpress.org/extend/plugins/w3-total-cache/

  2. Frederick Townes
    Member
    Posted 4 years ago #

    Chris, which PHP modules do you have installed? The only error the plugin itself provides is:

    W3 Total Cache Error: Unable to read config file or it is broken. Please create /home/public_html/secretblogurl.com/public/wp-content/w3-total-cache-config.php from /home/public_html/secretblogurl.com/public/wp-content/plugins/w3-total-cache/w3-total-cache-config-default.php.

    Are you running a plugin like xdebug or anything else that provides a stack trace?

    You may be thinking that the following indicates a security flaw in the plugin itself:

    #1 W3_Db->__construct(MySQL_Database_AdminAccount, AdminAccount_Password, Database_Name, localhost) called at [/home/public_html/secretblogurl.com/public/wp-content/plugins/w3-total-cache/lib/W3/Db.php:360]

    However, please note that wpdb::__construct (which is used) also has the same arguments, which as you probably know is part of the WordPress core.

  3. chris_foster
    Member
    Posted 4 years ago #

    Hi,

    All I know is that when I deleted your plugin via SSH, I was then able to login.

    Other plugins installed were:

    DISQUS Comment System
    Facebook Connect
    Google XML Sitemaps
    Lijit Search
    nginx Compatibility (PHP5)
    Paypal API Subscriptions
    Series
    SocioFluid
    Thesis OpenHook
    ThickBox Content
    WP Subdomains
    WP System Health

    "If there's a web server you feel we should be actively testing (e.g. lighttpd), we're interested in hearing"

    Nginx testing would be appreciated.

    Thanks,

    Chris

Topic Closed

This topic has been closed to new replies.
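
A check a site owner could run over fetched pages to catch the kind of leak shown in the first post, as an added example that is not part of the thread or of the plugin's code: it parses frames in the layout quoted above and reports them with argument values and directory paths stripped. The `SENSITIVE` name list, the function names and the sample body are assumptions constructed for illustration.

```python
import re

# Frame layout as shown in the thread:
#   #N Class->method(arg, ...) called at [/abs/path/file.php:LINE]
FRAME_RE = re.compile(
    r"#(?P<idx>\d+)\s+(?P<func>\w+(?:(?:->|::)\w+)?)"
    r"\((?P<args>[^()]*)\)\s+called at \[(?P<file>[^\]:]+):(?P<line>\d+)\]"
)
# Assumption: callables whose arguments are likely to carry secrets.
SENSITIVE = re.compile(r"(?i)__construct|connect|login|auth")
INCLUDES = {"require", "require_once", "include", "include_once"}

# Constructed sample body; paths and argument values are placeholders.
SAMPLE = (
    "<html><body>\n"
    "#0 W3_Config->instance() called at [/srv/www/example.test/lib/W3/Db.php:82]\n"
    "#1 W3_Db->__construct(db_user_placeholder, db_pass_placeholder, db_name, "
    "localhost) called at [/srv/www/example.test/lib/W3/Db.php:360]\n"
    "#2 require_once(/srv/www/example.test/wp-content/db.php) called at "
    "[/srv/www/example.test/wp-includes/functions.php:2770]\n"
    "</body></html>"
)

def scan_body(body):
    """Return one finding per backtrace frame found in a response body."""
    findings = []
    for m in FRAME_RE.finditer(body):
        func, args = m["func"], m["args"].strip()
        # include/require frames carry a file path, not call arguments.
        nargs = 0 if (func in INCLUDES or not args) else len(args.split(","))
        shown = "<redacted>" if args else ""
        findings.append({
            "frame": int(m["idx"]),
            "function": func,
            "leaks_path": m["file"].startswith("/"),
            "leaks_args": nargs > 0,
            "likely_secret": nargs > 0 and bool(SENSITIVE.search(func)),
            # The report never echoes argument values or directory names.
            "redacted": f"#{m['idx']} {func}({shown}) called at "
                        f"[{m['file'].rsplit('/', 1)[-1]}:{m['line']}]",
        })
    return findings

def severity(findings):
    """Summarise the worst exposure: 'credentials', 'paths' or 'none'."""
    if any(f["likely_secret"] for f in findings):
        return "credentials"
    if any(f["leaks_path"] or f["leaks_args"] for f in findings):
        return "paths"
    return "none"
```
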
