
[Resolved] Big security threat

  • One of my (nice) readers has informed me that he was automatically logged in as me (super admin) when he displayed a random page on my site. He could have done anything he wanted (create and delete posts, etc.)

    The “Page cache” option “Don’t cache pages for logged in users” was turned off. When I reactivated it, the issue was fixed and my login is no longer used by every visitor.

    But it isn’t very good for security, is it?

    In French (translated to English):

    One of my readers kindly informed me that when visiting any page on my site, he was automatically logged in with my account (super admin) and had access to all the administration tasks.

    The option “Disable caching for logged-in users” was turned off. After re-enabling it, the problem was resolved.

    But this kind of discovery is rather worrying for the security of one’s blog…

Viewing 7 replies - 1 through 7 (of 7 total)
  • The author doesn’t read this forum. Please use “contact support” form inside plugin configuration menu to tell him about this issue.

    Okay. Plugin developers don’t need to read this forum, and that is why W3 Total Cache is marked as “broken”. I don’t understand their mindset.

    I think Frederick does read here. Doesn’t reply much mind you.

    But when you do go to the official site and click on support it brings you here. So one would presume this is where “free” support is found, as opposed to paid.

    Plugin Author Frederick Townes

    @fredericktownes

    Free support is found here and in the plugin by submitting a bug submission form. This summer I have not had time for the forums. When you disable “don’t cache pages for logged in users” (which is checked by default), you will expose the authenticated data for URLs that public users also visit. There are cases where it doesn’t matter that this occurs, that’s why it’s an option, however, it’s enabled by default because it’s best that someone decide to modify that behavior consciously and be aware of the implications.
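The mechanism Frederick describes, shown as an added simulation written for this page (it is not W3 Total Cache's own code): a full-page cache keyed on the URL alone stores whatever the first visitor to a URL was served. With "Don't cache pages for logged in users" off, an admin who views a post first warms the cache with the page rendered for their session (admin bar, edit links, nonces), and every anonymous visitor to that URL then receives it. With the option on, authenticated requests bypass the cache and are never stored. The only real-world name used below is the WordPress login cookie prefix `wordpress_logged_in_`; the `Request`, `render`, `PageCache` and `leak_markers` helpers and the sample page content are constructed here.

```python
"""
Simulation of the W3 Total Cache failure mode discussed in this thread.

Added illustration written for this page, not the plugin's own code. The
only real-world name is the WordPress login cookie prefix
'wordpress_logged_in_'; everything else is constructed to show the mechanism.
"""
from dataclasses import dataclass, field

LOGIN_COOKIE_PREFIX = "wordpress_logged_in_"   # real WordPress cookie name prefix


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)

    def is_logged_in(self) -> bool:
        """WordPress marks an authenticated session with a wordpress_logged_in_* cookie."""
        return any(name.startswith(LOGIN_COOKIE_PREFIX) for name in self.cookies)


def render(req: Request) -> str:
    """Stand-in for WordPress rendering a page for one specific visitor.
    A logged-in user gets the admin bar, edit links and a per-user nonce
    baked into the HTML; an anonymous visitor gets the public page."""
    if req.is_logged_in():
        # Constructed values standing in for the admin's display name and nonce.
        return (f"<html>{req.path}<div id='wpadminbar'>Howdy, admin</div>"
                f"<a href='/wp-admin/post.php?action=edit&_wpnonce=deadbeef'>Edit</a></html>")
    return f"<html>{req.path}</html>"


class PageCache:
    """Full-page cache keyed on the URL only, as page caches normally are.

    skip_logged_in=True models "Don't cache pages for logged in users" (the
    default): authenticated requests bypass the cache and are never stored.
    skip_logged_in=False models the setting the original poster had turned off.
    """

    def __init__(self, skip_logged_in: bool):
        self.skip_logged_in = skip_logged_in
        self.store: dict = {}

    def get(self, req: Request) -> str:
        if self.skip_logged_in and req.is_logged_in():
            return render(req)               # never stored, so it cannot be served to others
        key = req.path                       # login state is not part of the key ...
        if key not in self.store:
            self.store[key] = render(req)    # ... so whoever arrives first fills the entry
        return self.store[key]


def leak_markers(html: str) -> list:
    """Indicators that a response was rendered for an authenticated user.
    Usable as a smoke test on the body returned to a cookie-less request."""
    return [m for m in ("wpadminbar", "_wpnonce", "/wp-admin/") if m in html]


def visitor_sees_admin_page(skip_logged_in: bool) -> bool:
    """Admin views a post first (warming the cache), then an anonymous visitor
    requests the same URL. True if the visitor receives the admin's page."""
    cache = PageCache(skip_logged_in)
    admin = Request("/some-post/",
                    {LOGIN_COOKIE_PREFIX + "abc123": "admin|1700000000|token|hmac"})  # constructed
    visitor = Request("/some-post/")
    cache.get(admin)
    return bool(leak_markers(cache.get(visitor)))


if __name__ == "__main__":
    print("option off, visitor gets admin page:", visitor_sees_admin_page(False))
    print("option on,  visitor gets admin page:", visitor_sees_admin_page(True))
```

Two practical points follow from the simulation. First, the leak depends on ordering: with the option off, an anonymous visitor who reaches the URL first stores the public version and the admin then sees a stale public page rather than a leak, which is why the problem can go unnoticed until an administrator happens to be the first viewer after a cache purge. Second, `leak_markers` is the kind of check to run against a real site: fetch a post without cookies (for example with `curl`) and confirm the body contains no `wpadminbar`, `_wpnonce` or `/wp-admin/` edit links.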

    Ok, thanks for this explanation. Adding a warning message in the option label could be a good idea.

    Plugin Author Frederick Townes

    @fredericktownes

    If you have better wording than the existing caption please advise.

    Users that have signed in to WordPress (e.g. administrators) will never view cached pages if enabled. Warning: disabling this may cause security issues (e.g. letting visitors be logged in with your account). Disable it only if you know what you are doing!

    If you are looking for a french translation, I can try to do it 😉

  • The topic ‘[Resolved] Big security threat’ is closed to new replies.