Support » Plugins » [Plugin: W3 Total Cache] Security Alert

  • I really want to like this plugin, but it’s certainly not ready to be installed on an Nginx system.

    I went to log into the admin console of one of my blogs today and I got a very rude shock. An error message that revealed my server's MySQL Admin username and password!

    Here is what was displayed:

    #0 W3_Config->instance() called at [/home/public_html/secretblogurl.com/public/wp-content/plugins/w3-total-cache/lib/W3/Db.php:82]
    #1 W3_Db->__construct(MySQL_Database_AdminAccount, AdminAccount_Password, Database_Name, localhost) called at [/home/public_html/secretblogurl.com/public/wp-content/plugins/w3-total-cache/lib/W3/Db.php:360]
    #2 W3_Db::instance() called at [/home/public_html/secretblogurl.com/public/wp-content/db.php:13]
    #3 require_once(/home/public_html/secretblogurl.com/public/wp-content/db.php) called at [/home/public_html/secretblogurl.com/public/wp-includes/functions.php:2770]
    #4 require_wp_db() called at [/home/public_html/secretblogurl.com/public/wp-settings.php:250]
    #5 require_once(/home/public_html/secretblogurl.com/public/wp-settings.php) called at [/home/public_html/secretblogurl.com/public/wp-config.php:76]
    #6 require_once(/home/public_html/secretblogurl.com/public/wp-config.php) called at [/home/public_html/secretblogurl.com/public/wp-load.php:30]
    #7 require_once(/home/public_html/secretblogurl.com/public/wp-load.php) called at [/home/public_html/secretblogurl.com/public/wp-admin/admin.php:20]
    #8 require_once(/home/public_html/secretblogurl.com/public/wp-admin/admin.php) called at [/home/public_html/secretblogurl.com/public/wp-admin/index.php:10]

    W3 Total Cache Error: Unable to read config file or it is broken. Please create /home/public_html/secretblogurl.com/public/wp-content/w3-total-cache-config.php from /home/public_html/secretblogurl.com/public/wp-content/plugins/w3-total-cache/w3-total-cache-config-default.php.

    http://wordpress.org/extend/plugins/w3-total-cache/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Chris, which PHP modules do you have installed? The only error the plugin itself provides is:

    W3 Total Cache Error: Unable to read config file or it is broken. Please create /home/public_html/secretblogurl.com/public/wp-content/w3-total-cache-config.php from /home/public_html/secretblogurl.com/public/wp-content/plugins/w3-total-cache/w3-total-cache-config-default.php.

    Are you running a plugin like xdebug or anything else that provides a stack trace?

    You may be thinking that the following indicates a security flaw in the plugin itself:

    #1 W3_Db->__construct(MySQL_Database_AdminAccount, AdminAccount_Password, Database_Name, localhost) called at [/home/public_html/secretblogurl.com/public/wp-content/plugins/w3-total-cache/lib/W3/Db.php:360]

    However, please note that wpdb::__construct (which is used) also has the same arguments, which as you probably know is part of the WordPress core.

  • Hi,

    All I know is that when I deleted your plugin via SSH, I was then able to login.

    Other plugins installed were:

    DISQUS Comment System
    Facebook Connect
    Google XML Sitemaps
    Lijit Search
    nginx Compatibility (PHP5)
    Paypal API Subscriptions
    Series
    SocioFluid
    Thesis OpenHook
    ThickBox Content
    WP Subdomains
    WP System Health

    “If there’s a web server you feel we should be actively testing (e.g. lighttpd), we’re interested in hearing”

    Nginx testing would be appreciated.

    Thanks,

    Chris
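
The trace quoted in this thread lists the database constructor's arguments, which is how the account name and password ended up on the page. The PHP below is an added example, not code from W3 Total Cache, WordPress or either poster: it shows a backtrace captured with and without argument values, with the argument-free version sent to the server log and only a generic message returned for display. `ExampleDb`, `format_frames`, `report_failure` and the credential strings are constructed for illustration.

```php
<?php
// Added example: not W3 Total Cache or WordPress code. ExampleDb, the
// helper names and the credential strings are constructed for illustration.

ini_set('display_errors', '0'); // do not render PHP errors into responses
ini_set('log_errors', '1');     // record them in the server error log

// Render frames in the "#N call(args) called at [file:line]" shape seen above.
function format_frames(array $frames): string
{
    $out = [];
    foreach ($frames as $i => $f) {
        $call = ($f['class'] ?? '') . ($f['type'] ?? '') . $f['function'];
        $args = implode(', ', array_map(
            static fn($a) => is_scalar($a) ? (string) $a : gettype($a),
            $f['args'] ?? [] // key is absent under DEBUG_BACKTRACE_IGNORE_ARGS
        ));
        $where = isset($f['file']) ? " called at [{$f['file']}:{$f['line']}]" : '';
        $out[] = "#{$i} {$call}({$args}){$where}";
    }
    return implode("\n", $out);
}

// Failure path: location context goes to the log without argument values,
// and the caller gets a message that is safe to show a visitor.
function report_failure(string $message): string
{
    $frames = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
    error_log($message . "\n" . format_frames($frames));
    return 'The site is experiencing technical difficulties.';
}

final class ExampleDb
{
    public function __construct(string $user, string $password, string $name, string $host)
    {
        // Default debug_backtrace() keeps argument values in every frame,
        // so this rendering contains $password. Printed here only to compare.
        echo "With arguments:\n" . format_frames(debug_backtrace()) . "\n\n";
        echo 'Shown to visitor: ' . report_failure('Unable to read config file') . "\n";
    }
}

new ExampleDb('example_user', 'example_password', 'example_db', 'localhost');
```

Run from the command line, the first rendering includes the constructed password while the logged trace (written to stderr by `error_log` in CLI mode) keeps the file and line of each frame with empty argument lists.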
