• Resolved arleuein

    (@arleuein)


    One of my (nice) readers has informed me that he was automatically logged in as me (super admin) when he displayed a random page on my site. He could have done everything he wanted (create and delete posts, etc.)

    The “Page cache” option “Don’t cache pages for logged in users” was turned off. When I reactivated it, the issue was fixed and my login is no longer used by every visitor.

    But that isn’t very good for security, is it?

    In French:

    One of my readers kindly informed me that, when visiting any page of my site, he was automatically logged in with my account (super admin) and had access to every administration task.

    The option “Disable caching for logged-in users” was turned off. After re-enabling it, the problem was resolved.

    But this kind of discovery is rather worrying for the security of one’s blog…

Viewing 7 replies - 1 through 7 (of 7 total)
  • The author doesn’t read this forum. Please use “contact support” form inside plugin configuration menu to tell him about this issue.

    Thread Starter arleuein

    (@arleuein)

    Okay. Plugin developers don’t need to read this forum, and that is why W3 Total Cache is marked as “broken”. I don’t understand their mind.

    I think Frederick does read here. Doesn’t reply much mind you.

    But when you do go to the official site and click on support it brings you here. So one would presume this is where “free” support is found, as opposed to paid.

    Plugin Contributor Frederick Townes

    (@fredericktownes)

    Free support is found here and in the plugin by submitting a bug submission form. This summer I have not had time for the forums. When you disable don’t cache pages for logged users (which is checked by default), you will expose the authenticated data for URLs that public users also visit. There are cases where it doesn’t matter that this occurs, that’s why it’s an option, however, it’s enabled by default because it’s best that someone decide to modify that behavior consciously and be aware of the implications.
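
    To make the behaviour Frederick describes concrete, here is a toy full-page cache (added example, not W3 Total Cache’s own code) that keys cached HTML by URL only. With the “skip logged-in users” safeguard off, the first visitor to a URL may be the administrator, and the HTML rendered for that session (admin bar, editing links, and so on) is then served verbatim to every anonymous visitor of the same URL. With the safeguard on, authenticated requests never read from or write to the cache. The cookie name, the rendered markup and the request objects are constructed stand-ins for WordPress behaviour; `leaked_pages` is a hypothetical audit helper that scans the store for markers of an authenticated render.

```python
"""Toy full-page cache showing why authenticated responses must bypass a URL-keyed cache."""
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)  # e.g. {"wordpress_logged_in": "admin"}


# Constructed stand-in for WordPress rendering: the same URL produces different HTML
# for a logged-in user (admin bar, edit links) and for an anonymous visitor.
def render(req: Request) -> str:
    user = req.cookies.get("wordpress_logged_in")
    if user:
        return (f'<html><div id="wpadminbar">Logged in as {user} | Edit post</div>'
                "<p>Post body</p></html>")
    return "<html><p>Post body</p></html>"


class PageCache:
    """Caches rendered HTML keyed only by request path (constructed example)."""

    def __init__(self, skip_logged_in_users: bool):
        # Mirrors the "Don't cache pages for logged in users" option: True is the safe default.
        self.skip_logged_in_users = skip_logged_in_users
        self.store: dict[str, str] = {}

    @staticmethod
    def is_logged_in(req: Request) -> bool:
        # WordPress marks authenticated sessions with a cookie whose name starts with
        # "wordpress_logged_in"; the constructed request uses that prefix.
        return any(name.startswith("wordpress_logged_in") for name in req.cookies)

    def handle(self, req: Request) -> str:
        if self.skip_logged_in_users and self.is_logged_in(req):
            # Safe path: render fresh, touch neither a lookup nor a store.
            return render(req)
        cached = self.store.get(req.path)
        if cached is not None:
            return cached
        html = render(req)
        self.store[req.path] = html  # whoever renders first decides what everyone sees
        return html


def simulate_visitor_view(skip_logged_in_users: bool) -> str:
    """Admin views a post first, then an anonymous visitor requests the same URL."""
    cache = PageCache(skip_logged_in_users)
    admin = Request("/hello-world/", {"wordpress_logged_in": "admin"})
    visitor = Request("/hello-world/")
    cache.handle(admin)
    return cache.handle(visitor)


def visitor_sees_admin_content(skip_logged_in_users: bool) -> bool:
    return "wpadminbar" in simulate_visitor_view(skip_logged_in_users)


def leaked_pages(cache: PageCache) -> list[str]:
    """Hypothetical audit helper: list cached paths whose HTML carries an authenticated render."""
    return [path for path, html in cache.store.items() if "wpadminbar" in html]


if __name__ == "__main__":
    for setting in (False, True):
        print(f"skip_logged_in_users={setting}: visitor sees admin content ->",
              visitor_sees_admin_content(setting))
```

    The audit helper is the kind of check worth running against a real cache directory after the option has been toggled: any stored page containing markup that only an authenticated session should produce has already been served to the public and should be purged.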

    Thread Starter arleuein

    (@arleuein)

    Ok, thanks for this explanation. Adding a warning message in the option label could be a good idea.

    Plugin Contributor Frederick Townes

    (@fredericktownes)

    If you have better wording than the existing caption please advise.

    Thread Starter arleuein

    (@arleuein)

    Users that have signed in to WordPress (e.g. administrators) will never view cached pages if enabled. Warning: disabling this may cause security issues (e.g. letting visitors be logged in with your account). Disable it only if you know what you are doing!

    If you are looking for a French translation, I can try to do it.

  • The topic ‘Big security threat’ is closed to new replies.