• Hi

    I wanted to inform you, Donncha of a security issue.

    I found this in my cache folder today: /cache/supercache/

    domain.com (normal)
    domain.com. (normal)
    https://www.google.com (whoops!)
    https://www.hackersite.com (oh oh!)

    As you can see some hackers can create folders in the supercache folder. Somehow. I don’t know how they do it, but it needs to be looked into. I believe this can be a security issue. I looked into the folder and downloaded the files, it was my site .. but if they somehow manage to establish a remote connection then it will cache the site and make it accessible. So, what I’d suggest is to add some checks that only subfolders for the domain can be created!

    Also, I wanted to inform you that I accessed your site recently and it was downloaded as a rar file. Maybe something you should look into.

    Anyway, keep up the great work.

    Thanks,
    Oliver

Viewing 2 replies - 1 through 2 (of 2 total)
  • Inposure

    (@liangzai)

    It is a DNS spoof and has nothing to do with Super Cache.

    Add the following to your .htaccess file to get rid of it:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Refuse (403) any request whose Host header is not exactly domain.com
    RewriteCond %{HTTP_HOST} !^domain\.com$
    RewriteRule .* - [F]
    </IfModule>

    Now Super Cache (Widget Cache and so on) will not be bothered, all that fake visitors will see is a 403 Forbidden page.

    If you use multisite, make sure you have NOBLOGREDIRECT set (google it).

    If you use www, make the following modification:

    RewriteCond %{HTTP_HOST} !^(www\.)?domain\.com$

    Plugin Author Donncha O Caoimh (a11n)

    (@donncha)

    Thanks Oliver. liangzai is right. There’s nothing to worry about. WordPress serves content for whatever site your server answers a request for. WP Super Cache simply caches it.

    The download the page problem is a very obscure problem. It’s actually documented in the readme.txt and happens once in a blue moon. I can’t reproduce it reliably.

  • The topic ‘[Plugin: WP Super Cache] Security Issues https://ocaoimh.ie/ access problems’ is closed to new replies.
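
To check whether a cache folder has already picked up directories for host names the server should not answer for, as in the listing at the top of this thread, the following audit can be run against the supercache directory. It is an added example, not code from the thread or from WP Super Cache; the function name `audit_supercache` is hypothetical, and the cache path and allowed host names are passed in by the caller.

```shell
#!/bin/sh
# Added example (not part of WP Super Cache): list the per-host directories
# in a supercache folder whose names are not on an allowlist of host names.
# Usage: audit_supercache CACHE_DIR HOST [HOST...]
# Prints one unexpected directory name per line.
# Returns 0 if all directories are expected, 1 if any are not, 2 on bad input.
audit_supercache() {
    cache_dir=$1
    shift
    if [ ! -d "$cache_dir" ]; then
        echo "not a directory: $cache_dir" >&2
        return 2
    fi
    found=0
    for path in "$cache_dir"/*/; do
        # If the glob matched nothing, $path is the literal pattern: skip it.
        if [ ! -d "$path" ]; then
            continue
        fi
        name=${path%/}
        name=${name##*/}
        # Host names are case-insensitive, and "domain.com." is the same host
        # written as a fully qualified name, so normalise both before comparing.
        norm=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        norm=${norm%.}
        ok=0
        for host in "$@"; do
            want=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
            if [ "$norm" = "$want" ]; then
                ok=1
                break
            fi
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s\n' "$name"
            found=1
        fi
    done
    return "$found"
}
```

Any name it prints is a cached copy that was created for a Host header outside the allowlist; once the rewrite rule above is in place those directories can be deleted and should not reappear.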