
SS-2014-001: Require ADMIN for ?flush=1&isDev=1

Flushing the various manifests (class, template, config) is performed through a GET parameter (flush=1). Since this action requires more server resources than normal requests, it can facilitate denial-of-service attacks. This action has been secured as part of SS-2013-001, but an edge case was missed when also using the isDev=1 GET parameter. It allows a live site to be placed in development mode for logged-in administrators. When used in combination with flush=1, the check for logged-in administrators was bypassed, which is now fixed.
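To make the check-ordering flaw concrete, the following is an added illustration (not SilverStripe's own code): it models a live site whose flush gate exempts development mode, while the isDev=1 parameter switches development mode on before the ADMIN session has been verified, so an anonymous request carrying both parameters is let through. The fixed variant only honours the request-driven toggle for a verified ADMIN. The request model and function names are assumptions made for this example.

```python
"""Model of the SS-2014-001 check-ordering flaw (illustrative, not project code)."""
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: query parameters plus session state."""
    get: dict = field(default_factory=dict)   # query-string parameters, e.g. {"flush": "1"}
    is_admin: bool = False                    # True when a logged-in ADMIN session exists


def is_dev_vulnerable(req: Request, configured_dev: bool) -> bool:
    # Assumed flaw: the GET parameter flips dev mode before ADMIN is checked.
    return configured_dev or req.get.get("isDev") == "1"


def is_dev_fixed(req: Request, configured_dev: bool) -> bool:
    # The request-driven toggle is only honoured for a verified ADMIN session.
    return configured_dev or (req.get.get("isDev") == "1" and req.is_admin)


def may_flush_vulnerable(req: Request, configured_dev: bool = False) -> bool:
    """Flush gate as modelled before the fix: dev mode exempts the ADMIN requirement."""
    if req.get.get("flush") != "1":
        return False
    if is_dev_vulnerable(req, configured_dev):
        return True            # reached by anyone sending flush=1&isDev=1 on a live site
    return req.is_admin        # SS-2013-001: live sites require ADMIN to flush


def may_flush_fixed(req: Request, configured_dev: bool = False) -> bool:
    """Flush gate after the fix: only configured or ADMIN-authorised dev mode exempts."""
    if req.get.get("flush") != "1":
        return False
    if is_dev_fixed(req, configured_dev):
        return True
    return req.is_admin


if __name__ == "__main__":
    anon = Request({"flush": "1", "isDev": "1"})       # constructed anonymous request
    print("vulnerable:", may_flush_vulnerable(anon))    # True  (bypass)
    print("fixed:     ", may_flush_fixed(anon))         # False (ADMIN still required)
```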

Download patch for 3.1 | Download patch for 3.0

Thanks to Stephen Shkardoon and Simon Welsh for reporting.

Severity:
Low
Identifier:
SS-2014-001
Versions Affected:
3.0.8, 3.1.2 and all earlier versions
Versions Fixed:
3.0.9, 3.1.3
Release Date:
2014-02-19