SS-2013-001: Require ADMIN for ?flush=1

Severity: Important (?)
Identifier: SS-2013-001
Versions Affected: 2.4, 3.0, 3.1
Versions Fixed: 2.4.11, 3.0.6, 3.1.0-rc1
Release Date: 2013-08-08

Flushing the various manifests (class, template, config) is performed through a GET parameter (flush=1). Since this action requires more server resources than normal requests, it can facilitate denial-of-service attacks.

To prevent this, main.php now checks and only allows the flush parameter in the following cases:

  • The environment is in "dev mode"
  • A user is logged in with ADMIN permissions
  • An error occurs during startup

This applies to both flush=1 and flush=all (technically, we only check for the existence of any parameter value), but only to web requests made through main.php. CLI requests, and any other requests that go through a custom startup script, will still process all flush requests as normal.
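
On a site still running an affected version, or one where requests reach a custom startup script, the access log shows which clients are sending flush requests. The following is an added example, not part of the original advisory or of SilverStripe's code: it counts requests whose query string carries a flush key, with any value or none, per client address. The "combined" log format, the sample lines and the threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Aug/2013:10:00:01 +0000] "GET /?flush=1 HTTP/1.1" 200 5120 "-" "curl/7.30"
203.0.113.5 - - [08/Aug/2013:10:00:02 +0000] "GET /about-us/?flush=all HTTP/1.1" 200 7301 "-" "curl/7.30"
203.0.113.5 - - [08/Aug/2013:10:00:03 +0000] "GET /contact/?flush HTTP/1.1" 200 6044 "-" "curl/7.30"
198.51.100.7 - - [08/Aug/2013:10:00:04 +0000] "GET /news/?page=2 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Aug/2013:10:00:05 +0000] "GET /search?q=flush%3D1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Aug/2013:10:00:06 +0000] "GET /?flush=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client address, then the request target from the quoted request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def flush_requests(log_text):
    """Return (ip, target) for each request whose query string has a 'flush' key.

    The advisory says the check is on the existence of the parameter, so the
    value is ignored and a bare '?flush' is counted too (keep_blank_values).
    Only the key is matched: 'flush=1' inside another parameter's value, such
    as a search term, is not a flush request.
    """
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the assumed format
        query = urlsplit(match.group("target")).query
        if "flush" in parse_qs(query, keep_blank_values=True):
            hits.append((match.group("ip"), match.group("target")))
    return hits


def clients_over_threshold(log_text, threshold=3):
    """Map client address -> flush request count, for clients at or above threshold."""
    counts = Counter(ip for ip, _ in flush_requests(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in clients_over_threshold(SAMPLE_LOG).items():
        print(f"{ip} sent {n} flush requests")
```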

Thanks to Christopher Tombleson for reporting.
