SS-2014-001: Require ADMIN for ?flush=1&isDev=1

Severity: Low (?)
Identifier: SS-2014-001
Versions Affected: 3.0.8, 3.1.2 and all earlier versions
Versions Fixed: 3.0.9, 3.1.3
Release Date: 2014-02-19

Flushing the various manifests (class, template, config) is performed through a GET parameter (flush=1). Since this action requires more server resources than a normal request, it can facilitate denial-of-service attacks. The action was secured as part of SS-2013-001, but an edge case was missed when the isDev=1 GET parameter is also used. isDev=1 allows a live site to be placed in development mode for logged-in administrators. When combined with flush=1, the check for logged-in administrators was bypassed; this is now fixed.
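The following is an added illustration of the authorization logic this advisory describes, written for this page and not taken from SilverStripe's code base. It models the pre-fix and post-fix decision for a flush request side by side; the function names, the `$envIsLive` / `$isAdmin` inputs and the constructed requests are all assumptions.

```php
<?php
// Added illustration for SS-2014-001; not SilverStripe's own code.
// Assumed inputs: $query = parsed GET parameters, $envIsLive = the configured
// environment is "live", $isAdmin = the current session holds ADMIN permission.

function wantsFlush(array $query): bool
{
    return !empty($query['flush']);
}

/**
 * Model of the pre-fix behaviour described in the advisory: ?isDev=1 was taken
 * at face value when deciding whether the request ran in dev mode, so a request
 * carrying both isDev=1 and flush=1 against a live site skipped the ADMIN check.
 * (Illustrative model of the described effect, not the original implementation.)
 */
function flushAllowedBefore(array $query, bool $envIsLive, bool $isAdmin): bool
{
    if (!wantsFlush($query)) {
        return false;
    }
    $devMode = !$envIsLive || !empty($query['isDev']); // isDev honoured unconditionally
    if ($devMode) {
        return true; // dev mode: no ADMIN check
    }
    return $isAdmin;
}

/** Fixed decision: a flush on a live environment requires ADMIN, whatever isDev says. */
function flushAllowedAfter(array $query, bool $envIsLive, bool $isAdmin): bool
{
    if (!wantsFlush($query)) {
        return false;
    }
    if (!$envIsLive) {
        return true; // genuine dev environment: behaviour unchanged
    }
    // isDev=1 may only switch a live site to dev mode for an administrator, so a
    // live-site flush is admin-only whether or not isDev is present in the query.
    return $isAdmin;
}

// Constructed requests against a live site (envIsLive = true).
$cases = [
    'anonymous, flush=1'          => [['flush' => '1'],               false],
    'anonymous, flush=1&isDev=1'  => [['flush' => '1', 'isDev' => '1'], false],
    'admin, flush=1&isDev=1'      => [['flush' => '1', 'isDev' => '1'], true],
];
foreach ($cases as $label => [$query, $isAdmin]) {
    printf("%-28s before: %-7s after: %s\n", $label,
        flushAllowedBefore($query, true, $isAdmin) ? 'allowed' : 'denied',
        flushAllowedAfter($query, true, $isAdmin) ? 'allowed' : 'denied');
}
```

The second constructed case is the edge case the advisory fixes: the pre-fix model grants an anonymous flush on a live site, the fixed check denies it while still permitting it for an administrator.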

Download patch for 3.1 | Download patch for 3.0

Thanks to Stephen Shkardoon and Simon Welsh for reporting.
