SS-2013-001: Require ADMIN for ?flush=1
- High (?)
- Versions Affected:
- 2.4, 3.0, 3.1
- Versions Fixed:
- Release Date:
Flushing the various manifests (class, template, config) is performed through a GET parameter (flush=1). Since this action requires more server resources than normal requests, it can facilitate denial-of-service attacks.
To prevent this, main.php now checks and only allows the flush parameter in the following cases:
- The environment is in "dev mode"
- A user is logged in with ADMIN permissions
- An error occurs during startup
This applies to both flush=1 and flush=all (technically we only check for the existence of any parameter value) but only through web requests made through main.php - CLI requests, or any other request that goes through a custom start up script will still process all flush requests as normal.
Thanks to Christopher Tombleson for reporting.