SS-2015-014: Vulnerability on "isDev", "isTest" and "flush" $_GET validation
- High (?)
- Versions Affected:
- 3.0.13 and below, 3.1.0 to 3.1.13-rc1
- Versions Fixed:
- 3.0.14, 3.1.13
- Release Date:
When a secure token parameter is provided to a SilverStripe site (such as isDev or flush) an empty token parameter can be provided in order to bypass normal authentication parameters.
For instance, http://www.mysite.com/?isDev=1&isDevtoken will force a site to dev mode. Alternatively, "flush" could also be used in succession to cause excessive load on a victim site and risk denial of service.
The fix in this case is to ensure that empty tokens fail the validation check.
Credit to Patrick Nelson (https://catchyour.com/) for reporting this issue.