SS-2015-014: Vulnerability on "isDev", "isTest" and "flush" $_GET validation
- High (?)
- Versions Affected:
- 3.0.13 and below, 3.1.0 to 3.1.13-rc1
- Versions Fixed:
- 3.0.14, 3.1.13
- Release Date:
When a secure token parameter is provided to a SilverStripe site (such as isDev or flush) an empty token parameter can be provided in order to bypass normal authentication parameters.
For instance, http://www.mysite.com/?isDev=1&isDevtoken will force a site to dev mode. Alternatively, "flush" could also be used in succession to cause excessive load on a victim site and risk denial of service.
The fix in this case is to ensure that empty tokens fail the validation check.
Download Fix for 3.0 or Download Fix for 3.1
Common Vulnerability Scoring System (CVSS) Information
Credit to Patrick Nelson (https://catchyour.com/) for reporting this issue.