SS-2013-001: Require ADMIN for ?flush=1

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: High (?)
Identifier:: SS-2013-001
Versions Affected:: 2.4, 3.0, 3.1
Versions Fixed:: 2.4.11,3.0.6,3.1.0-rc1
Release Date:: 2013-08-08

Flushing the various manifests (class, template, config) is performed through a GET parameter (flush=1). Since this action requires more server resources than normal requests, it can facilitate denial-of-service attacks.

To prevent this, main.php now checks and only allows the flush parameter in the following cases:

The environment is in "dev mode"
A user is logged in with ADMIN permissions
An error occurs during startup

This applies to both flush=1 and flush=all (technically we only check for the existence of any parameter value) but only through web requests made through main.php - CLI requests, or any other request that goes through a custom start up script will still process all flush requests as normal.

Thanks to Christopher Tombleson for reporting.