
SS-2013-001: Require ADMIN for ?flush=1

Severity: High
Identifier: SS-2013-001
Versions Affected: 2.4, 3.0, 3.1
Versions Fixed: 2.4.11, 3.0.6, 3.1.0-rc1
Release Date: 2013-08-08

Flushing the various manifests (class, template, config) is performed through a GET parameter (flush=1). Since this action requires more server resources than normal requests, it can facilitate denial-of-service attacks.

To prevent this, main.php now checks and only allows the flush parameter in the following cases:

This applies to both flush=1 and flush=all (technically we only check for the existence of the parameter, whatever its value), but only for web requests made through main.php. CLI requests, or any other request that goes through a custom startup script, will still process all flush requests as normal.
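The gating pattern the advisory describes, as an added illustration rather than SilverStripe's own patch: a flush request is recognised by the mere presence of the parameter, CLI requests keep their normal behaviour, and web requests need an ADMIN session. The `$isCli` and `$isAdmin` inputs are assumptions supplied by the caller here, standing in for the framework's runtime and session checks.

```php
<?php
// Added example, not SilverStripe's own code: gate the costly manifest flush
// behind an authorisation check so an anonymous GET cannot trigger it.

// Mirrors "we only check for the existence of the parameter": flush=1,
// flush=all and an empty flush= are all treated as a flush request.
function flushRequested(array $query): bool
{
    return array_key_exists('flush', $query);
}

// $isCli and $isAdmin are assumed inputs; a framework would derive them from
// the SAPI in use and the logged-in member's permissions respectively.
function flushAllowed(array $query, bool $isCli, bool $isAdmin): bool
{
    if (!flushRequested($query)) {
        return false;
    }
    // CLI requests are unaffected, as the advisory notes; web requests need ADMIN.
    return $isCli || $isAdmin;
}

// Drop the parameter from a web request that may not flush, so the rest of the
// request is served normally without the expensive manifest rebuild.
function sanitiseQuery(array $query, bool $isCli, bool $isAdmin): array
{
    if (flushRequested($query) && !flushAllowed($query, $isCli, $isAdmin)) {
        unset($query['flush']);
    }
    return $query;
}

// Constructed sample requests covering the cases the advisory mentions.
$cases = [
    ['query' => ['flush' => '1'],   'cli' => false, 'admin' => false], // anonymous web: ignored
    ['query' => ['flush' => 'all'], 'cli' => false, 'admin' => true],  // admin web: honoured
    ['query' => ['flush' => ''],    'cli' => true,  'admin' => false], // CLI: honoured
    ['query' => ['page' => '2'],    'cli' => false, 'admin' => false], // no flush parameter
];
foreach ($cases as $c) {
    $label = http_build_query($c['query']) ?: '(no query)';
    $kept  = sanitiseQuery($c['query'], $c['cli'], $c['admin']);
    printf("%-12s cli=%d admin=%d -> flush %s, served query: %s\n",
        $label, $c['cli'], $c['admin'],
        flushAllowed($c['query'], $c['cli'], $c['admin']) ? 'honoured' : 'ignored',
        http_build_query($kept) ?: '(none)');
}
```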

Thanks to Christopher Tombleson for reporting.