SS-2014-001: Require ADMIN for ?flush=1&isDev=1
- Severity: Low (?)
- Identifier: SS-2014-001
- Versions Affected: 3.0.8, 3.1.2 and all earlier versions
- Versions Fixed: 3.0.9, 3.1.3
- Release Date: 2014-02-19
Flushing the various manifests (class, template, config) is performed through a GET parameter (flush=1). Since this action requires more server resources than normal requests, it can facilitate denial-of-service attacks. This action was secured as part of SS-2013-001, but an edge case was missed when the isDev=1 GET parameter is also used. The isDev=1 parameter allows logged-in administrators to place a live site in development mode. When it was used in combination with flush=1, the check for logged-in administrators was bypassed; this is now fixed.
Download patch for 3.1 | Download patch for 3.0
Thanks to Stephen Shkardoon and Simon Welsh for reporting.
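To review whether a site was hit with the flush=1 and isDev=1 combination described above, the following added example (not part of the advisory or of SilverStripe) counts such requests per client in a web access log. It assumes common log format, treats the mere presence of a parameter as a match regardless of its value, and uses constructed sample lines; the function names are hypothetical. Access logs do not record whether the requester was a logged-in administrator, so hits are candidates for review.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Feb/2014:10:00:01 +0000] "GET /?flush=1&isDev=1 HTTP/1.1" 200 5120
198.51.100.7 - - [19/Feb/2014:10:00:02 +0000] "GET /about-us/?isDev=1&flush=1 HTTP/1.1" 200 4870
198.51.100.7 - - [19/Feb/2014:10:00:03 +0000] "GET /%3Fflush=1 HTTP/1.1" 404 310
203.0.113.9 - - [19/Feb/2014:10:00:04 +0000] "GET /news/?flush=1 HTTP/1.1" 302 0
203.0.113.9 - - [19/Feb/2014:10:00:05 +0000] "GET /search?q=isDev%3D1%26flush%3D1 HTTP/1.1" 200 900
192.0.2.44 - - [19/Feb/2014:10:00:06 +0000] "GET /home/?a=b&fl%75sh=1&isDev=1 HTTP/1.1" 200 5100
"""

# client IP, then the request line: method, target, protocol
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def classify(target):
    """Return 'flush+isDev', 'flush' or None for one request target.

    The query string is parsed rather than substring-matched, so that
    parameter order and percent-encoded names (fl%75sh) are handled and
    text inside other parameters' values or in the path is not counted.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "flush" not in params:
        return None
    return "flush+isDev" if "isDev" in params else "flush"


def scan(log_text):
    """Count flagged requests per (client IP, kind)."""
    hits = Counter()
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # skip lines that are not in the assumed format
        ip, _method, target = match.groups()
        kind = classify(target)
        if kind:
            hits[(ip, kind)] += 1
    return hits


if __name__ == "__main__":
    for (ip, kind), count in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip}\t{kind}\t{count}")
```

A high count for one client in a short window is the pattern to look at, since each flush costs more server resources than a normal request.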