SS-2015-014: Vulnerability on "isDev", "isTest" and "flush" $_GET validation
- Severity: High
- Identifier: SS-2015-014
- Versions Affected: 3.0.13 and below, 3.1.0 to 3.1.13-rc1
- Versions Fixed: 3.0.14, 3.1.13
- Release Date: 2015-05-28
When a token-protected parameter (such as isDev or flush) is passed to a SilverStripe site, an empty token parameter can be supplied with it to bypass the normal authentication checks.
For instance, http://www.mysite.com/?isDev=1&isDevtoken will force a site into dev mode. Alternatively, "flush" could be requested repeatedly in succession to cause excessive load on a victim site, risking denial of service.
The fix in this case is to ensure that empty tokens fail the validation check.
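The check described above, sketched as an added example (this is not SilverStripe's code or the released patch): a token check that fails open on an empty token, next to a hardened one that rejects it. The function names, the in-memory token store and the sample token are assumptions made for illustration; the `flushtoken` parameter name follows the `isDevtoken` pattern in the URL above.

```php
<?php
// Added illustration, NOT SilverStripe's implementation. All names are hypothetical.

/** Constructed token store: the token issued for a parameter, or '' if none. */
function issued_token(array $store, string $param): string
{
    return $store[$param] ?? '';    // no token issued yet -> empty string
}

/** Weak check: an empty supplied token matches the "nothing issued" value. */
function token_ok_weak(array $query, array $store, string $param): bool
{
    $supplied = $query[$param . 'token'] ?? null;
    if ($supplied === null) {
        return false;               // token parameter absent: rejected
    }
    return $supplied == issued_token($store, $param);   // '' == '' passes
}

/** Hardened check: empty or non-string tokens fail before any comparison. */
function token_ok_hardened(array $query, array $store, string $param): bool
{
    $supplied = $query[$param . 'token'] ?? null;
    if (!is_string($supplied) || $supplied === '') {
        return false;               // covers "?isDevtoken" and "?flushtoken[]=x"
    }
    $expected = issued_token($store, $param);
    if ($expected === '') {
        return false;               // nothing was issued, so nothing can match
    }
    return hash_equals($expected, $supplied);            // constant-time compare
}

// Constructed inputs: the query string from the advisory plus comparison cases.
$store = ['flush' => 'f3a9c1d27b'];                      // constructed sample token
$cases = [
    'isDev, empty token'   => ['isDev', 'isDev=1&isDevtoken'],
    'flush, empty token'   => ['flush', 'flush=1&flushtoken='],
    'flush, array token'   => ['flush', 'flush=1&flushtoken[]=x'],
    'flush, correct token' => ['flush', 'flush=1&flushtoken=f3a9c1d27b'],
];
foreach ($cases as $label => [$param, $qs]) {
    parse_str($qs, $query);         // mirrors how PHP fills $_GET
    printf("%-22s weak=%s hardened=%s\n", $label,
        var_export(token_ok_weak($query, $store, $param), true),
        var_export(token_ok_hardened($query, $store, $param), true));
}
```

The first case is the one that matters as a regression test: the weak check accepts the advisory's query string, while the hardened check rejects it and still accepts the correctly issued token.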
Download Fix for 3.0 or Download Fix for 3.1
Credit to Patrick Nelson (https://catchyour.com/) for reporting this issue.