This document contains information for an outdated version and may not be maintained any more. If some of your projects still use this version, consider upgrading as soon as possible.
- Security: Require ADMIN for
?flush=1(stop denial of service attacks) (#1692)
- Security: SQL injection in Versioned.php
Security: Require ADMIN for ?flush=1 and ?flush=all
Flushing the various manifests (class, template, config) is performed through a GET
flush=1). Since this action requires more server resources than normal requests,
it can facilitate denial-of-service attacks.
To prevent this, main.php now checks and only allows the flush parameter in the following cases:
- The environment is in "dev mode"
- A user is logged in with ADMIN permissions
- An error occurs during startup
This applies to both
flush=allbut only through web requests made through main.php - CLI requests,
or any other request that goes through a custom start up script will still process all flush requests as normal.
Thanks to Christopher Tombleson for reporting.
Security: SQL injection in Versioned.php
archiveDate parameter wasn't correctly escaping user input through URL parameters (download patch)
Thanks to Dean Jerkovich of NCC Group for reporting.
- 2013-08-05 [15406dd] Constants magic_quotes needs function from Core (Hamish Friedlander)
- 2013-08-05 [60a95cb] Token redirect where in IIS a / needs adding between host & url (Hamish Friedlander)
- 2013-08-01 [2f9689b] Flush on memory exhaustion and headers sent (Hamish Friedlander)
- 2013-07-30 [a150989] Fixed escaping of date in view of archived site. (Sam Minnee)
- 2013-07-24 [5212ab0] Nice errors and allows flush on module removal (Hamish Friedlander)
- 2013-07-22 [09db9a6] Only suppress fatal errors (Hamish Friedlander)
- 2013-07-19 [e782648] Fixed TempPath inclusion for phpunit & cli-script (Sam Minnee)
- 2013-07-19 [296b131] Actually use argument in getTempFolder (Hamish Friedlander)
- 2013-07-19 [ec8c4b8] Ignore invalid tokens instead of throwing 403 (Hamish Friedlander)
- 2013-07-19 [d42d8d0] Have ParameterConfirmationToken includes work regardless of include path (Hamish Friedlander)
- 2013-07-19  Prevent DOS by checking for env and admin on ?flush=1 (#1692) (Hamish Friedlander)
- 2013-03-20 [143317c] SQL Injection in CsvBulkLoader (fixes #6227) (Stephen Shkardoon)
- 2013-02-26 [a8a10f8] Transaction stub methods for better cross 2.x and 3.x compat (Ingo Schommer)