
This document contains information for an outdated version (2.4) and may not be maintained any more.

If some of your projects still use this version, consider upgrading as soon as possible.

2.4.11 (2013-08-08)

Overview

  • Security: Require ADMIN for ?flush=1 (stop denial of service attacks) (#1692)
  • Security: SQL injection in Versioned.php

Details

Security: Require ADMIN for ?flush=1 and ?flush=all

Flushing the various manifests (class, template, config) is triggered by a GET parameter (flush=1). Because rebuilding the manifests costs far more server resources than serving a normal request, anyone able to send that parameter repeatedly can use it to mount a denial-of-service attack.

To prevent this, main.php now checks the request and only honours the flush parameter in the following cases:

  • The environment is in "dev mode"
  • A user is logged in with ADMIN permissions
  • An error occurs during startup

This applies to both flush=1 and flush=all, but only to web requests that go through main.php. CLI requests, and any other request that goes through a custom start-up script, will still process all flush requests as before.

Thanks to Christopher Tombleson for reporting.
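The gate described above, as an added example in plain PHP 8. This is not SilverStripe's own main.php: the RequestContext class and flushAllowed() are hypothetical names, and the three conditions are modelled as booleans (in a real project they would come from Director::isDev(), Permission::check('ADMIN') and the bootstrap error state). It also models the caveat that CLI requests are not gated.

```php
<?php
// Added example, not SilverStripe's own main.php: models the gate that 2.4.11
// puts in front of ?flush=1 / ?flush=all on web requests, and the CLI exception.
// RequestContext and flushAllowed() are hypothetical names for this example.

final class RequestContext
{
    public function __construct(
        public array $get,          // query-string parameters, e.g. $_GET
        public bool $isDev,         // Director::isDev() in SilverStripe terms
        public bool $isAdmin,       // Permission::check('ADMIN') for the logged-in member
        public bool $startupError,  // an error occurred while bootstrapping
        public string $sapi         // php_sapi_name(): 'cli' or a web SAPI name
    ) {}
}

// Returns true when the request's flush parameter should be honoured.
// A false result means the request is served normally without rebuilding
// any manifest (assumption: the parameter is simply ignored, not rejected).
function flushAllowed(RequestContext $ctx): bool
{
    $flush = $ctx->get['flush'] ?? null;
    if ($flush === null || $flush === '') {
        return false;               // nothing asked for
    }

    // The gate only exists in main.php. cli-script.php and custom start-up
    // scripts never pass through it, so a CLI request still flushes as before.
    if ($ctx->sapi === 'cli') {
        return true;
    }

    // Web request: any one of the three conditions is enough. Note that the
    // value of the parameter (1 or all) plays no part in the decision.
    return $ctx->isDev || $ctx->isAdmin || $ctx->startupError;
}

// Constructed scenarios covering each branch of the decision.
$cases = [
    'anonymous, live mode, ?flush=1'      => new RequestContext(['flush' => '1'],   false, false, false, 'apache2handler'),
    'anonymous, live mode, ?flush=all'    => new RequestContext(['flush' => 'all'], false, false, false, 'apache2handler'),
    'ADMIN member, live mode, ?flush=all' => new RequestContext(['flush' => 'all'], false, true,  false, 'apache2handler'),
    'anonymous, dev mode, ?flush=1'       => new RequestContext(['flush' => '1'],   true,  false, false, 'apache2handler'),
    'anonymous, live mode, startup error' => new RequestContext(['flush' => '1'],   false, false, true,  'apache2handler'),
    'cli-script.php flush=1'              => new RequestContext(['flush' => '1'],   false, false, false, 'cli'),
    'ADMIN member, no flush parameter'    => new RequestContext([],                 false, true,  false, 'apache2handler'),
];

foreach ($cases as $label => $ctx) {
    printf("%-40s %s\n", $label, flushAllowed($ctx) ? 'flush' : 'ignore');
}
```

The practical check after upgrading is the first two scenarios: an anonymous request to a live-mode site with ?flush=1 or ?flush=all must no longer cause the manifests to be rebuilt, while a logged-in ADMIN still gets a flush.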

Security: SQL injection in Versioned.php

The archiveDate URL parameter was not correctly escaped before being used in a SQL query, allowing SQL injection through user-supplied input (download patch).

Thanks to Dean Jerkovich of NCC Group for reporting.
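The shape of the bug beside a hardened version, as an added example. This is not the code from Versioned.php: the query text, the buildArchiveCondition*() names and the sqlEscape() stand-in are hypothetical. In a real SilverStripe 2.4 project the escaping step would be Convert::raw2sql(); the point of the example is that a date parameter should be validated against a strict format first, so that escaping is only a second line of defence.

```php
<?php
// Added example, not the code from Versioned.php: user input interpolated into
// SQL (the bug class) beside a validate-then-escape version. Query text, function
// names and sqlEscape() are hypothetical; use Convert::raw2sql() in SilverStripe.

// Minimal stand-in for Convert::raw2sql(): escapes the two characters that
// terminate or escape a single-quoted MySQL string literal.
function sqlEscape(string $value): string
{
    return str_replace(['\\', "'"], ['\\\\', "\\'"], $value);
}

// Vulnerable: the raw archiveDate parameter is dropped straight into the SQL.
// A value such as  2013-08-01' OR '1'='1  closes the literal and appends its
// own condition, turning the archive filter into one that matches every row.
function buildArchiveConditionVulnerable(array $get): string
{
    $date = $get['archiveDate'];
    return "\"SiteTree_versions\".\"LastEdited\" <= '$date'";
}

// Hardened: accept only a real calendar date or timestamp, then escape.
// Returns null for anything else so the caller can refuse the request
// instead of guessing at what the attacker meant.
function buildArchiveConditionSafe(array $get): ?string
{
    $date = $get['archiveDate'] ?? '';

    $valid = false;
    foreach (['Y-m-d H:i:s', 'Y-m-d'] as $format) {
        // '!' resets unspecified fields so the round-trip comparison below is exact;
        // the round trip also rejects impossible dates such as 2013-02-30, which
        // createFromFormat() would otherwise silently roll over into March.
        $parsed = DateTime::createFromFormat('!' . $format, $date);
        if ($parsed !== false && $parsed->format($format) === $date) {
            $valid = true;
            break;
        }
    }
    if (!$valid) {
        return null;
    }

    // Escaping is now belt and braces: a value that passed the check above
    // cannot contain a quote or a backslash, but the query builder should not
    // have to rely on that.
    return "\"SiteTree_versions\".\"LastEdited\" <= '" . sqlEscape($date) . "'";
}

// Constructed inputs: a benign timestamp and an injection payload.
$benign  = ['archiveDate' => '2013-08-01 12:00:00'];
$payload = ['archiveDate' => "2013-08-01' OR '1'='1"];

echo "vulnerable, benign:  ", buildArchiveConditionVulnerable($benign), "\n";
echo "vulnerable, payload: ", buildArchiveConditionVulnerable($payload), "\n";
echo "safe, benign:        ", buildArchiveConditionSafe($benign), "\n";
echo "safe, payload:       ", var_export(buildArchiveConditionSafe($payload), true), "\n";
echo "safe, bad calendar:  ", var_export(buildArchiveConditionSafe(['archiveDate' => '2013-02-30']), true), "\n";
```

Running the script prints the four query fragments: the payload survives intact in the vulnerable fragment, while the hardened builder returns null for both the payload and the impossible date and only emits SQL for the well-formed timestamp.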

Changelog

Bugfixes

  • 2013-08-05 [15406dd] Constants magic_quotes needs function from Core (Hamish Friedlander)
  • 2013-08-05 [60a95cb] Token redirect where in IIS a / needs adding between host & url (Hamish Friedlander)
  • 2013-08-01 [2f9689b] Flush on memory exhaustion and headers sent (Hamish Friedlander)
  • 2013-07-30 [a150989] Fixed escaping of date in view of archived site. (Sam Minnee)
  • 2013-07-24 [5212ab0] Nice errors and allows flush on module removal (Hamish Friedlander)
  • 2013-07-22 [09db9a6] Only suppress fatal errors (Hamish Friedlander)
  • 2013-07-19 [e782648] Fixed TempPath inclusion for phpunit & cli-script (Sam Minnee)
  • 2013-07-19 [296b131] Actually use argument in getTempFolder (Hamish Friedlander)
  • 2013-07-19 [ec8c4b8] Ignore invalid tokens instead of throwing 403 (Hamish Friedlander)
  • 2013-07-19 [d42d8d0] Have ParameterConfirmationToken includes work regardless of include path (Hamish Friedlander)
  • 2013-07-19 [8990788] Prevent DOS by checking for env and admin on ?flush=1 (#1692) (Hamish Friedlander)
  • 2013-03-20 [143317c] SQL Injection in CsvBulkLoader (fixes #6227) (Stephen Shkardoon)
  • 2013-02-26 [a8a10f8] Transaction stub methods for better cross 2.x and 3.x compat (Ingo Schommer)
