# 2.4.11 (2013-08-08) ## Overview * Security: Require ADMIN for `?flush=1` (stop denial of service attacks) ([#1692](https://github.com/silverstripe/silverstripe-framework/issues/1692)) * Security: SQL injection in Versioned.php ## Details ### Security: Require ADMIN for ?flush=1 and ?flush=all Flushing the various manifests (class, template, config) is performed through a GET parameter (`flush=1`). Since this action requires more server resources than normal requests, it can facilitate [denial-of-service attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack). To prevent this, main.php now checks and only allows the flush parameter in the following cases: * The [environment](/topics/environment-management) is in "dev mode" * A user is logged in with ADMIN permissions * An error occurs during startup This applies to both `flush=1` and `flush=all`but only through web requests made through main.php - CLI requests, or any other request that goes through a custom start up script will still process all flush requests as normal. Thanks to Christopher Tombleson for reporting. ### Security: SQL injection in Versioned.php The `archiveDate` parameter wasn't correctly escaping user input through URL parameters ([download patch](https://github.com/silverstripe/silverstripe-framework/commit/a150989e6fb8b0ad41d9ad2af54948de33c721f0.patch)) Thanks to Dean Jerkovich of NCC Group for reporting. ## Changelog ### Bugfixes * 2013-08-05 [15406dd] Constants magic_quotes needs function from Core (Hamish Friedlander) * 2013-08-05 [60a95cb] Token redirect where in IIS a / needs adding between host & url (Hamish Friedlander) * 2013-08-01 [2f9689b] Flush on memory exhaustion and headers sent (Hamish Friedlander) * 2013-07-30 [a150989] Fixed escaping of date in view of archived site. (Sam Minnee) * 2013-07-24 [5212ab0] Nice errors and allows flush on module removal (Hamish Friedlander) * 2013-07-22 [09db9a6] Only suppress fatal errors (Hamish Friedlander) * 2013-07-19 [e782648] Fixed TempPath inclusion for phpunit & cli-script (Sam Minnee) * 2013-07-19 [296b131] Actually use argument in getTempFolder (Hamish Friedlander) * 2013-07-19 [ec8c4b8] Ignore invalid tokens instead of throwing 403 (Hamish Friedlander) * 2013-07-19 [d42d8d0] Have ParameterConfirmationToken includes work regardless of include path (Hamish Friedlander) * 2013-07-19 [8990788] Prevent DOS by checking for env and admin on ?flush=1 (#1692) (Hamish Friedlander) * 2013-03-20 [143317c] SQL Injection in CsvBulkLoader (fixes #6227) (Stephen Shkardoon) * 2013-02-26 [a8a10f8] Transaction stub methods for better cross 2.x and 3.x compat (Ingo Schommer)