mirror of https://github.com/silverstripe/silverstripe-framework (synced 2024-10-22 14:05:37 +02:00)
2.4.11 (Not yet released)
Overview
- Security: Require ADMIN for ?flush=1 (stop denial of service attacks) (#1692)
Details
Security: Require ADMIN for ?flush=1 and ?flush=all
Flushing the various manifests (class, template, config) is triggered through a GET parameter (flush=1). Because rebuilding these manifests costs far more server resources than a normal request, an unauthenticated client could repeat the request to mount a denial-of-service attack.
To prevent this, main.php now checks and only allows the flush parameter in the following cases:
- The environment is in "dev mode"
- A user is logged in with ADMIN permissions
- An error occurs during startup
This applies to both flush=1 and flush=all, but only to web requests that go through main.php. CLI requests, and any request that goes through a custom startup script, still process all flush requests as before.
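The following is an added example, not code from the SilverStripe project's own main.php: a standalone model of the gate described above, written so the three allowed cases and the CLI caveat can be exercised side by side. The class and function names (RequestContext, allowedFlushMode, sanitiseQuery) are hypothetical; the comments note which real SilverStripe calls each flag would be derived from in a live install.

```php
<?php
declare(strict_types=1);

// Added example (not the SilverStripe project's own main.php): a standalone
// model of the flush gate described in the changelog. Class and function
// names are hypothetical; comments note the real SilverStripe calls each
// flag would come from.

final class RequestContext
{
    public bool $isDevMode;     // would come from Director::isDev()
    public bool $isAdmin;       // would come from Permission::check('ADMIN')
    public bool $startupError;  // set when bootstrap failed before the gate ran
    public bool $isCli;         // php_sapi_name() === 'cli'

    public function __construct(bool $isDevMode, bool $isAdmin, bool $startupError, bool $isCli)
    {
        $this->isDevMode = $isDevMode;
        $this->isAdmin = $isAdmin;
        $this->startupError = $startupError;
        $this->isCli = $isCli;
    }
}

/**
 * Return the flush mode a request is entitled to ('1' or 'all'), or null when
 * the parameter is absent or the request may not trigger a rebuild.
 *
 * The gate applies to web requests only. A CLI run, or a custom bootstrap
 * that never passes through main.php, keeps honouring the parameter, exactly
 * as the changelog warns.
 */
function allowedFlushMode(array $query, RequestContext $ctx): ?string
{
    if (!array_key_exists('flush', $query)) {
        return null;
    }
    // Anything other than "all" is treated as flush=1 (the cheaper rebuild).
    $mode = ($query['flush'] === 'all') ? 'all' : '1';

    if ($ctx->isCli) {
        return $mode;
    }
    if ($ctx->isDevMode || $ctx->isAdmin || $ctx->startupError) {
        return $mode;
    }
    return null;
}

/**
 * Front-controller step: drop a flush parameter the caller may not use, so
 * the rest of the request is served from the cached manifests. Answering
 * with a login challenge or a 403 instead would be an equally valid design;
 * silently ignoring the parameter is this example's choice, not necessarily
 * the project's.
 */
function sanitiseQuery(array $query, RequestContext $ctx): array
{
    if (isset($query['flush']) && allowedFlushMode($query, $ctx) === null) {
        unset($query['flush']);
    }
    return $query;
}

// Constructed sample requests, not real traffic.
$anonymousWeb = new RequestContext(false, false, false, false);
$adminWeb     = new RequestContext(false, true,  false, false);
$devWeb       = new RequestContext(true,  false, false, false);
$brokenBoot   = new RequestContext(false, false, true,  false);
$cliRun       = new RequestContext(false, false, false, true);

$cases = [
    ['anonymous, ?flush=1',      ['flush' => '1'],   $anonymousWeb],
    ['anonymous, ?flush=all',    ['flush' => 'all'], $anonymousWeb],
    ['admin, ?flush=1',          ['flush' => '1'],   $adminWeb],
    ['dev mode, ?flush=all',     ['flush' => 'all'], $devWeb],
    ['startup error, ?flush=1',  ['flush' => '1'],   $brokenBoot],
    ['CLI, flush=all',           ['flush' => 'all'], $cliRun],
    ['anonymous, no flush',      ['url' => '/'],     $anonymousWeb],
];

foreach ($cases as [$label, $query, $ctx]) {
    $mode = allowedFlushMode($query, $ctx);
    $kept = array_key_exists('flush', sanitiseQuery($query, $ctx)) ? 'kept' : 'stripped';
    printf("%-26s -> %s (parameter %s)\n", $label, $mode === null ? 'no flush' : "flush {$mode}", $kept);
}
```

Only the two anonymous web requests come out as "no flush": the admin, dev-mode and startup-error requests rebuild as requested, and the CLI case is honoured regardless of context, which is the behaviour the changelog describes for requests that bypass main.php. When auditing a deployment, the practical check is therefore not only that main.php carries the gate but that no other publicly reachable entry point passes ?flush through unguarded.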