Linking to older security issue in change log

Mainly for consistency with the newer format
1 parent 05757ef commit 8b5c8eab72571a656166b4ba14e1096948fd1a9d @chillu chillu committed Aug 30, 2013
Showing with 1 addition and 13 deletions.
  1. +1 −13 docs/en/changelogs/
@@ -9,19 +9,7 @@
### Security: Require ADMIN for ?flush=1 (SS-2013-001)
-Flushing the various manifests (class, template, config) is performed through a GET
-parameter (`flush=1`). Since this action requires more server resources than normal requests,
-it can facilitate [denial-of-service attacks](
-To prevent this, main.php now checks and only allows the flush parameter in the following cases:
- * The [environment](/topics/environment-management) is in "dev mode"
- * A user is logged in with ADMIN permissions
- * An error occurs during startup
-This applies to both `flush=1` and `flush=all` (technically we only check for the existence of any parameter value)
-but only through web requests made through main.php - CLI requests, or any other request that goes through
-a custom start up script will still process all flush requests as normal.
+See [announcement](
### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)
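
Review bot: The removed lines under the SS-2013-001 heading were the only in-repo statement of the fix's scope, in particular that the check applies only to web requests made through main.php and that CLI requests or custom start-up scripts still process flush requests as normal. With only the `See [announcement](` line left, a reader of the changelog must follow an external link to learn where the protection does not apply. Consider keeping a one-sentence summary next to the link, covering at least the three cases in which the flush parameter is allowed (dev mode, logged-in ADMIN, startup error) and the main.php-only caveat, so the entry stays meaningful if the announcement URL moves.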
