Using Authcache along with boost in drupal 6.25, I received reports from users claiming that others users could have sneak into their account and sent messages (using messaging module) on their part.
It may worth mentioning that I had not added 'messages/*' to the boost's blacklist.
If it is true it means a major volnurability. So I have disabled the module and wait to hear your expert opinion about this.

Comments

marko3’s picture

Sorry, forgot to mention that at the time of the occurance the 'Authcache module' was also enabled for all rules.

Jonah Ellison’s picture

Were you caching the messages/* path with Authcache? If a path contains personalized or user-sensitive data, then it shouldn't be cached. It's possible people were just changing the id in the URL to access cached pages.

marko3’s picture

I did not do anything specific about messages/* in relation to Authcache. Something that I NOT did, was to not excluse messages/* in Boost, along with user/* etc.

simg’s picture

Status: Active » Closed (fixed)