Works with Drupal: 7.x
Release notes
This is a security release; upgrading to the latest version is recommended. SA-CONTRIB-2013-063 - Authenticated User Page Caching (Authcache) - Information Disclosure
In Drupal the administrative user with uid=1 is not subject to any access restrictions, much like the root account on *NIX systems. That is why, in the 6.x branch of authcache, caching for this user was disabled in code. During the 7.x-1.x port this check was removed in order to simplify development and configuration when logged in as the admin user. However, this may render a site vulnerable to information disclosure when all of the following conditions are met:
- Authcache is enabled for all roles.
- Besides the super user (uid=1) there is at least one additional account with all roles enabled.
- There is an active authcache page rule-set applying to all roles.
- There is a page allowed by this page rule-set where content is present which is exclusively intended for the super user.
Admittedly this scenario is not too likely. Nevertheless I think the issue is worth fixing. Therefore this release extends the key-generation method in order to make sure that a unique key is generated for the super user (uid=1).
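The collision and the fix, as an added PHP sketch that is not the authcache module's own code: the role ids, the accounts and the function names are assumptions, and the key derivation is simplified to the role set so the uid=1 case stands out.

```php
<?php
// Added illustration, not authcache's own code: a simplified role-based
// cache-key scheme and the uid=1 collision described in the release note.
// Role ids, role names and account data below are constructed.

$all_roles = [2 => 'authenticated user', 3 => 'editor', 4 => 'administrator'];

$accounts = [
    'root'  => ['uid' => 1,  'roles' => $all_roles],
    'alice' => ['uid' => 42, 'roles' => $all_roles],
    'bob'   => ['uid' => 43, 'roles' => [2 => 'authenticated user', 3 => 'editor']],
];

// Pre-fix: the key is derived from the role set only, so any two accounts
// holding the same roles share one cached copy of a page.
function cache_key_roles_only(array $account): string {
    $rids = array_keys($account['roles']);
    sort($rids);
    return hash('sha256', implode(',', $rids));
}

// Post-fix: uid=1 gets its own key, since Drupal bypasses every access
// check for that account and its pages may carry content nobody else
// is meant to see, even an account holding every role.
function cache_key_with_superuser(array $account): string {
    $rids = array_keys($account['roles']);
    sort($rids);
    $material = implode(',', $rids);
    if ((int) $account['uid'] === 1) {
        $material = 'uid:1|' . $material;
    }
    return hash('sha256', $material);
}

// Site check: does any account other than uid=1 hold every role? That is
// the precondition under which the pre-fix scheme leaks.
function accounts_sharing_superuser_roles(array $accounts, array $all_roles): array {
    $hits = [];
    foreach ($accounts as $name => $account) {
        if ((int) $account['uid'] !== 1 && !array_diff_key($all_roles, $account['roles'])) {
            $hits[] = $name;
        }
    }
    return $hits;
}

foreach (['cache_key_roles_only', 'cache_key_with_superuser'] as $fn) {
    $same = $fn($accounts['root']) === $fn($accounts['alice']);
    printf("%s: root and alice %s a cache key\n", $fn, $same ? 'share' : 'do not share');
}
printf("Accounts with the full role set besides uid=1: %s\n",
    implode(', ', accounts_sharing_superuser_roles($accounts, $all_roles)) ?: 'none');
```

The last function is the check an operator can run against the real user table to see whether the second precondition (another account with all roles) holds on a site that has not yet upgraded.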