
Works with Drupal: 7.x


Downloads

authcache-7.x-1.5.tar.gz (41.01 KB)
MD5: 094bb36aac1f9d29be77e4fd26741836
SHA-1: b90ad7dcfc1b0a6e07ac802e48f399b785847b44
SHA-256: a0546e1b1b11c7cf71939fc7a7cd0e535d61cd5731a011912eb2f59619e945fb

authcache-7.x-1.5.zip (48.69 KB)
MD5: bc9c05cef7ca9dae50f0205b81f07b4d
SHA-1: 01e163001fe0086209342f1e80fe31a9f7397776
SHA-256: 622be550e0e5d09505a9a07c8a097fd568d28ca3d71fac00fbad2c774d04aad8

Release notes

This is a security release; upgrading to the latest version is recommended. Advisory: SA-CONTRIB-2013-063 - Authenticated User Page Caching (Authcache) - Information Disclosure

In Drupal the administrative user with uid=1 is not subject to any access restrictions, much like the root account on *NIX systems. For that reason, the 6.x branch of authcache disabled caching for this user in code. During the 7.x-1.x port this check was removed in order to simplify development and configuration when logged in as the admin user. However, because cached pages are shared between users whose cache key is the same, this may render a site vulnerable to information disclosure when all of the following conditions are met:

  1. Authcache is enabled for all roles.
  2. Besides the super user (uid=1) there is at least one additional account with all roles enabled.
  3. There is an active authcache page rule-set applying to all roles.
  4. There is a page allowed by this page rule-set where content is present which is exclusively intended for the super user.

Admittedly, this scenario is not too likely. Nevertheless, I think the issue is worth fixing. Therefore this release extends the key-generation method in order to make sure that a unique key is generated for the super user (uid=1).
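The following is an added illustration of the key collision described above, not the authcache module's own code: it models a role-based page cache in which uid=1 and a second all-roles account map to the same entry, and the corrected key that marks the super user separately. The role names, the page content and the key format are assumptions.

```python
import hashlib

# Constructed model of a role-based page cache key, not authcache's real code.
# Users, roles and the key format are all assumptions for illustration.
SUPERUSER_UID = 1
ALL_ROLES = {"authenticated user", "editor", "administrator"}

def cache_key_by_roles(uid, roles):
    """Vulnerable scheme: the key depends only on the sorted role set, so
    uid=1 and any other account holding the same roles share one entry."""
    return hashlib.sha256(",".join(sorted(roles)).encode()).hexdigest()[:16]

def cache_key_with_superuser(uid, roles):
    """Fixed scheme: a separate field marks uid=1, so no role set held by
    another account can reproduce the super user's key."""
    material = "su=%d|%s" % (1 if uid == SUPERUSER_UID else 0,
                             ",".join(sorted(roles)))
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def render_page(uid):
    """Assumed page that embeds content intended only for the super user."""
    body = "<h1>Dashboard</h1>"
    if uid == SUPERUSER_UID:
        body += "<div class='uid1-only'>site recovery token</div>"
    return body

def serve_with_cache(keyfunc, requests):
    """Serve (uid, roles) requests through one shared page cache and return
    the body each user actually received."""
    cache = {}
    served = []
    for uid, roles in requests:
        key = keyfunc(uid, roles)
        if key not in cache:          # first requester renders and primes the entry
            cache[key] = render_page(uid)
        served.append((uid, cache[key]))
    return served

def leaks_superuser_content(keyfunc):
    """True if a non-superuser with all roles receives the uid=1-only markup
    after uid=1 has primed the cache: the scenario of SA-CONTRIB-2013-063."""
    requests = [(SUPERUSER_UID, ALL_ROLES), (42, ALL_ROLES)]
    return any(uid != SUPERUSER_UID and "uid1-only" in body
               for uid, body in serve_with_cache(keyfunc, requests))

if __name__ == "__main__":
    print("role-only key leaks:", leaks_superuser_content(cache_key_by_roles))
    print("uid=1-aware key leaks:", leaks_superuser_content(cache_key_with_superuser))
```

Regular accounts with identical roles still share a cache entry under the fixed scheme, so the caching benefit for ordinary users is unchanged.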

Created by: znerol
Created on: 5 Aug 2013 at 18:23 UTC
Last updated: 7 Nov 2013 at 21:28 UTC
Security update
