Using Authcache along with Boost in Drupal 6.25, I received reports from users claiming that other users could have sneaked into their accounts and sent messages (using the Messaging module) on their behalf.
It may be worth mentioning that I had not added 'messages/*' to Boost's blacklist.
If it is true, it means a major vulnerability. So I have disabled the module and will wait to hear your expert opinion about this.
Comments
Comment #1
marko3 CreditAttribution: marko3 commented:
Sorry, forgot to mention that at the time of the occurrence the 'Authcache module' was also enabled for all rules.
Comment #2
Jonah Ellison CreditAttribution: Jonah Ellison commented:
Were you caching the messages/* path with Authcache? If a path contains personalized or user-sensitive data, then it shouldn't be cached. It's possible people were just changing the id in the URL to access cached pages.
Comment #3
marko3 CreditAttribution: marko3 commented:
I did not do anything specific about messages/* in relation to Authcache. Something that I did NOT do was exclude messages/* in Boost, along with user/* etc.
Comment #4
simg CreditAttribution: simg commented