Case-insensitive page cache enables DoS via cache poisoning

Created on 7 May 2023, almost 2 years ago

Originally reported to the Drupal security team by @torotil on 15 October 2020. Assuming it affects the latest version, this issue's version is set to D10.0.

---

Problem

While the page cache is case-insensitive, language prefixes are case-sensitive. This means /EN/node/1 might return a 404 even though /en/node/1 does not. Both will end up in the same bucket in the page cache, thus the result depends on which one ends up there first.

Steps to reproduce

  1. Set up a Drupal installation with the minimal profile.
  2. Enable the locale module and the blog module.
  3. Add an additional language (e.g. de), enable language negotiation via path prefixes.
  4. Enable the blog content-type to be multi-lingual.
  5. Enable the page cache. (Seems to be enabled by default)
  6. Create a node with the non-default language (e.g. /de/node/1)
  7. curl -i http://site/DE/node/1 → 404, cache is populated
  8. curl -i http://site/de/node/1 → 404 from the cache.

Possible exploit

With this knowledge an attacker might send properly timed requests (trying to populate the page cache whenever it is cleared) and thereby effectively “unpublishing” all non-default-language content of a site.
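The collision described under Problem and Steps to reproduce, as an added model that is not part of the original report and is not Drupal code: a case-sensitive router sits behind a page cache whose key function is swappable, so the order-dependent result can be checked and compared with a key that matches the router's notion of URL identity. The case-insensitive cache is modelled by lower-casing the key; `route`, `PageCache`, `replay`, `order_dependent` and the sample node are hypothetical names and constructed data.

```python
# Added illustration: a minimal model of the cache/router mismatch, not Drupal code.
# Assumption: the case-insensitive page cache is modelled by lower-casing the key.
# The prefixes, node table and all names below are hypothetical / constructed.

LANG_PREFIXES = {"en", "de"}                 # router matches prefixes case-sensitively
NODES = {("de", "node/1"): "Blogeintrag 1"}  # constructed sample content


def route(path):
    """Case-sensitive router: return (status, body) for a request path."""
    prefix, _, rest = path.lstrip("/").partition("/")
    if prefix in LANG_PREFIXES and (prefix, rest) in NODES:
        return 200, NODES[(prefix, rest)]
    return 404, "Not found"


class PageCache:
    """Page cache in front of route(); key_fn decides which URLs share an entry."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def get(self, path):
        key = self.key_fn(path)
        if key not in self.store:
            self.store[key] = route(path)    # first requester fills the bucket
        return self.store[key]


def replay(cache, paths):
    """Request paths in order against an empty cache; return the status codes."""
    cache.store.clear()
    return [cache.get(p)[0] for p in paths]


def order_dependent(cache, a, b):
    """Regression check: does the status served for b depend on a being cached first?"""
    return replay(cache, [a, b])[1] != replay(cache, [b, a])[0]


insensitive = PageCache(key_fn=str.lower)        # behaviour described in the report
sensitive = PageCache(key_fn=lambda path: path)  # cache key agrees with the router

if __name__ == "__main__":
    for name, cache in (("case-insensitive", insensitive), ("case-sensitive", sensitive)):
        print(name, replay(cache, ["/DE/node/1", "/de/node/1"]),
              order_dependent(cache, "/DE/node/1", "/de/node/1"))
```

With the case-sensitive key the two URLs occupy separate entries, so the 404 for /DE/node/1 can no longer be served for /de/node/1.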


🐛 Bug report
Status

Active

Version

7.0 ⚰️

Component
Cache 

Last updated about 8 hours ago

Created by

🇳🇱Netherlands dokumori Utrecht
