
Conversation

@huntr-helper

https://huntr.dev/users/alromh87 has fixed the Lack of Rate Limiting vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#2 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/packagist/userfrosting/userfrosting/1/README.md |

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-packagist-userfrosting%2Fuserfrosting

⚙️ Description *

When configured, rate limiting will return a 429 (Too Many Requests) response code, increasing the wait time as configured. It handles multiple clients as well.

Screenshot of 2020-09-24 20-21-27

Screenshot of 2020-09-24 20-31-22

https://github.com/userfrosting/UserFrosting/blob/master/app/sprinkles/account/src/Controller/AccountController.php#L390
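The behaviour the description above reports (a 429 whose wait grows with each further failure, tracked per client), as an added stand-alone example. This is not UserFrosting's code: the delay schedule, the one-hour window, keying clients by IP, the `Retry-After` header and the `enabled` switch (which mirrors the point made later in this thread that throttling is off outside production) are all assumptions made for illustration.

```python
"""Per-client login throttle with an escalating wait (added example, not
UserFrosting's implementation).  Schedule, window and client key are assumed."""
import math
import time
from dataclasses import dataclass, field

# Assumption: once a client has N recent failures, it must wait this many
# seconds after its last failure before the next attempt is accepted.
DEFAULT_DELAYS = {3: 5, 4: 10, 5: 30, 6: 300}
WINDOW_SECONDS = 3600  # failures older than this no longer count


@dataclass
class Throttle:
    delays: dict = field(default_factory=lambda: dict(DEFAULT_DELAYS))
    window: int = WINDOW_SECONDS
    enabled: bool = True  # e.g. False in a development config
    _failures: dict = field(default_factory=dict)  # client key -> [timestamps]

    def _prune(self, key, now):
        """Drop failures outside the window; return the live list for this key."""
        hits = [t for t in self._failures.get(key, []) if now - t < self.window]
        self._failures[key] = hits
        return hits

    def wait_seconds(self, key, now=None):
        """Seconds this client must still wait, 0 if an attempt is allowed."""
        if not self.enabled:
            return 0
        now = time.time() if now is None else now
        hits = self._prune(key, now)
        reached = [n for n in self.delays if len(hits) >= n]
        if not reached:
            return 0
        delay = self.delays[max(reached)]  # largest threshold crossed wins
        return max(0, int(math.ceil(hits[-1] + delay - now)))

    def record_failure(self, key, now=None):
        now = time.time() if now is None else now
        self._prune(key, now).append(now)

    def reset(self, key):
        """A successful login clears the counter for that client only."""
        self._failures.pop(key, None)


def handle_login(throttle, client_key, password_ok, now=None):
    """Return (status, headers) the way a login endpoint would respond."""
    wait = throttle.wait_seconds(client_key, now)
    if wait > 0:
        return 429, {"Retry-After": str(wait)}
    if password_ok:
        throttle.reset(client_key)
        return 200, {}
    throttle.record_failure(client_key, now)
    return 401, {}


if __name__ == "__main__":
    th = Throttle()
    for t in range(5):  # constructed sequence of bad passwords from one IP
        print(t, handle_login(th, "10.0.0.1", False, now=t))
    print("other client", handle_login(th, "10.0.0.2", False, now=4))
```

Two details worth checking in any real implementation: the counter is keyed per client, so one attacker's failures never lock out a different address, and the delay is measured from the last failure rather than the first, so hammering the endpoint while throttled does not shorten the wait.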

@lcharette lcharette added this to the 5.0.1 milestone Nov 25, 2023
@lcharette lcharette modified the milestones: 5.0.1, 5.1.0 Dec 12, 2023
@lcharette
Member

After review, this is not an issue. Login throttling is disabled in non-production mode, as intended by design. Proper throttling is indeed available in production mode.

@lcharette lcharette closed this Dec 12, 2023
@lcharette lcharette added the wontfix This will not be worked on label Dec 12, 2023