
Vulnerability: No rate limit on reset password link

Open martaribeiro opened this issue 2 years ago • 2 comments

Please complete the following fields as applicable:

What version of the DMPRoadmap code are you running? (e.g. v2.2.0) Roadmap V3.1.1

Expected behaviour: Only send one reset password email within a certain period of time.

Actual behaviour: DESCRIPTION: A user will get many password reset links in their mailbox, and unwanted traffic will be generated in the mailbox.

STEPS TO REPRODUCE:

  1. Create an account and activate it.
  2. Log out, then go to the forgot password section and enter your email id.
  3. Open Burp Suite, turn intercept on in the proxy, and then in the browser click on forgot password.
  4. The forgot password traffic will be generated in Burp Suite; search for your email address, and if it is there simply send it to Intruder.
  5. In Intruder, in Positions select attack type Sniper, click on Clear once, then add two '$' in front of User-Agent.
  6. In Payloads select Brute force and in the character set select "ab", so it will send 16 mail links (if you choose "abc" it will send more). Then click on Start attack; if traffic with status 200 is generated, then it's a bug.

IMPACT: Users will get unwanted password reset emails in their mailbox.

Steps to reproduce: Set a number of emails sent in a certain period of time when resetting the password.

martaribeiro, Sep 29 '22 10:09

Solution: insert a minimum time in between password resets, e.g. 2 mins.

dsisu, Oct 12 '22 15:10

@dsisu to investigate whether there is an industry practice on limits to number of password changes

dsisu, Oct 12 '22 15:10

Going to use Rack-attack gem https://rubygems.org/gems/rack-attack/versions/6.6.1 as suggested by @briri.

johnpinto1, Dec 07 '22 10:12
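To show what the throttling proposed in this thread amounts to (a minimum spacing of 2 minutes between reset emails per address, plus a looser cap per source IP), here is an added example in plain Ruby that is not DMPRoadmap code and does not use the Rack::Attack gem itself; it only mirrors the limit/period/discriminator shape of a Rack::Attack throttle, and the endpoint path `/users/password` and the limits are assumptions.

```ruby
# Added example (not DMPRoadmap code): a fixed-window throttle for the
# password-reset endpoint, shaped like a Rack::Attack throttle rule
# (name, limit, period, discriminator). Path and limits are assumptions.
class ResetThrottle
  Rule = Struct.new(:name, :limit, :period, :extractor)

  def initialize
    # (rule name, discriminator value, window index) => hits in that window
    @counts = Hash.new(0)
    @rules = [
      # One reset email per address every 120 s: the 2-minute minimum
      # spacing suggested in the issue. Address is normalised so that
      # case/whitespace variants share one counter.
      Rule.new('reset/email', 1, 120,
               ->(req) { req[:email].to_s.downcase.strip }),
      # Looser cap per client IP, so one source cannot spray many addresses.
      Rule.new('reset/ip', 10, 120, ->(req) { req[:ip] })
    ]
  end

  # Returns true if the request may proceed, false if it should be answered
  # with 429. Only POSTs to the reset endpoint are counted; everything else
  # passes through untouched. `now` is injectable for testing.
  def allow?(req, now = Time.now)
    return true unless req[:path] == '/users/password' && req[:method] == 'POST'

    allowed = true
    @rules.each do |rule|
      key = rule.extractor.call(req)
      next if key.nil? || key.empty?
      # Fixed window: counters reset at each multiple of `period` seconds.
      slot = [rule.name, key, now.to_i / rule.period]
      @counts[slot] += 1
      allowed = false if @counts[slot] > rule.limit
    end
    allowed
  end
end

if __FILE__ == $0
  t = ResetThrottle.new
  req = { path: '/users/password', method: 'POST',
          email: 'user@example.com', ip: '198.51.100.7' } # constructed
  3.times { |i| puts "attempt #{i + 1}: #{t.allow?(req) ? 'sent' : '429'}" }
end
```

A real deployment would keep the counters in a shared cache (as Rack::Attack does) rather than in process memory, and would answer the throttled request with the same generic message as a successful one so the endpoint does not reveal whether an address is registered.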