[5.x]: Password reset has no rate or count limit
What happened?
Description
The password reset function has no rate limit and can therefore be exploited, e.g. to cause load on the server or to send spam to users.
Steps to reproduce
- Visit the control panel login page
- Click on "Forgot password"
- Enter a username or email-address
- Reload and immediately repeat step 1
Expected behavior
The system should prevent the user from immediately retriggering the reset password mail.
Actual behavior
The system sends reset password mails without any rate or count limits.
Craft CMS version
5.7.7
PHP version
8.3.21
Operating system and version
Linux 6.8.0-59-generic
Database type and version
MySQL 8.0.42
Image driver and version
Imagick 3.8.0 (ImageMagick 6.9.12-98)
Installed plugins and versions
No response
As Craft stores a timestamp whenever a verification token is generated on the user record, we can actually pretty easily implement a cooldown timer that prevents the reset password mail from being sent repeatedly. I've created a fork that adds a cooldown setting and implements a simple check to prevent the misuse.
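The cooldown check described in that comment, modelled as a small stand-alone Python example (added here; it is neither Craft's code nor the linked fork's). The user field `verification_code_issued_date`, the setting `PASSWORD_RESET_COOLDOWN` and the sample account are assumptions standing in for whatever the real record and setting are called.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical cooldown setting; the fork's real setting name is not on the page.
PASSWORD_RESET_COOLDOWN = timedelta(minutes=5)

@dataclass
class User:
    """Stand-in for a user record carrying the timestamp written when a
    verification token is generated (the field name here is an assumption)."""
    username: str
    email: str
    verification_code_issued_date: Optional[datetime] = None
    mails_sent: int = 0  # constructed counter so each request's effect is visible

def find_user(users, identifier):
    """The reset form accepts either a username or an email address."""
    ident = identifier.strip().lower()
    return next((u for u in users if ident in (u.username.lower(), u.email.lower())), None)

def request_password_reset(users, identifier, now, cooldown=PASSWORD_RESET_COOLDOWN):
    """Handle one 'Forgot password' submission; returns (sent, retry_after_seconds).

    Whatever the outcome, the caller should show the same neutral message, so the
    response reveals neither whether the account exists nor that it is cooling down.
    """
    user = find_user(users, identifier)
    if user is None:
        return False, None
    issued = user.verification_code_issued_date
    if issued is not None and now - issued < cooldown:
        # Token issued too recently: no new token, no mail.
        return False, int((cooldown - (now - issued)).total_seconds())
    # Outside the cooldown (or never issued): issue token, store timestamp, send mail.
    user.verification_code_issued_date = now
    user.mails_sent += 1
    return True, None

def demo():
    """Replay the report's reproduction steps against the cooldown check."""
    users = [User("alice", "alice@example.com")]  # constructed sample account
    t0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    first = request_password_reset(users, "alice", t0)
    repeat = request_password_reset(users, "ALICE@example.com", t0 + timedelta(seconds=2))
    later = request_password_reset(users, "alice", t0 + timedelta(minutes=5))
    unknown = request_password_reset(users, "nobody@example.com", t0)
    return {"first": first, "repeat": repeat, "later": later,
            "unknown": unknown, "mails_sent": users[0].mails_sent}
```

The immediate repeat from the reproduction steps is refused with a retry-after of 298 seconds and sends no second mail, while the request after the cooldown expires goes through again.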