Toffy. Posted February 10, 2023 Share Posted February 10, 2023 Hello, recently I discovered a small vulnerability in search module. Users can "bypass" search limits by just removing ips4_lastSearch cookie. People may use it in DoS/DDoS attacks as it's using a lot of resources.Video showcase:https://streamable.com/xdo5ow Link to comment Share on other sites More sharing options...
Marc Stridgen Posted February 10, 2023 Share Posted February 10, 2023 This isnt really a vulnerability as such. This is done via cookie as it applies to guests as well as members, and there has to be some way in which to keep track of when someone has searched. So its done via a cookie. No matter what we used to track that, it could have course be removed. DDOS style attacks are really something that should be dealt with at a server level, rather than at a software level. Refreshing a page over and over, creating members over and over etc, would all have a similar impact to this. The setting is intended as an additional layer in a stack of DDOS mitigations, but is not intended as a catch all. Link to comment Share on other sites More sharing options...
Recommended Posts