Toffy. Posted February 10, 2023 Posted February 10, 2023 Hello, recently I discovered a small vulnerability in search module. Users can "bypass" search limits by just removing ips4_lastSearch cookie. People may use it in DoS/DDoS attacks as it's using a lot of resources.Video showcase:https://streamable.com/xdo5ow
Marc Posted February 10, 2023 Posted February 10, 2023 This isnt really a vulnerability as such. This is done via cookie as it applies to guests as well as members, and there has to be some way in which to keep track of when someone has searched. So its done via a cookie. No matter what we used to track that, it could have course be removed. DDOS style attacks are really something that should be dealt with at a server level, rather than at a software level. Refreshing a page over and over, creating members over and over etc, would all have a similar impact to this. The setting is intended as an additional layer in a stack of DDOS mitigations, but is not intended as a catch all.
Recommended Posts