email rate limit for Umbraco password reset #14843
shearer3000 started this conversation in Features and ideas
Replies: 2 comments 1 reply
- A security penetration test of a client website has reported that there is no rate limit set on the Umbraco backoffice password reset (lost password recovery), i.e. the number of email messages a malicious user could generate. This could have potential implications such as negative user experience, system performance degradation, and even resulting in the email sending service being put on deny/block lists.
Has this been raised before (maybe in prior Umbraco penetration testing)?
A possible solution could be a new setting under https://docs.umbraco.com/umbraco-cms/reference/configuration/securitysettings to specify the number/threshold/attempts allowed within a certain timeframe?
- Hi @shearer3000. Rate limiting is something we are looking into as a more general thing.
- Thanks for that heads up @bergmania. Any insight on what the more general approach might entail, or is that still being decided? Thanks.
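The configurable "attempts within a timeframe" limit that the original post proposes, as an added example: this is not Umbraco's own code and not the approach the maintainers mentioned, just one way to implement such a limit. It uses a sliding window keyed on both the target account (so one victim cannot be mail-bombed) and the requesting client address (so one attacker cannot cycle through many accounts), and returns the same message whether or not an email was sent, so the response reveals neither account existence nor that the limit was hit. The setting names, the limiter class, the request handler and the sample accounts and addresses are all assumptions constructed for the example.

```python
# Added example, not Umbraco's own code: a sliding-window rate limiter for
# backoffice password-reset requests, shaped like the configurable
# "attempts within a timeframe" setting proposed in the discussion.
# Setting names, the limiter class and the request handler are assumptions.
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Tuple
import time


@dataclass(frozen=True)
class ResetRateLimitSettings:
    """Hypothetical settings block; not a real Umbraco SecuritySettings key."""
    max_requests: int = 3          # reset emails allowed per key per window
    window_seconds: float = 900.0  # 15-minute sliding window


class PasswordResetRateLimiter:
    """Limits reset requests per target account and per requesting address."""

    def __init__(self, settings: ResetRateLimitSettings,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.settings = settings
        self.clock = clock  # injectable so tests can control time
        self._hits: Dict[Tuple[str, str], Deque[float]] = {}

    def _window(self, key: Tuple[str, str], now: float) -> Deque[float]:
        """Return the timestamps for `key`, with expired ones pruned."""
        q = self._hits.setdefault(key, deque())
        cutoff = now - self.settings.window_seconds
        while q and q[0] <= cutoff:   # drop hits that fell out of the window
            q.popleft()
        return q

    def allow(self, username: str, client_ip: str) -> bool:
        """True if this request may trigger a reset email; records it if so."""
        now = self.clock()
        # Normalise the account key so case/whitespace variants share a budget.
        keys = [("user", username.strip().lower()), ("ip", client_ip)]
        windows = [self._window(k, now) for k in keys]
        # Decide on both dimensions before recording, so a refused attempt
        # does not consume budget on one key while being blocked by the other.
        if any(len(q) >= self.settings.max_requests for q in windows):
            return False
        for q in windows:
            q.append(now)
        return True


GENERIC_RESPONSE = "If that account exists, a reset email has been sent."


def handle_reset_request(limiter: PasswordResetRateLimiter, username: str,
                         client_ip: str, send_email: Callable[[str], None]):
    """Return (message shown to the user, whether an email was actually sent).

    The message is identical in every case, so the reply does not reveal
    whether the account exists or whether the rate limit was reached.
    """
    if not limiter.allow(username, client_ip):
        return GENERIC_RESPONSE, False
    send_email(username)
    return GENERIC_RESPONSE, True


if __name__ == "__main__":
    # Constructed demo: five reset requests for one account from one address.
    sent = []
    limiter = PasswordResetRateLimiter(ResetRateLimitSettings(max_requests=3))
    for _ in range(5):
        print(handle_reset_request(limiter, "editor@example.com", "203.0.113.7", sent.append))
    print(len(sent), "emails actually sent")
```

The in-memory store is only suitable for a single node; a load-balanced deployment needs the counters in a shared store (a distributed cache or the database), otherwise each node grants the full budget independently. Umbraco itself may or may not expose such a setting; that is the question the thread leaves open.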