vmomenv A friend of mine took advantage of this vulnerability and sent 36 emails for me within 2 minutes. If this is a hacker sending a lot of emails to users, it will be very dangerous.
streaps luceos your friend knows your email address.... This doesn't change the fact that it's possible to create a lot of mails through simple HTTP requests. You will always find some email addresses from some users. What happens if your forum sends a thousand mails to several Gmail addresses? How soon will all mails from the forum address be put in the Spam folder automatically? What would affected users think about security, privacy and/or reputation of the forum?
vmomenv luceos yes... But I still hope that the time interval can be increased, because some users like to leave their email on their personal page.
luceos Throttling is an extensible part of Flarum now. Posts and discussions are automatically throttled, but the same could be done for password resets etc. Not sure where we are with that though.
Hari This is a good idea for the new extension, so you are asking something like how banks do. Send first & second email requests immediately; for the third one or more password requests, block throughout the day or delay 15 min.
ExpLangcn Hi, I also need to solve this problem now. I am using version 1.2.0. Unfortunately, the official did not fix this vulnerability. How did you fix it?
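The policy Hari describes (two reset mails immediately, then a 15-minute delay), as an added example that is not part of the thread and not Flarum's own code. It is a framework-independent Python sketch keyed on the recipient address rather than the client; the class and function names are hypothetical, and the in-memory store stands in for whatever shared storage a real forum would use.

```python
import time
from collections import defaultdict, deque

DAY = 24 * 60 * 60


class ResetMailThrottle:
    """Per-recipient limiter for password reset mails (hypothetical helper)."""

    def __init__(self, free_requests=2, delay=15 * 60, window=DAY):
        self.free_requests = free_requests  # mails sent without any delay
        self.delay = delay                  # minimum gap once the free mails are used
        self.window = window                # rolling period after which a mail is forgotten
        self._sent = defaultdict(deque)     # normalized address -> send timestamps

    def allow(self, address, now=None):
        """Return True if a reset mail to `address` may be sent at time `now`."""
        now = time.time() if now is None else now
        # Key on the recipient so rotating client IPs does not bypass the limit.
        key = address.strip().lower()
        sent = self._sent[key]
        # Forget mails that have fallen out of the rolling window.
        while sent and now - sent[0] >= self.window:
            sent.popleft()
        if len(sent) >= self.free_requests and now - sent[-1] < self.delay:
            return False  # refused requests are not recorded
        sent.append(now)
        return True


def simulate(throttle, address, count, interval, start=0.0):
    """Replay `count` requests spaced `interval` seconds apart; return mails sent."""
    return sum(throttle.allow(address, start + i * interval) for i in range(count))


if __name__ == "__main__":
    # Constructed replay of the burst from the thread: 36 requests in 2 minutes.
    print(simulate(ResetMailThrottle(), "victim@example.com", 36, 120 / 36))
```

The endpoint should answer a throttled request the same way as an accepted one, so the limiter does not reveal which addresses have accounts.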