
Fixed 30 second limit easily broken

#1
I have found that it is easily possible to break the 30 second limit. (I have tested this on two forums and will demonstrate below.)

There is a small gap right after the 30 second timer ends in which a user can send as many post requests as possible and have them all posted. You don't need to send post requests. It is easily accomplished on a user's profile page because there is no point after you post where the button becomes deactivated.

Test for this bug : https://xenforo.com/community/members/awkward_potato.96135/

This is not limited to any amount of posts or just to profile posts. This can be used for major spam.
 

Mike

XenForo developer
Staff member
#2
This is fixed now for the next release. The issue was effectively an off-by-one issue where the DB would only update if the last action was older than <flood limit> + 1 second but other code would accept it at <flood limit> time, which meant that there was a position where a request would go through but the DB wouldn't be updated to reflect the new time.

So this has been fixed in two ways: the off-by-one issue has been sorted, but there's also a sanity check. If the code thinks you're flooding and no DB change has been made, it will force you to wait at least 1 second.

Very good catch here. Thanks! :)
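A toy model of the off-by-one that Mike describes, with the corrected logic beside it. This is an added example written for this page, not XenForo's code: the column name `last_action`, the `UserRow` record and the `db_claim_slot` helper (standing in for a conditional `UPDATE ... WHERE` whose affected-row count is checked) are assumptions, and the `seen_last` parameter is only there to simulate two requests that both read the row before either one writes it.

```python
"""Added example (not XenForo code): the flood-check off-by-one from post #2
next to the fixed logic, including the 'no DB change -> wait >= 1 s' sanity check."""
from __future__ import annotations

FLOOD_LIMIT = 30  # seconds between posts, as in the thread


class UserRow:
    """Stands in for the per-user DB row holding the last action time."""

    def __init__(self, last_action: int = 0) -> None:
        self.last_action = last_action  # assumed column name; unix seconds


def buggy_attempt(row: UserRow, now: int, limit: int = FLOOD_LIMIT) -> tuple[bool, int]:
    """Reconstruction of the bug: the acceptance test passes at exactly `limit`
    seconds, but the row is only rewritten when the last action is older than
    `limit + 1`. At now - last_action == limit the post goes through and the
    timestamp is left untouched, so every request in that second is accepted.
    Returns (accepted, seconds_to_wait)."""
    elapsed = now - row.last_action
    if elapsed < limit:
        return False, limit - elapsed          # flooding: reject
    if elapsed >= limit + 1:                   # off-by-one: skips the boundary second
        row.last_action = now
    return True, 0


def db_claim_slot(row: UserRow, now: int, limit: int) -> int:
    """Models `UPDATE user SET last_action = now WHERE last_action <= now - limit`
    and returns the affected-row count (0 or 1)."""
    if row.last_action <= now - limit:
        row.last_action = now
        return 1
    return 0


def fixed_attempt(row: UserRow, now: int, limit: int = FLOOD_LIMIT,
                  seen_last: int | None = None) -> tuple[bool, int]:
    """Fixed logic: the check and the DB update share one comparison (>= limit),
    and if the conditional update touches no row the request is treated as
    flooding with a wait of at least 1 second (the sanity check from post #2).
    `seen_last` simulates a stale read made before a concurrent request wrote
    the row. Returns (accepted, seconds_to_wait)."""
    seen = row.last_action if seen_last is None else seen_last
    elapsed = now - seen
    if elapsed < limit:
        return False, limit - elapsed
    if db_claim_slot(row, now, limit) == 0:
        # The check passed on what we read, but the row was not ours to claim:
        # somebody else got there first, so do not let this request through.
        return False, max(1, limit - (now - row.last_action))
    return True, 0


def burst(attempt, now: int, count: int, last: int = 0) -> int:
    """Fire `count` requests in the same second against a fresh row whose last
    action was at `last`, and return how many were accepted."""
    row = UserRow(last_action=last)
    return sum(1 for _ in range(count) if attempt(row, now)[0])


if __name__ == "__main__":
    # Constructed scenario: last post at t=0, five requests at t=30.
    print("buggy, t=30:", burst(buggy_attempt, now=30, count=5))   # all 5 get through
    print("buggy, t=31:", burst(buggy_attempt, now=31, count=5))   # only 1
    print("fixed, t=30:", burst(fixed_attempt, now=30, count=5))   # only 1
```

The boundary second is the whole bug: the buggy path lets every request at t=30 through because nothing ever moves `last_action`, while one second later the limiter behaves. The fixed path makes the write the source of truth, so a request that passed the in-memory check but lost the conditional update is still refused.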