Fixed 30 second limit easily broken

awkward_potato

New member
I have found that it is easily possible to break the 30 second limit. (I have tested this on two forums and will demonstrate below.)

There is a small gap right after the 30 second timer ends in which a user can send as many post requests as possible and have them all posted. You don't need to send post requests. It is easily accomplished on a user's profile page because there is no time where after you post the button becomes deactivated.

Test for this bug: https://xenforo.com/community/members/awkward_potato.96135/

This is not limited to any amount of posts or just to profile posts. This can be used for major spam.
 
This is fixed now for the next release. The issue was effectively an off-by-one issue where the DB would only update if the last action was older than <flood limit> + 1 second but other code would accept it at <flood limit> time, which meant that there was a position where a request would go through but the DB wouldn't be updated to reflect the new time.

So this has been fixed in two ways: the off-by-one issue has been sorted but there's also a sanity check. If the code thinks you're flooding and no DB change has been made, it will force you to wait at least 1 second.

Very good catch here. Thanks! :)
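
The off-by-one described in the reply above, as an added Python model that is not part of the original thread and is not XenForo's code. It assumes whole-second timestamps and a dict in place of the DB row; `FloodCheck`, `seconds_to_wait` and the two fix flags are hypothetical names. It shows that each of the two fixes closes the window on its own.

```python
FLOOD_LIMIT = 30  # seconds, the limit named in the thread


class FloodCheck:
    """Toy model of a per-user flood check; the dict stands in for the DB row."""

    def __init__(self, limit=FLOOD_LIMIT, fix_off_by_one=False, sanity_check=False):
        self.limit = limit
        self.fix_off_by_one = fix_off_by_one
        self.sanity_check = sanity_check
        self.last_action = {}  # user -> time of last recorded action

    def seconds_to_wait(self, user, now):
        """Return 0 if the action is accepted, else the seconds still to wait."""
        last = self.last_action.get(user)
        # "DB update" step: record the new time only if the old one is old enough.
        # Before the fix this required limit + 1 seconds to have elapsed.
        needed = self.limit if self.fix_off_by_one else self.limit + 1
        if last is None or now - last >= needed:
            self.last_action[user] = now
            return 0
        # No update happened, so the remaining wait comes from the stored time.
        # At now - last == limit this is 0: accepted, yet nothing was recorded.
        remaining = self.limit - (now - last)
        if self.sanity_check:
            return max(1, remaining)  # never accept when no update was made
        return max(0, remaining)


def accepted_in_burst(check, user, at, count):
    """Send `count` requests in the same second; return how many are accepted."""
    return sum(1 for _ in range(count) if check.seconds_to_wait(user, at) == 0)


def run_scenario(**fixes):
    """One post at t=0, then a constructed burst of 50 requests at t=30."""
    check = FloodCheck(**fixes)
    check.seconds_to_wait("user1", 0)  # first post, always accepted
    return accepted_in_burst(check, "user1", FLOOD_LIMIT, 50)


if __name__ == "__main__":
    print("original logic:   ", run_scenario())
    print("off-by-one fixed: ", run_scenario(fix_off_by_one=True))
    print("sanity check only:", run_scenario(sanity_check=True))
    print("both fixes:       ", run_scenario(fix_off_by_one=True, sanity_check=True))
```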
 