As Designed Contact Us form allows guests to flood

Discussion in 'Resolved Bug Reports' started by Xon, May 12, 2016.

  1. Xon

    Xon Well-Known Member

    The Contact Us form uses the standard XenForo flood check.

    Except this flood check doesn't work for guest users, which allows guests to spam the contact us form without respecting any flood check, while users do need to obey the flood check.

    A quick look shows this is because XenForo uses the user_id as the primary key in the xf_flood_check table rather than something which would support a userid or an ip for guests.
  2. Mike

    Mike XenForo Developer Staff Member

    The flood check is indeed designed for registered users. For guests, in general, we use a captcha for rate limiting. As such, I would call this expected/as designed.

    The only place I can think of where we do IP-based rate limiting is with logins, and that can potentially just enable a captcha, if you desire. There is a possibility of a false positive with IP rate limiting--mostly due to NAT though also misconfigurations with reverse proxies--so it would be possible to break guest functionality unexpectedly with IP limiting.
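An added, constructed illustration of the keying problem in both posts above (example code, not XenForo's own; the class, function names and the trusted-proxy set are hypothetical): a flood check keyed only on user_id never limits guests, while keying guests on the client IP does limit them, with the IP taken from X-Forwarded-For only past proxies the site actually controls, so a reverse-proxy misconfiguration does not collapse every guest onto one address.

```python
from typing import Optional

FLOOD_SECONDS = 30  # minimum gap between two submissions from the same key


class FloodCheck:
    """In-memory stand-in for a flood table; only the keying logic matters here."""

    def __init__(self, guest_by_ip: bool) -> None:
        self.guest_by_ip = guest_by_ip
        self.last_action: dict = {}  # key -> time of last accepted submission

    def key_for(self, user_id: int, ip: str) -> Optional[tuple]:
        if user_id:
            return ("user", user_id)   # registered user: keyed by user_id
        if self.guest_by_ip:
            return ("ip", ip)          # guest: fall back to the client IP
        return None                    # user_id-only design: guests are never keyed

    def allowed(self, user_id: int, ip: str, now: float) -> bool:
        key = self.key_for(user_id, ip)
        if key is None:
            return True                # no key, no check: the guest bypass from the report
        last = self.last_action.get(key)
        if last is not None and now - last < FLOOD_SECONDS:
            return False
        self.last_action[key] = now
        return True


def client_ip(remote_addr: str, forwarded_for: str, trusted_proxies: set) -> str:
    """Pick the client address, honouring X-Forwarded-For only behind trusted proxies."""
    if remote_addr not in trusted_proxies or not forwarded_for:
        return remote_addr             # peer is not a proxy we trust: use the socket address
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):         # walk back from the hop nearest to us
        if hop not in trusted_proxies:
            return hop                 # first address that one of our proxies did not add
    return remote_addr


def accepted_guest_submissions(guest_by_ip: bool, attempts: int = 5) -> int:
    """Constructed scenario: one guest (user_id 0) submits the form once per second."""
    check = FloodCheck(guest_by_ip)
    return sum(check.allowed(0, "203.0.113.7", now=float(t)) for t in range(attempts))
```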