[5.x]: Password reset has no rate or count limit

[sebastian-lenz]

What happened?

Description

The password reset function has no rate limit and therefore can be exploited, e.g. to cause work loads on the server or send spam to users.

Steps to reproduce

1. Visit the control panel login page
2. Click on "Forgot password"
3. Enter a username or email-address
4. Reload and immediately repeat step 1

Expected behavior

The system should prevent the user from immediately retriggering the reset password mail.

Actual behavior

The system sends without any rate or count limits reset password mails.

Craft CMS version

5.7.7

PHP version

8.3.21

Operating system and version

Linux 6.8.0-59-generic

Database type and version

MySQL 8.0.42

Image driver and version

Imagick 3.8.0 (ImageMagick 6.9.12-98)

Installed plugins and versions

No response

[sebastian-lenz]

As Craft stores a timestamp whenever a verification token is generated on the user record we can actually pretty easily implement a cooldown timer that prevents the reset password mail from being sent repeatedly. I've created a fork that adds a cooldown setting and implements a simple check to prevent the missuse.

[bastiaanwuisman]

We've got a client also running into this issue. Any chance this will be picked up in an upcoming update? If not, we'd probably have to implement something similar to the linked PR in our project. Thanks!