FreePBX UCP page can send unlimited Reset password email that can leads to DOS

RenatoSSS22 · January 8, 2024, 7:35am

Hi FreePBX team,

We have noticed that the UCP page can send unlimited reset password that can possibly leads to DOS.

Is it possible to limit this into twice and there is countdown time before the user can send again or if none, is there a way to totally disable the “Forgot Password” button?

Thank you for your help

comtech · January 8, 2024, 4:56pm

I am not aware of any built-in way to toggle this. There is Sangoma responsive firewall which can block IPs after it sees a series of failures, but an ever-changing IP will negate that.

You could approach this in two ways:

Assume this is a bug and submit a bug report and see what Sangoma says.
Assume this is feature request and submit a feature request.

RenatoSSS22 · January 10, 2024, 5:38am

Hi comtech,

Thank you.

May I ask where to submit a bug report?

jfinstrom · January 10, 2024, 6:07am

They have not introduced a replacement bug tracker so just tagging on here @kgupta @lgaetz

RenatoSSS22 · January 15, 2024, 2:36am

@kgupta @lgaetz any updates or thoughts about this?

lgaetz · January 15, 2024, 2:54pm

No thoughts other than to confirm that it’s currently a pending feature request.

system · February 14, 2024, 2:55pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.