This module has a DDoS vulnerability. Technically, service is not denied, but it is a distributed attack that could result in the host website being blacklisted.

Flood control only works for individual IP addresses, not for distributed attacks.

You can see this vulnerability by:
1. Enabling the module.
2. As a user with admin permission, enabling flood control.
3. As a spammer, going to [domain]/forward?path=[path] from many different IP addresses all at once, keeping within the flood control limit for each individual IP address.

Actual behavior: Submissions get through
Expected behavior: Forward detects excessive quantity of requests and denies all requests.

While this fix in and of itself could allow DDoS to deny forwarding, using Forwarding to spam would also risk DDoS through blacklisting.

Security team has approved posting this as a public issue.
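As an added illustration (not code from the Forward module or from the issue author), the following Python models the two checks the report contrasts: a per-IP sliding-window counter alone accepts the distributed pattern, while an additional endpoint-wide counter denies the excess. The limits, the access-log lines and the `FloodControl`/`replay` names are constructed for this example.

```python
import re
from collections import defaultdict, deque

# Constructed limits for the demonstration, not the module's real defaults.
PER_IP_LIMIT = 5    # requests one client IP may make per window
GLOBAL_LIMIT = 20   # requests the whole /forward endpoint accepts per window
WINDOW = 3600       # window length in seconds

class FloodControl:
    """Sliding-window counters: one key per client IP (the check the report says
    exists) plus a shared key for the endpoint (the check it says is missing)."""

    def __init__(self, per_ip_limit=PER_IP_LIMIT, global_limit=GLOBAL_LIMIT, window=WINDOW):
        self.per_ip_limit, self.global_limit, self.window = per_ip_limit, global_limit, window
        self.events = defaultdict(deque)   # key -> timestamps of accepted requests

    def _count(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:   # expire events outside the window
            q.popleft()
        return len(q)

    def allow(self, ip, now, check_global):
        # Accept or deny one request; an accepted request is recorded under both keys.
        if self._count(ip, now) >= self.per_ip_limit:
            return False
        if check_global and self._count("*", now) >= self.global_limit:
            return False
        self.events[ip].append(now)
        self.events["*"].append(now)
        return True

LOG_RE = re.compile(r'^(\S+) (\d+) "GET /forward\?path=')

def replay(log_lines, check_global):
    """Run constructed access-log lines (ip, unix time, request) through the limiter."""
    fc, accepted, denied = FloodControl(), 0, 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # not a /forward request
        if fc.allow(m.group(1), int(m.group(2)), check_global):
            accepted += 1
        else:
            denied += 1
    return accepted, denied

# Constructed traffic: 30 distinct IPs, one /forward request each, inside one minute,
# so every IP stays far below PER_IP_LIMIT, which is the pattern in the report.
SAMPLE_LOG = [f'203.0.113.{i} {1700000000 + i} "GET /forward?path=node/1 HTTP/1.1" 200'
              for i in range(1, 31)]
```

`replay(SAMPLE_LOG, check_global=False)` returns `(30, 0)`, the behaviour the report observes; `replay(SAMPLE_LOG, check_global=True)` returns `(20, 10)`, the expected behaviour where the excess is denied.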

Comments

Charles Belov created an issue.

nkanderson commented:

I'm seeing this issue on my site, wondering if there's any work in progress on patching? BTW, when I view admin/reports/forward, it looks like the activity is constrained to the set flood control limits. When I view the actual access logs on the server, I see spammer activity from multiple IPs as described above.

Also, for anyone stumbling on this issue, the red flag I first noticed on my site was that the cache_form table was growing quickly and excessively.

markabur commented:

In the meantime, Honeypot module might be helpful.

john.oltman commented:

Version: 7.x-2.1 » 4.0.x-dev