Fixed issue #15239: Brute-force attack with tokens to enter survey is…

… possible (#1794) Intentionally don't reset FailedLoginAttempt after token usccesfull validation
LimeSurvey · Mar 5, 2021 · 9cab67f · 9cab67f
1 parent 4367fec
commit 9cab67f
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/application/helpers/frontend_helper.php b/application/helpers/frontend_helper.php
@@ -1269,7 +1269,8 @@ function testIfTokenIsValid(array $subscenarios, array $thissurvey, array $aEnte
             $aEnterTokenData['visibleToken'] = $clienttoken;
             $aEnterTokenData['token'] = $clienttoken;
             $renderToken = 'correct';
-            FailedLoginAttempt::model()->deleteAttempts();
+            // Intentionally don't reset FailedLoginAttempt for this IP.            
+            // FailedLoginAttempt::model()->deleteAttempts();
         }
     }