PHPJabbers Event Ticketing System
cpe:2.3:a:phpjabbers:event_ticketing_system:*:*:*:*:*:*:*
- 1.0
A denial-of-service vulnerability has been identified in PHPJabbers Event Ticketing System version 1.0, stemming from a lack of rate limiting in the 'Forgot Password' feature. This oversight allows attackers to send a high volume of password reset requests on behalf of a legitimate user, potentially overwhelming the user's inbox with excessive messages.
Exploitation of this vulnerability can lead to a denial-of-service condition for users, causing their email accounts to be flooded with reset requests.
To reproduce this vulnerability, access the 'Forgot Password' feature on the PHPJabbers Event Ticketing System demo site. Use an email address that is already registered on the site. Capture the request with a tool like Burp Suite, and send it to the Intruder tab. Configure the Intruder to send multiple requests and start the attack. The result will be a large number of password reset emails sent to the registered email address.
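The missing control is a limit on how many reset emails one address can receive in a given period. The following is an added example of such a limiter, not PHPJabbers code: the class name, the thresholds (3 per address and 10 per client IP in 15 minutes) and the in-memory storage are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);
// Sliding-window limiter for password-reset e-mails (hypothetical class).
// Storage is a plain array so the script runs stand-alone; a real deployment
// would keep the timestamps in a shared store (database table, Redis, APCu).
final class ResetRateLimiter
{
    /** @var array<string, int[]> request timestamps per bucket key */
    private array $hits = [];

    public function __construct(
        private int $maxPerEmail = 3,     // assumed policy: mails per address
        private int $maxPerIp = 10,       // assumed policy: requests per client IP
        private int $windowSeconds = 900  // assumed window: 15 minutes
    ) {}

    public function allow(string $email, string $ip, int $now): bool
    {
        // Normalise so "User@Example.com " and "user@example.com" share a bucket.
        $emailKey = 'email:' . hash('sha256', strtolower(trim($email)));
        $ipKey = 'ip:' . $ip;

        if ($this->recent($emailKey, $now) >= $this->maxPerEmail
            || $this->recent($ipKey, $now) >= $this->maxPerIp) {
            return false; // caller must not send another reset mail
        }
        $this->hits[$emailKey][] = $now;
        $this->hits[$ipKey][] = $now;
        return true;
    }

    private function recent(string $key, int $now): int
    {
        // Drop timestamps that fell out of the window, then count the rest.
        $this->hits[$key] = array_values(array_filter(
            $this->hits[$key] ?? [],
            fn (int $t): bool => $t > $now - $this->windowSeconds
        ));
        return count($this->hits[$key]);
    }
}

// Constructed input: 50 automated requests for one registered address,
// one per second, each arriving from a different client IP.
$limiter = new ResetRateLimiter();
$sent = 0;
for ($i = 0; $i < 50; $i++) {
    $sent += (int) $limiter->allow('victim@example.com', '203.0.113.' . $i, 1700000000 + $i);
}
echo "reset mails sent: $sent of 50\n";
```

Because every request in the constructed run comes from a different IP, only the per-address bucket stops the flood, which is why the limit has to be keyed on the target email and not on the client alone.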