laravel / fortify

Backend controllers and scaffolding for Laravel authentication.
https://laravel.com/docs/fortify
MIT License

Release notes (and UPGRADE.md) should mention necessary config update to fix 2fa vulnerability #191

Closed LeoniePhiline closed 3 years ago

LeoniePhiline commented 3 years ago

Description:

Commit 8609af2292652234a70e4457d63ff1e10a510631 fixes 2fa in new installations.

However, there is no default for the newly introduced config('fortify.limiters.two-factor'). Therefore existing installations remain vulnerable (no 2fa rate-limiting will be applied) until the published config is updated to match the updated stub.

The severity might be medium to low, but this might still necessitate a security advisory, at least a mention in the release notes, and maybe a hint on laravel news?
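As an added illustration (not code from this issue or from Fortify itself), this shows the published `config/fortify.php` before and after adding the `limiters.two-factor` key the issue describes, together with the matching limiter definition in `FortifyServiceProvider`. The limiter name `two-factor`, the `perMinute(5)` threshold and the `login.id` session key are assumptions taken from the Fortify stub/docs rather than from this page.

```php
<?php
// config/fortify.php (excerpt)
//
// BEFORE (vulnerable): a config published before the fix only knows the
// login limiter. config('fortify.limiters.two-factor') returns null, so no
// throttle middleware is attached to the two-factor challenge route.
//
// 'limiters' => [
//     'login' => 'login',
// ],
//
// AFTER (fixed): add the new key so the challenge route is rate-limited.
return [
    // ... other Fortify options unchanged ...
    'limiters' => [
        'login' => 'login',
        'two-factor' => 'two-factor',   // name of a RateLimiter registered below
    ],
];

// app/Providers/FortifyServiceProvider.php (excerpt)
//
// The config value above is only a name; the limiter itself must be
// registered, otherwise the throttle middleware has nothing to apply.
// Assumed values: 5 attempts per minute, keyed on the pending login's id.
namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class FortifyServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        RateLimiter::for('two-factor', function (Request $request) {
            // 'login.id' is where Fortify keeps the user awaiting 2FA;
            // keying on it throttles per pending login, not per IP only.
            return Limit::perMinute(5)->by($request->session()->get('login.id'));
        });
    }
}

// Quick check on an existing install (run inside `php artisan tinker`):
//   config('fortify.limiters.two-factor')
// A null result means the published config still lacks the key.
```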

driesvints commented 3 years ago

I'll talk to Taylor to maybe do a blog post about this. Thanks!