Limit notifications of not authenticated sessions #8307
Labels: c: Security
If an attacker triggers an error like #8268 (no authentication is needed for that), a notification is saved in the data field of his session.
As those notifications are stored until they are displayed (which never happens for such a session), the data field grows over time.
This can be used to fill HDD space or database space (if database session handling is active).
If database replication (MySQL) is activated, the binlog grows very quickly too and uses a lot of HDD space (all of it).
A solution could be a limitation of notifications based on login status.
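To make the proposed mitigation concrete, the following is an added standalone example; it is not Matomo's own notification code, and the class name, method names, session keys and the per-session cap are assumptions. It shows a session-backed notification queue with the two controls the report implies: nothing is persisted for an unauthenticated session (which can never render a notification anyway), and an authenticated session's queue is bounded so repeated error-triggered notifications cannot make the session data grow without limit.

```php
<?php
// Added illustrative example; this is not Matomo's own code. The class,
// method names, session keys and cap are assumptions made for the demo.

final class NotificationStore
{
    // Hypothetical upper bound on notifications kept per session.
    private const MAX_PER_SESSION = 20;

    // Reference to the session data array (e.g. $_SESSION in a real app).
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    private function isAuthenticated(): bool
    {
        // Assumption: the login state lives in the session under this key.
        return !empty($this->session['user_login']);
    }

    /**
     * Queue a notification for later display. Returns false when nothing
     * was stored. Unauthenticated sessions never display notifications, so
     * storing them would only let the session data grow; authenticated
     * sessions are capped, with the oldest entries evicted first.
     */
    public function add(string $id, string $message): bool
    {
        if (!$this->isAuthenticated()) {
            return false;
        }
        $this->session['notifications'][$id] = $message;
        if (count($this->session['notifications']) > self::MAX_PER_SESSION) {
            $this->session['notifications'] = array_slice(
                $this->session['notifications'],
                -self::MAX_PER_SESSION,
                null,
                true // preserve the string keys
            );
        }
        return true;
    }

    public function pendingCount(): int
    {
        return count($this->session['notifications'] ?? []);
    }

    /** Return the pending notifications and clear them, as display would. */
    public function flush(): array
    {
        $pending = $this->session['notifications'] ?? [];
        unset($this->session['notifications']);
        return $pending;
    }
}

// Constructed in-memory session arrays stand in for $_SESSION.
$anonymous = [];
$anonStore = new NotificationStore($anonymous);
for ($i = 0; $i < 10000; $i++) {
    // Mimics an unauthenticated client repeatedly triggering an error notification.
    $anonStore->add("error_$i", str_repeat('x', 200));
}
echo "anonymous session pending: " . $anonStore->pendingCount() . "\n";

$loggedIn = ['user_login' => 'admin'];
$userStore = new NotificationStore($loggedIn);
for ($i = 0; $i < 10000; $i++) {
    $userStore->add("error_$i", str_repeat('x', 200));
}
echo "authenticated session pending: " . $userStore->pendingCount() . "\n";
echo "flushed: " . count($userStore->flush())
    . ", remaining: " . $userStore->pendingCount() . "\n";
```

Run with `php example.php`: the anonymous session ends with no pending notifications at all, while the authenticated session holds at most the cap regardless of how many errors were triggered, and flushing empties it. The cap is the second line of defence: even for a logged-in user, session data stored on disk or in the database stays bounded, which is what keeps the HDD, database and binlog growth described above from happening.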