Closed Bug 570231 Opened 14 years ago Closed 13 years ago

Username Enumeration Possible from Forgot Password Page

Categories

(Websites Graveyard :: drumbeat.org, defect)

Product:
Websites Graveyard
Component:
drumbeat.org
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: mcoates, Unassigned)

Details

(Whiteboard: [infrasec:auth][drumbeat-security]) 

Issue

It is possible to enumerate valid usernames from the forgot password page (https://www.drumbeat.org/user/password). This is possible because entering a valid username will result in the message:
  "Further instructions have been sent to your e-mail address."
whereas entering an invalid username returns the message:
  "Sorry, mcoates99912 is not recognized as a user name or an e-mail address."

An attacker could use this weakness to manually identify valid account identifiers that may relate to particular users or admin accounts.  Note: Since a captcha is enforced, an attacker would not be able to script an attack to enumerate high volumes of users.


Recommended Remediation

Return the same message to the user regardless if the submitted account is valid.  This will eliminate the ability for an attacker to infer if an account is valid based on the returned message.
Drupal based version drumbeat.org has been retired. Bug no longer valid.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Product: Websites → Websites Graveyard
You need to log in before you can comment on or make changes to this bug.