Issue

It is possible to enumerate valid usernames from the forgot password page (https://www.drumbeat.org/user/password). This is possible because entering a valid username will result in the message: "Further instructions have been sent to your e-mail address." whereas entering an invalid username returns the message: "Sorry, mcoates99912 is not recognized as a user name or an e-mail address." An attacker could use this weakness to manually identify valid account identifiers that may relate to particular users or admin accounts.

Note: Since a captcha is enforced, an attacker would not be able to script an attack to enumerate high volumes of users.

Recommended Remediation

Return the same message to the user regardless of whether the submitted account is valid. This will eliminate the ability for an attacker to infer if an account is valid based on the returned message.
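The weakness and the recommended remediation, as an added example that is not part of the report and not the drumbeat.org / Drupal code: a password-reset handler whose message depends on whether the account exists, beside one that returns a single generic message and keeps the "send mail" side effect invisible to the requester. The account set, the outbox and the handler names are constructed for the demonstration.

```python
"""
Added illustration of the username-enumeration weakness and its fix.
Not the site's own implementation; KNOWN_ACCOUNTS and OUTBOX are constructed.
"""

# Constructed sample of registered identifiers (usernames and e-mail addresses).
KNOWN_ACCOUNTS = {"alice", "bob", "alice@example.org"}

# Stand-in for the mailer: a real site would queue a reset e-mail here.
OUTBOX = []


def forgot_password_vulnerable(identifier: str) -> str:
    """Behaviour the report describes: the reply reveals whether the account exists."""
    if identifier in KNOWN_ACCOUNTS:
        OUTBOX.append(identifier)
        return "Further instructions have been sent to your e-mail address."
    return f"Sorry, {identifier} is not recognized as a user name or an e-mail address."


# One message for every request, so the reply carries no information about the account.
GENERIC_MESSAGE = (
    "If the account you entered exists, further instructions have been "
    "sent to the e-mail address on file."
)


def forgot_password_hardened(identifier: str) -> str:
    """Recommended remediation: identical reply either way; mail goes out only for real accounts."""
    if identifier in KNOWN_ACCOUNTS:
        OUTBOX.append(identifier)  # side effect the requester cannot observe
    return GENERIC_MESSAGE


def responses_differ(handler, valid: str, invalid: str) -> bool:
    """Regression check: True if the handler's reply distinguishes a valid identifier from an invalid one."""
    return handler(valid) != handler(invalid)


if __name__ == "__main__":
    print("vulnerable leaks account existence:", responses_differ(forgot_password_vulnerable, "alice", "mallory"))
    print("hardened leaks account existence:  ", responses_differ(forgot_password_hardened, "alice", "mallory"))
```

When turning `responses_differ` into a check against a live endpoint, compare the HTTP status code and response length as well as the message body, since any of those can reveal the same information the report describes.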
Drupal based version drumbeat.org has been retired. Bug no longer valid.