Username Enumeration Possible from Forgot Password Page

RESOLVED WONTFIX

Status

Websites Graveyard
www.drumbeat.org
RESOLVED WONTFIX
8 years ago
3 years ago

People

(Reporter: mcoates, Unassigned)

Tracking

Details

(Whiteboard: [infrasec:auth][drumbeat-security])

Issue

It is possible to enumerate valid usernames from the forgot password page (https://www.drumbeat.org/user/password). This is possible because entering a valid username will result in the message:
  "Further instructions have been sent to your e-mail address."
whereas entering an invalid username returns the message:
  "Sorry, mcoates99912 is not recognized as a user name or an e-mail address."

An attacker could use this weakness to manually identify valid account identifiers that may relate to particular users or admin accounts.  Note: Since a captcha is enforced, an attacker would not be able to script an attack to enumerate high volumes of users.


Recommended Remediation

Return the same message to the user regardless if the submitted account is valid.  This will eliminate the ability for an attacker to infer if an account is valid based on the returned message.
Blocks: 570234
Drupal based version drumbeat.org has been retired. Bug no longer valid.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WONTFIX
Group: websites-security
(Assignee)

Updated

3 years ago
Product: Websites → Websites Graveyard
You need to log in before you can comment on or make changes to this bug.