I suppose that
in security.properties password.encrypt=true and my username is "matarazzoa" I suppose that an ofbiz user knows my username and in this screen https://demo904.ofbiz.org/ordermgr/control/forgotPassword put my username matarazzoa and click "email password". Ofbiz system will change my password in userLogin entity and will send this new password to my email address Has another user changed my password???? Am I right? Thank you. |
Administrator
|
Yes, in *your* mailx box. Is this a problem for you ?
You can't prevent that if you want to give some flexibility. "You can't have the cake and eat it" ;o) Jacques From: "Angelo Matarazzo" <[hidden email]> > I suppose that > in security.properties > password.encrypt=true > and my username is "matarazzoa" > > I suppose that an ofbiz user knows my username and > in this screen > https://demo904.ofbiz.org/ordermgr/control/forgotPassword > put my username matarazzoa and click "email password". > > Ofbiz system will change my password in userLogin entity and will send this > new password to my email address > > Has another user changed my password???? > > Am I right? > > Thank you. > > > -- > View this message in context: http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html > Sent from the OFBiz - User mailing list archive at Nabble.com. > |
An alternative method could be sending a mail with a link that let the
user to have access to the system or just to the change password feature. May be something similar to the ExternalLoginKey. In such a way the password cannot be changed by other people but the one that can access to the registered mailbox. -Bruno 2009/10/9 Jacques Le Roux <[hidden email]>: > Yes, in *your* mailx box. Is this a problem for you ? > You can't prevent that if you want to give some flexibility. > "You can't have the cake and eat it" ;o) > > Jacques > > From: "Angelo Matarazzo" <[hidden email]> >> >> I suppose that in security.properties password.encrypt=true >> and my username is "matarazzoa" >> >> I suppose that an ofbiz user knows my username and in this screen >> https://demo904.ofbiz.org/ordermgr/control/forgotPassword >> put my username matarazzoa and click "email password". >> >> Ofbiz system will change my password in userLogin entity and will send >> this >> new password to my email address >> >> Has another user changed my password???? >> >> Am I right? >> >> Thank you. >> >> >> -- >> View this message in context: >> http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html >> Sent from the OFBiz - User mailing list archive at Nabble.com. >> > > |
In reply to this post by Jacques Le Roux
Jacques,
I think that Angelo is alluding to is that the current method allows a malicious prankster to create something of a denial of service attack against a registered user. It wouldn't be very difficult to script a 'bot that constantly resets a user's password. A more secure method would work along the following lines: 1. Users enters username on the forgotPassword page and submits the form. 2. System emails a "reset password" link to the user's email. Link should contain a serialized request id. Serialized request id should be implemented such a manner that it can only be requested a limited number of times within a fairly short time period (say, 3 times within 30 mins of submitting the forgotPassword form). 3. User retrieves the email and clicks on the "reset password link". 4. Users arrives at the "reset password" form within OFBiz and is asked to reset password. They may also be challenged to answer a security question (which adds some additional security in case the email account has been compromised). If the "reset password link" has been clicked too many times within the expiration period (indicates a possible hacking attempt), clicked beyond the expiration timestamp (link is stale) or has already been used to successfully reset the account password, the system should present the user with an error message. Mike On Oct 9, 2009, at 5:51 PM, Jacques Le Roux wrote: > Yes, in *your* mailx box. Is this a problem for you ? > You can't prevent that if you want to give some flexibility. > "You can't have the cake and eat it" ;o) > > Jacques > > From: "Angelo Matarazzo" <[hidden email]> >> I suppose that in security.properties password.encrypt=true >> and my username is "matarazzoa" >> I suppose that an ofbiz user knows my username and in this screen https://demo904.ofbiz.org/ordermgr/control/forgotPassword >> put my username matarazzoa and click "email password". >> Ofbiz system will change my password in userLogin entity and will >> send this >> new password to my email address >> Has another user changed my password???? >> Am I right? >> Thank you. >> -- >> View this message in context: http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html >> Sent from the OFBiz - User mailing list archive at Nabble.com. >> > |
Administrator
|
Hi Mike ,
Yes, sure, feel free to open a Jira (the description below should be sufficient, of course a patch highly appreciated) Thanks JAcques From: "Mike Rose" <[hidden email]> > Jacques, > > I think that Angelo is alluding to is that the current method > allows a malicious prankster to create something of a denial of > service attack against a registered user. It wouldn't be very > difficult to script a 'bot that constantly resets a user's password. > A more secure method would work along the following lines: > > 1. Users enters username on the forgotPassword page and submits the > form. > > 2. System emails a "reset password" link to the user's email. > Link should contain a serialized request id. > Serialized request id should be implemented such a manner that it > can only be requested a limited number of times within a fairly short > time period (say, 3 times within 30 mins of submitting the > forgotPassword form). > > 3. User retrieves the email and clicks on the "reset password link". > > 4. Users arrives at the "reset password" form within OFBiz and is > asked to reset password. They may also be challenged to answer a > security question (which adds some additional security in case the > email account has been compromised). > If the "reset password link" has been clicked too many times within > the expiration period (indicates a possible hacking attempt), clicked > beyond the expiration timestamp (link is stale) or has already been > used to successfully reset the account password, the system should > present the user with an error message. > > Mike > > > On Oct 9, 2009, at 5:51 PM, Jacques Le Roux wrote: > >> Yes, in *your* mailx box. Is this a problem for you ? >> You can't prevent that if you want to give some flexibility. >> "You can't have the cake and eat it" ;o) >> >> Jacques >> >> From: "Angelo Matarazzo" <[hidden email]> >>> I suppose that in security.properties password.encrypt=true >>> and my username is "matarazzoa" >>> I suppose that an ofbiz user knows my username and in this screen https://demo904.ofbiz.org/ordermgr/control/forgotPassword >>> put my username matarazzoa and click "email password". >>> Ofbiz system will change my password in userLogin entity and will >>> send this >>> new password to my email address >>> Has another user changed my password???? >>> Am I right? >>> Thank you. >>> -- >>> View this message in context: http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html >>> Sent from the OFBiz - User mailing list archive at Nabble.com. >>> >> > |
Hi jacques,
I wanted to know how "email password" works ad if ofbiz already prevents this DOS attack. Regards Angelo.
|
Administrator
|
In reply to this post by Jacques Le Roux
Hi Angelo,
I don't think OFBiz currently prevent any DDOS attack. And you may know that in some case it *very hard* to prevent them anyway... It's not the goal of OFBiz to prevent DDOS attacks, but I agree that in this peculiar case we could do better (sending a confirmation email sounds like the better method, we could use captcha also, etc.) Feel free to open a Jira issue under https://issues.apache.org/jira/browse/OFBIZ-1525 using all the relevant comments from this thread. Of course, as ever, a patch would be highly appreciated... Thanks Jacques From: "Angelo Matarazzo" <[hidden email]> > > Hi jacques, > I wanted to know how "email password" works ad if ofbiz already prevents > this DOS attack. > Regards Angelo. > > jacques.le.roux wrote: >> >> Hi Mike , >> >> Yes, sure, feel free to open a Jira (the description below should be >> sufficient, of course a patch highly appreciated) >> >> Thanks >> >> JAcques >> >> From: "Mike Rose" <[hidden email]> >>> Jacques, >>> >>> I think that Angelo is alluding to is that the current method >>> allows a malicious prankster to create something of a denial of >>> service attack against a registered user. It wouldn't be very >>> difficult to script a 'bot that constantly resets a user's password. >>> A more secure method would work along the following lines: >>> >>> 1. Users enters username on the forgotPassword page and submits the >>> form. >>> >>> 2. System emails a "reset password" link to the user's email. >>> Link should contain a serialized request id. >>> Serialized request id should be implemented such a manner that it >>> can only be requested a limited number of times within a fairly short >>> time period (say, 3 times within 30 mins of submitting the >>> forgotPassword form). >>> >>> 3. User retrieves the email and clicks on the "reset password link". >>> >>> 4. Users arrives at the "reset password" form within OFBiz and is >>> asked to reset password. They may also be challenged to answer a >>> security question (which adds some additional security in case the >>> email account has been compromised). >>> If the "reset password link" has been clicked too many times within >>> the expiration period (indicates a possible hacking attempt), clicked >>> beyond the expiration timestamp (link is stale) or has already been >>> used to successfully reset the account password, the system should >>> present the user with an error message. >>> >>> Mike >>> >>> >>> On Oct 9, 2009, at 5:51 PM, Jacques Le Roux wrote: >>> >>>> Yes, in *your* mailx box. Is this a problem for you ? >>>> You can't prevent that if you want to give some flexibility. >>>> "You can't have the cake and eat it" ;o) >>>> >>>> Jacques >>>> >>>> From: "Angelo Matarazzo" <[hidden email]> >>>>> I suppose that in security.properties password.encrypt=true >>>>> and my username is "matarazzoa" >>>>> I suppose that an ofbiz user knows my username and in this screen >>>>> https://demo904.ofbiz.org/ordermgr/control/forgotPassword >>>>> put my username matarazzoa and click "email password". >>>>> Ofbiz system will change my password in userLogin entity and will >>>>> send this >>>>> new password to my email address >>>>> Has another user changed my password???? >>>>> Am I right? >>>>> Thank you. >>>>> -- >>>>> View this message in context: >>>>> http://www.nabble.com/forgot-password-and-email-password-tp25824734p25824734.html >>>>> Sent from the OFBiz - User mailing list archive at Nabble.com. >>>>> >>>> >>> >> >> >> > > -- > View this message in context: http://www.nabble.com/forgot-password-and-email-password-tp25824734p25846328.html > Sent from the OFBiz - User mailing list archive at Nabble.com. > |
Free forum by Nabble | Edit this page |