[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16059128#comment-16059128 ]
Michael Brohl commented on OFBIZ-4361:
--------------------------------------
??Verify the email before sending a link to the provided email address; this means the provided email will be associated with the user login party.??
Yes, we should check if a user login with this email address exists, else display a message.
??We can use WorkEffort or a better design to store the token; WorkEffort has fields to set the start/end date.??
Why not keep it simple and store this information on the user login, just like the other information such as requirePasswordChange, disabledDateTime etc.?
??On click on reset password it does not set the requirePasswordChange on the login; it simply sends an email, and on click on the email link the user will be able to re-set the password.??
Yes, that's what I have in mind: no automatic password generation and mailing it through the world, the new password will only be typed in the application. That is the safest way.
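The flow agreed on in the comment above (verify that a user login with the given email exists, keep the token and its expiry on the user-login record, never mail a password, let the user type the new one after following the link) as an added, self-contained model. This is example code written for this page, not OFBiz code: `UserLogin`, `PasswordResetService`, the one-hour lifetime and the "exactly one matching login" rule are assumptions, and the SHA-256 stand-in for password hashing is not what a real deployment should use.

```python
"""Password-reset flow with the token state stored on the user-login record.

Added example, not OFBiz code. UserLogin is a plain stand-in for the entity;
the token lifetime (1 hour) and the exactly-one-match rule are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

TOKEN_TTL = timedelta(hours=1)          # assumed lifetime of a reset link
DEMO_NOW = datetime(2017, 6, 22, tzinfo=timezone.utc)  # constructed clock for the demo


@dataclass
class UserLogin:
    user_login_id: str
    email: str
    password_hash: str
    # Reset state lives next to fields like requirePasswordChange / disabledDateTime.
    reset_token_hash: Optional[str] = None
    reset_token_expiry: Optional[datetime] = None


def _sha256(value: str) -> str:
    # Only a digest of the token is stored; the raw token exists solely in the emailed link.
    # For the password itself a real system uses a dedicated password hash (this is a stand-in).
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class PasswordResetService:
    def __init__(self, logins: Iterable[UserLogin]) -> None:
        self.logins: Dict[str, UserLogin] = {l.user_login_id: l for l in logins}

    def request_reset(self, email: str, now: datetime) -> Optional[str]:
        """Return a fresh one-time token for the login tied to `email`, or None.

        None means "no (single) user login has this address"; the caller shows a
        generic message. No password is generated and nothing is changed on the login.
        """
        matches = [l for l in self.logins.values() if l.email.lower() == email.lower()]
        if len(matches) != 1:
            return None
        login = matches[0]
        token = secrets.token_urlsafe(32)
        login.reset_token_hash = _sha256(token)
        login.reset_token_expiry = now + TOKEN_TTL
        return token  # embedded in the link that is emailed; only its hash is kept

    def complete_reset(self, user_login_id: str, token: str,
                       new_password: str, now: datetime) -> bool:
        """Set the password the user typed in, if the presented token is valid, unexpired and unused."""
        login = self.logins.get(user_login_id)
        if login is None or login.reset_token_hash is None or login.reset_token_expiry is None:
            return False
        if now > login.reset_token_expiry:
            self._clear(login)          # stale token is discarded, a new request is needed
            return False
        if not hmac.compare_digest(login.reset_token_hash, _sha256(token)):
            return False                # the stored token stays valid until it expires
        login.password_hash = _sha256(new_password)
        self._clear(login)              # single use: the same link cannot be replayed
        return True

    @staticmethod
    def _clear(login: UserLogin) -> None:
        login.reset_token_hash = None
        login.reset_token_expiry = None


def minutes_after(n: int) -> datetime:
    """Helper for the demo: DEMO_NOW plus n minutes."""
    return DEMO_NOW + timedelta(minutes=n)


if __name__ == "__main__":
    svc = PasswordResetService([UserLogin("admin", "admin@example.com", _sha256("old"))])
    print("unknown address ->", svc.request_reset("nobody@example.com", DEMO_NOW))
    tok = svc.request_reset("admin@example.com", DEMO_NOW)
    print("valid token accepted ->", svc.complete_reset("admin", tok, "new-secret", minutes_after(5)))
    print("replay rejected ->", svc.complete_reset("admin", tok, "again", minutes_after(6)))
```

Run as a script it prints `None`, `True`, `False`: an unknown address yields no token and changes nothing, a valid link sets exactly the password the user typed, and the same link cannot be used twice. Because the link carries the token and the record carries only its digest, reading the record alone is not enough to complete a reset for that login.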
> Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Release Branch 11.04, Trunk
> Environment: Ubuntu and others
> Reporter: mz4wheeler
> Assignee: Michael Brohl
> Labels: security
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another user's password, including "admin", without permission. By simply entering "admin" and clicking "Email Password", the following is displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password. It is also possible to generate a dictionary attack against ofbiz because there is no captcha code required. This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a captcha code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)