[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"


Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16583998#comment-16583998 ]

Nicolas Malin commented on OFBIZ-4361:
--------------------------------------

I reviewed the patch and have some remarks before committing it:
 * when the user comes to OFBiz after asking for a new password, only the userName and the custRequestId seem few regarding the possibility to reset a password. I'm in favor of using a token built with the UserLogin and CustRequest involved in this process. I already implemented it in the submitted patch :)  [^OFBIZ-4361_ReworkPasswordLogic.patch]
 * Also, to prevent a possible massive attack, I propose to add a timeout for password reset managed by security.properties. A user that requests a new password would have 2 days (or less) to consume it, after which the custRequest will be cancelled.
 * the link in the email template isn't good because using a hard-coded webapp and control breaks the dynamic URL website system

{code:html}
form method="post" action="${baseEcommerceSecureUrl}/partymgr/control/forgotPasswordReset?
{code}

 * I also propose, if we change the API screen in common, to use only one screen for forgotPassword in Themes.xml and analyse the context to select what to display:
{code:xml}
<screen name="forgotPassword"/>
<screen name="forgotPasswordSetUser"/>
<screen name="forgotPasswordChooseValidation"/>
<screen name="forgotPasswordReset"/>
{code}
by
{code:xml}
<screen name="forgotPassword"/>
{code}
This offers more possibility for a theme to implement it.

On the latest patch I also added the dates to custRequest.
If you agree with my previous proposals, I can implement them quickly.

> Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Trunk
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Michael Brohl
>            Priority: Major
>              Labels: security
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another user's password, including "admin", without permission.  By simply entering "admin" and clicking "Email Password", the following is displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also possible to generate a dictionary attack against OFBiz because there is no captcha code required.  This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a captcha code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
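The token-plus-timeout reset flow proposed in the comment above, as an added Python example that is not part of OFBiz or the attached patches: the class name, the in-memory store, the `PASSWORD_RESET_TIMEOUT_SECONDS` setting and the injectable clock are assumptions standing in for the CustRequest entity and security.properties. The point it demonstrates is that a reset request alone changes nothing about the account; the password only changes once a signed, unexpired, single-use token bound to both the UserLogin and the CustRequest is consumed.

```python
import hashlib
import hmac
import secrets
import time

# Assumed stand-in for a security.properties setting (constructed name):
# how long a reset request stays valid, in seconds (2 days here).
PASSWORD_RESET_TIMEOUT_SECONDS = 2 * 24 * 3600


class ResetRequests:
    """In-memory stand-in for the CustRequest records a password reset creates."""

    def __init__(self, server_key, timeout=PASSWORD_RESET_TIMEOUT_SECONDS, clock=time.time):
        self._key = server_key        # server-side secret; never sent to the user
        self._timeout = timeout       # from the (assumed) security.properties value
        self._clock = clock           # injectable for testing expiry
        self._requests = {}           # custRequestId -> [userLoginId, createdAt, consumed]

    def _sign(self, user_login_id, cust_request_id):
        # Token binds the UserLogin and the CustRequest; only the server key can produce it.
        msg = f"{user_login_id}|{cust_request_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def request_reset(self, user_login_id):
        """Creates the CustRequest and returns (custRequestId, token) for the email link.
        Nothing about the account changes here, so requesting a reset for someone
        else's login (e.g. "admin") cannot lock that user out."""
        cust_request_id = secrets.token_urlsafe(16)
        self._requests[cust_request_id] = [user_login_id, self._clock(), False]
        return cust_request_id, self._sign(user_login_id, cust_request_id)

    def consume(self, user_login_id, cust_request_id, token):
        """Validates the link before any password change: known request, matching
        user, not already used, not expired (timeout), and a valid signature."""
        rec = self._requests.get(cust_request_id)
        if rec is None or rec[0] != user_login_id or rec[2]:
            return False
        if self._clock() - rec[1] > self._timeout:
            del self._requests[cust_request_id]   # expired: cancel the custRequest
            return False
        expected = self._sign(user_login_id, cust_request_id)
        if not hmac.compare_digest(token, expected):  # constant-time comparison
            return False
        rec[2] = True   # single use: a captured link cannot be replayed
        return True
```

Only after `consume` returns True should the application change the password; `hmac.compare_digest` is used so a forged token cannot be guessed byte by byte from response timing.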