OFBiz OFBiz - Notifications

[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Nicolas Malin (Jira)
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16734336#comment-16734336 ]

Nicolas Malin commented on OFBIZ-4361:
--------------------------------------

Hello,

With all your remarks we started with Gil a merge/refactoring/breakinghead work.

Own think is oriented on :
 * KIS : Keep It Simple
 * have only one mail remind process (replace oldest)
 * try to use JWT

We create a branch on [own community workspace|https://labs.nereide.fr/10031/Communautaire/tree/51-implements-a-proper-way-to-reset-password-for-a-ofbiz-user-ofbiz-4361] if you want follow, where I currently commit by force a part on my patch and Denis's patch

With JWT we currentlty exchange on the possibility to extend the service engine to authorize a JWT token when on service definition we have a *auth="true"* that will be permit to less down the code modification and increase OFBiz capacity to offer some access on spotted service for spotted user ... thinking in process ...

> Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Release Branch 13.07, Release Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release Branch 17.12
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: security
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another users password, including "admin" without permission.  By simply entering "admin" and clicking "Email Password", the following is displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also possible to generate a dictionary attack against ofbiz because there is no capta code required.  This is serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a capta code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Free forum by Nabble Edit this page