Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password"
----------------------------------------------------------------------------------------------------------

Key: OFBIZ-4361
URL: https://issues.apache.org/jira/browse/OFBIZ-4361
Project: OFBiz
Issue Type: Bug
Components: framework
Affects Versions: Release Branch 11.04, SVN trunk
Environment: Ubuntu and others
Reporter: mz4wheeler
Priority: Critical

Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another user's password, including "admin", without permission. By simply entering "admin" and clicking "Email Password", the following is displayed:

    The following occurred:
    A new password has been created and sent to you. Please check your Email.

This now forces the user of the ERP to change their password. It is also possible to generate a dictionary attack against OFBiz because there is no captcha code required. This is a serious security risk.

This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a captcha code to prevent dictionary attacks. For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.

-- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13079784#comment-13079784 ]
Deepak Dixit commented on OFBIZ-4361:
-------------------------------------

We can also ask for the email address for forgot password; only if the email address matches do we send the new password to the user.
In reply to this post by Nicolas Malin (Jira)
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13079787#comment-13079787 ]
Sam Hamilton commented on OFBIZ-4361:
-------------------------------------

I would suggest that the forgot password emails the user a one-time URL to verify that they want to change their password, and only after the link has been clicked are you able to change the password. I wouldn't have it email a password but rather give the user the option to set their own on the server. It's slightly more secure, as email is not encrypted and the password could be intercepted, and the new password page could be forced to go over SSL.

I would prefer to keep the forgot password form as simple as possible, so either ask for their username or their password but not both. I think that most people using the ecommerce app probably set their users' username to their email address anyway.
In reply to this post by Nicolas Malin (Jira)
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13080073#comment-13080073 ]
BJ Freeman commented on OFBIZ-4361:
-----------------------------------

As was addressed in the email thread on the user mailing list, forget password resets the password if passwords are set to be encrypted, so if someone maliciously puts in a forget password the user is blocked till they find the email and complete the process.

Captcha was suggested (http://svn.apache.org/viewvc?view=revision&revision=735965) and could be implemented, but won't stop a person.

So if I understand Sam: the actual change password should happen on the server. Then the email should have an https: URL to the server with a unique key to identify the user. The key is good till the user activates it or it times out. This way no password is affected till the user goes to the URL.
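The flow sketched in the two comments above (a one-time link carrying a unique key, the new password chosen on the server over HTTPS, the key valid until it is used or times out, and the existing password untouched until then) as an added Python example. This is not OFBiz code and not part of the thread; it is a stand-alone illustration. It also takes up the enumeration and dictionary-attack concerns in a different form than the captcha discussed: the form's reply is identical whether or not the login exists, and a per-login request throttle is assumed. The token lifetime, throttle limits, PBKDF2 parameters and the in-memory stores are all assumptions made for the example; the token is returned to the caller instead of being emailed so the exchange can be run offline.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed policy values for this example (not OFBiz settings):
# how long a reset link lives, and how many requests per login per window.
TOKEN_TTL_SECONDS = 15 * 60
MAX_REQUESTS_PER_WINDOW = 3
WINDOW_SECONDS = 60 * 60


def hash_password(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the stored credential is never the plain password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(stored: Tuple[bytes, bytes], password: str) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return secrets.compare_digest(candidate, digest)


def _token_hash(token: str) -> bytes:
    # Only the hash of the key is kept server-side, so a leaked table of
    # pending resets does not contain usable links.
    return hashlib.sha256(token.encode()).digest()


@dataclass
class ResetRecord:
    login: str
    expires_at: float
    used: bool = False


@dataclass
class ResetService:
    users: Dict[str, Tuple[bytes, bytes]]         # login -> (salt, pbkdf2 digest)
    now: Callable[[], float] = time.time          # injectable clock for tests
    _pending: Dict[bytes, ResetRecord] = field(default_factory=dict)
    _requests: Dict[str, List[float]] = field(default_factory=dict)

    GENERIC_REPLY = "If an account exists for that login, a reset link has been emailed."

    def request_reset(self, login: str) -> Tuple[str, Optional[str]]:
        """Step 1: the form asks only for the login name.

        The reply text is the same for unknown, throttled and real logins, so
        the form cannot be used to confirm which accounts exist. Nothing about
        the account changes here: the current password keeps working until the
        link is actually used. A real deployment emails the token inside an
        https URL; it is returned here so the flow can be exercised offline.
        """
        cutoff = self.now() - WINDOW_SECONDS
        recent = [t for t in self._requests.get(login, []) if t > cutoff]
        self._requests[login] = recent
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            return self.GENERIC_REPLY, None           # throttled, same reply
        recent.append(self.now())
        if login not in self.users:
            return self.GENERIC_REPLY, None           # unknown login, same reply
        token = secrets.token_urlsafe(32)             # 256 bits of randomness
        self._pending[_token_hash(token)] = ResetRecord(
            login, self.now() + TOKEN_TTL_SECONDS)
        return self.GENERIC_REPLY, token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 2: the user follows the link and sets a password on the server."""
        record = self._pending.get(_token_hash(token))
        if record is None or record.used or self.now() > record.expires_at:
            return False                              # unknown, reused or expired key
        record.used = True                            # one-time: the key dies with its first use
        self.users[record.login] = hash_password(new_password)
        return True


if __name__ == "__main__":
    # Constructed sample account; in a deployment the store would be the user table.
    service = ResetService(users={"admin": hash_password("old-secret")})
    reply, token = service.request_reset("admin")
    print(reply)
    print("reset accepted:", service.complete_reset(token, "new-secret"))
    print("old password still valid:", verify_password(service.users["admin"], "old-secret"))
```

The two properties the thread asks for are visible in the return values: `request_reset` leaves the stored credential unchanged, and `complete_reset` refuses any key it has not issued, any key already used once, and any key past its lifetime.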
In reply to this post by Nicolas Malin (Jira)
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13080082#comment-13080082 ]
BJ Freeman commented on OFBIZ-4361:
-----------------------------------

As some history: I have five instances of OFBiz running, including one demo. I have yet, in 4 years, to have this happen.