ofbiz-notifications mailing list archives

From Tobias Laufkötter (JIRA) <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password"
Date Thu, 22 Jun 2017 13:19:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16059335#comment-16059335 ]

Tobias Laufkötter commented on OFBIZ-4361:
------------------------------------------

{quote}One remaining case is when the user forgets his username/login. He will (hopefully)
always recall his email address so it would be cool if he could provide his email address.
If there is exactly one valid login associated with this email address, the process can go
on.

Else there should be some kind of message to call the administrator or something.{quote}
Instead of prompting the user to contact an administrator, a solution that would not give away
any information about the status of the given email address in the system would be to send
the request to contact an administrator by email. This way a potential hacker would have
no way of getting any information about the data in the system.

Scenario 1:
The user has forgotten their password, but remembers the username.
# Click "forgot password"
# provide username
# Message appears "An email with instructions to reclaim the account has been sent to the
email address provided by this account. If you didn't receive any email you may have used a
different email address or mistyped your username"
# If the username is valid and has an email address, an email is sent with a link to choose
a new password.

Scenario 2:
The user has forgotten their password and username, but remembers the email address.
# Click "forgot password"
# provide email address
# Message appears "An email with instructions to reclaim the account has been sent to this
email address. If you didn't receive any email you may have used a different email address
or mistyped it"
# If the email address is in the system and belongs
* to only one userlogin, an email is sent with a link to choose a new password.
* to more than one userlogin, an email is sent with instructions to contact an administrator/customer
service

> Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Trunk
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Michael Brohl
>              Labels: security
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another
user's password, including "admin", without permission.  By simply entering "admin" and clicking
"Email Password", the following is displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also possible to
generate a dictionary attack against ofbiz because there is no captcha code required.  This
is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name is optionally
in the format of an email address, and maybe require a captcha code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was generated
via an ecommerce transaction.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
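The two scenarios proposed in the comment above, worked through as an added example. This is illustrative code written for this page, not OFBiz code and not anything from the ticket: the login directory, the mail outbox, the message text and the rate limit (used here as a stand-in for the captcha the report asks for) are all constructed assumptions. The points it demonstrates are the ones that matter for the original bug: the form returns the same message whatever was typed, so neither account existence nor the number of logins behind an email address can be learned; nothing about the account changes until a random, hashed, single-use, expiring token is redeemed from the mailbox, so typing "admin" no longer forces a new password on the administrator; and repeated requests for one identifier are dropped silently.

```python
import hashlib
import secrets
import time

# Constructed sample login directory: login -> email on file (None = no email). Not real data.
USER_LOGINS = {
    "admin": "ops@example.com",
    "alice": "alice@example.com",
    "bob": "shared@example.com",     # two logins share one mailbox ...
    "carol": "shared@example.com",   # ... so a lookup by email is ambiguous
    "legacy": None,                  # login with no email address on file
}

# The only text the web form ever shows, whatever was typed.
GENERIC_MESSAGE = (
    "If an account matches what you entered, an email with instructions to reclaim it "
    "has been sent to the address on file. If you receive nothing, you may have used a "
    "different email address or mistyped the username or email."
)

TOKEN_TTL_SECONDS = 15 * 60   # reset links expire
RATE_LIMIT = 3                # requests per identifier per window (assumption; stands in
RATE_WINDOW_SECONDS = 3600    # for the captcha the report asks for)


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.outbox = []        # (recipient, kind, token_or_None); stands in for an SMTP sender
        self._tokens = {}       # sha256(token) -> (login, expiry); only the hash is stored
        self._attempts = {}     # identifier -> list of request timestamps

    def _rate_limited(self, identifier):
        now = self.clock()
        recent = [t for t in self._attempts.get(identifier, []) if now - t < RATE_WINDOW_SECONDS]
        recent.append(now)
        self._attempts[identifier] = recent
        return len(recent) > RATE_LIMIT

    def _issue_token(self, login):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (login, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def request_reset(self, identifier):
        """'Forgot password' handler. Accepts a username or an email address and always
        returns GENERIC_MESSAGE; the only thing that differs is what, if anything, is emailed."""
        identifier = identifier.strip().lower()
        if self._rate_limited(identifier):
            return GENERIC_MESSAGE          # drop silently: same response, no hint to the caller
        if "@" in identifier:
            # Scenario 2: the user remembers only the email address.
            matches = [u for u, e in USER_LOGINS.items() if e and e.lower() == identifier]
            if len(matches) == 1:
                self.outbox.append((identifier, "reset", self._issue_token(matches[0])))
            elif len(matches) > 1:
                # Ambiguous: the mailbox owner is told to contact support; the web page says nothing.
                self.outbox.append((identifier, "contact-support", None))
        else:
            # Scenario 1: the user remembers the username.
            email = USER_LOGINS.get(identifier)
            if email:
                self.outbox.append((email, "reset", self._issue_token(identifier)))
        return GENERIC_MESSAGE

    def redeem(self, token):
        """Consume the token from the emailed link. Returns the login that may now choose a
        new password, or None if the token is unknown, already used or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)   # pop makes the token single-use
        if entry is None:
            return None
        login, expiry = entry
        return login if self.clock() <= expiry else None
```

In a real deployment the outbox would be the mail sender, `redeem` would be called by the page the emailed link opens, and the password change itself would happen only for the login that `redeem` returns. Storing only the SHA-256 of the token means a leaked database copy does not yield usable reset links.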
