Return-Path: <notifications-return-9894-archive-asf-public=cust-asf.ponee.io@ofbiz.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 5C4DF200CAF
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Thu, 22 Jun 2017 13:57:04 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 5AFE5160BF1; Thu, 22 Jun 2017 11:57:04 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 9A999160BE5
	for <archive-asf-public@cust-asf.ponee.io>; Thu, 22 Jun 2017 13:57:03 +0200 (CEST)
Received: (qmail 7516 invoked by uid 500); 22 Jun 2017 11:57:02 -0000
Mailing-List: contact notifications-help@ofbiz.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:notifications-help@ofbiz.apache.org>
List-Unsubscribe: <mailto:notifications-unsubscribe@ofbiz.apache.org>
List-Post: <mailto:notifications@ofbiz.apache.org>
List-Id: <notifications.ofbiz.apache.org>
Reply-To: dev@ofbiz.apache.org
Delivered-To: mailing list notifications@ofbiz.apache.org
Received: (qmail 7507 invoked by uid 99); 22 Jun 2017 11:57:02 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 22 Jun 2017 11:57:02 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 283E21927EF
	for <notifications@ofbiz.apache.org>; Thu, 22 Jun 2017 11:57:02 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -99.202
X-Spam-Level: 
X-Spam-Status: No, score=-99.202 tagged_above=-999 required=6.31
	tests=[KAM_ASCII_DIVIDERS=0.8, RP_MATCHES_RCVD=-0.001,
	SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=disabled
Received: from mx1-lw-us.apache.org ([10.40.0.8])
	by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024)
	with ESMTP id TXrLVVRiy63k for <notifications@ofbiz.apache.org>;
	Thu, 22 Jun 2017 11:57:01 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id F33395FC99
	for <notifications@ofbiz.apache.org>; Thu, 22 Jun 2017 11:57:00 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 790BCE0A64
	for <notifications@ofbiz.apache.org>; Thu, 22 Jun 2017 11:57:00 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 0FC3021941
	for <notifications@ofbiz.apache.org>; Thu, 22 Jun 2017 11:57:00 +0000 (UTC)
Date: Thu, 22 Jun 2017 11:57:00 +0000 (UTC)
From: "Jacques Le Roux (JIRA)" <jira@apache.org>
To: notifications@ofbiz.apache.org
Message-ID: <JIRA.12517989.1312511360000.80027.1498132620063@Atlassian.JIRA>
In-Reply-To: <JIRA.12517989.1312511360000@Atlassian.JIRA>
References: <JIRA.12517989.1312511360000@Atlassian.JIRA> <JIRA.12517989.1312511360150@jira-lw-us.apache.org>
Subject: [jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability
 to reset anothers password (including admin) via "Forget Your Password"
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Thu, 22 Jun 2017 11:57:04 -0000


    [ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16059235#comment-16059235 ] 

Jacques Le Roux commented on OFBIZ-4361:
----------------------------------------

+1 for sending an email with a link to verify
-1 to check emails for reasons Tobias rightly explained (security)

> Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Trunk
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Michael Brohl
>              Labels: security
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another users password, including "admin" without permission.  By simply entering "admin" and clicking "Email Password", the following is displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also possible to generate a dictionary attack against ofbiz because there is no capta code required.  This is serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a capta code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)