ofbiz-notifications mailing list archives

From "Gaudin Pierre (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
Date Tue, 13 Mar 2018 20:34:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16397610#comment-16397610 ]

Gaudin Pierre commented on OFBIZ-4361:
--------------------------------------

I have just added a patch allowing the password to be changed by adding an additional stage.

Here is the modification of the workflow:
  1 - Request for a lost password (by the user)
  2 - Recording of a lost-password request associated with the login (by the system)
  3 - Sending of an e-mail to confirm the password change request, with a link containing the reference of the password change request (by the system)
  4 - Connection of the user to the password change form and entry of a new password (by the user)
  5 - Check that the login and the request are associated
  6 - Recording of the new password (by the system)

> Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Trunk
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Michael Brohl
>            Priority: Major
>              Labels: security
>         Attachments: OFBIZ-4361.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another user's password, including "admin", without permission.  By simply entering "admin" and clicking "Email Password", the following is displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also possible to generate a dictionary attack against ofbiz because there is no captcha code required.  This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a captcha code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
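The six-stage workflow in the comment above, written out as an added example. This is not OFBiz code and not the patch attached to the issue; it is a small Python model against a constructed in-memory store, so the class and function names, the 15-minute token lifetime and the link format are assumptions. The one-stage flow the issue reports is included first, for contrast, so the difference between "knowing a login" and "holding the e-mailed request reference" is visible in the checks.

```python
import hashlib
import secrets
import time

# Assumed lifetime of a reset link; the real patch's value is not shown on this page.
TOKEN_TTL_SECONDS = 15 * 60


class PasswordStore:
    """Constructed in-memory stand-in for the user table, the reset-request
    table and the outgoing mail queue."""

    def __init__(self, users):
        self.passwords = dict(users)  # login -> current password
        self.reset_requests = {}      # sha256(token) -> (login, expires_at)
        self.sent_mail = []           # (login, body) handed to the "mailer"


def _token_ref(token):
    # Only the hash of the token is stored, so reading the request table
    # does not yield a usable reset link.
    return hashlib.sha256(token.encode()).hexdigest()


# The one-stage flow the issue reports: knowing a login is enough.
def insecure_forgot_password(store, login):
    if login not in store.passwords:
        return False
    new_pw = secrets.token_urlsafe(8)
    store.passwords[login] = new_pw  # victim's password overwritten by anyone
    store.sent_mail.append((login, f"Your new password is {new_pw}"))
    return True


# Stages 1-3: the user asks, the system records a request bound to the
# login and e-mails a link carrying the request reference. Nothing about
# the account changes yet.
def request_password_reset(store, login, now=None):
    now = time.time() if now is None else now
    if login not in store.passwords:
        # The UI must show the same "check your e-mail" message either way;
        # None is returned only so a caller (or test) can see nothing was recorded.
        return None
    token = secrets.token_urlsafe(32)
    store.reset_requests[_token_ref(token)] = (login, now + TOKEN_TTL_SECONDS)
    link = f"https://shop.example/resetPassword?login={login}&token={token}"
    store.sent_mail.append((login, link))
    return token  # a real flow only puts this in the e-mail


# Stages 4-6: the user follows the link and submits a new password; the
# system checks that the request exists, is unexpired and belongs to this
# login, then records the password and discards the request.
def complete_password_reset(store, login, token, new_password, now=None):
    now = time.time() if now is None else now
    ref = _token_ref(token)
    entry = store.reset_requests.get(ref)
    if entry is None:
        return False
    req_login, expires_at = entry
    if now > expires_at:
        del store.reset_requests[ref]  # stale request is useless, drop it
        return False
    if req_login != login:
        return False  # stage 5: a valid token for user A cannot reset user B
    del store.reset_requests[ref]  # one-shot: a replayed link fails
    store.passwords[login] = new_password
    return True


if __name__ == "__main__":
    users = {"admin": "s3cret", "customer1": "hunter2"}  # constructed sample users
    weak = PasswordStore(users)
    insecure_forgot_password(weak, "admin")
    print("one-stage flow: admin password changed by a stranger:",
          weak.passwords["admin"] != "s3cret")
    strong = PasswordStore(users)
    tok = request_password_reset(strong, "customer1")
    print("two-stage flow: admin reset with customer1's link:",
          complete_password_reset(strong, "admin", tok, "pwned"))
    print("two-stage flow: customer1 reset with own link:",
          complete_password_reset(strong, "customer1", tok, "newpw"))
```

The request reference is bound to the login on the server side, so the stage 5 check cannot be satisfied by pasting another user's token into the form, and the stored request is consumed on first use. The captcha or per-login rate limit the reporter asks for is a separate control on stage 1 and is not modelled here.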
