ofbiz-notifications mailing list archives

From "Benjamin Jugl (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (OFBIZ-4361) Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password"
Date Mon, 09 Apr 2018 10:30:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16430349#comment-16430349 ]

Benjamin Jugl edited comment on OFBIZ-4361 at 4/9/18 10:29 AM:
---------------------------------------------------------------

I just reviewed the patch and did some changes myself. I like the approach, but I think that
we might consider using hashed tokens in place of the customerRequests, because the plain
text URL might really be a security issue. (If you knew a username, you could generate a custRequest
by sending the email and then have a script run through all custRequestIds...)

I renamed the requests as I found it really hard to read all the different "steps" of the
process. And I changed the error messages. The program will no longer give hints about valid
or invalid usernames, as was discussed in this issue.


was (Author: bjugl):
I just reviewed the patch and did some changes myself. I like the approach, but I think that
we might consider creating tokens in place of the customerRequests, because the plain text
URL might really be a security issue. (If you knew a username, you could generate a custRequest
by sending the email and then have a script run through all custRequestIds...)

I renamed the requests as I found it really hard to read all the different "steps" of the
process. And I changed the error messages. The program will no longer give hints about valid
or invalid usernames, as was discussed in this issue.

> Any ecommerce user has the ability to reset another's password (including admin) via "Forget
Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Trunk
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Michael Brohl
>            Priority: Major
>              Labels: security
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_ReworkPasswordLogic.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another
user's password, including "admin", without permission.  By simply entering "admin" and clicking
"Email Password", the following is displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also possible to
generate a dictionary attack against ofbiz because there is no captcha code required.  This
is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name is optionally
in the format of an email address, and maybe require a captcha code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was generated
via an ecommerce transaction.
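The hashed-token design proposed in the comment above, as an added example that is neither OFBiz code nor part of this thread. It assumes a hypothetical in-memory user store and mailer; the service stores only the SHA-256 hash of a random token (so a sequential custRequestId can no longer be walked), makes each token single-use and time-limited, and returns the same reply for known and unknown logins so the form gives no hint about valid usernames.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60
# Same reply for known and unknown logins, so the form cannot be used to probe usernames.
GENERIC_REPLY = "If an account matches, a reset link has been sent to its email address."


def _token_hash(token: str) -> str:
    # Only the hash is stored; a leaked table of pending requests yields no usable links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class PasswordResetService:
    def __init__(self, users, send_email, now=time.time):
        self._users = users            # hypothetical store: {userLoginId: email}
        self._send_email = send_email  # hypothetical mailer: send_email(address, token)
        self._pending = {}             # token hash -> (userLoginId, expiry timestamp)
        self._now = now                # injectable clock so expiry can be exercised
        self.completed = []            # userLoginIds whose reset finished (demo bookkeeping)

    def request_reset(self, user_login_id: str) -> str:
        email = self._users.get(user_login_id)
        if email is not None:
            # 256 random bits instead of a sequential custRequestId: not enumerable.
            token = secrets.token_urlsafe(32)
            expiry = self._now() + TOKEN_TTL_SECONDS
            self._pending[_token_hash(token)] = (user_login_id, expiry)
            self._send_email(email, token)  # the token travels only in the email
        return GENERIC_REPLY  # identical whether or not the login exists

    def complete_reset(self, token: str, new_password: str) -> bool:
        # pop() makes every presented token single-use; unknown hashes simply miss.
        entry = self._pending.pop(_token_hash(token), None)
        if entry is None:
            return False
        user_login_id, expiry = entry
        if self._now() > expiry:
            return False  # stale link: the user must request a fresh one
        # Real code would now set the new password through the account store.
        self.completed.append(user_login_id)
        return True
```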



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
