From notifications-return-17515-archive-asf-public=cust-asf.ponee.io@ofbiz.apache.org Mon Apr 9 12:26:09 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 80025180645 for ; Mon, 9 Apr 2018 12:26:08 +0200 (CEST) Received: (qmail 31400 invoked by uid 500); 9 Apr 2018 10:26:07 -0000 Mailing-List: contact notifications-help@ofbiz.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ofbiz.apache.org Delivered-To: mailing list notifications@ofbiz.apache.org Received: (qmail 31386 invoked by uid 99); 9 Apr 2018 10:26:07 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 09 Apr 2018 10:26:07 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 192ACC1B1F for ; Mon, 9 Apr 2018 10:26:06 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -109.501 X-Spam-Level: X-Spam-Status: No, score=-109.501 tagged_above=-999 required=6.31 tests=[ENV_AND_HDR_SPF_MATCH=-0.5, KAM_ASCII_DIVIDERS=0.8, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id mrEIPJu7g_Lb for ; Mon, 9 Apr 2018 10:26:06 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id A5F0960F5E for ; Mon, 9 Apr 2018 10:26:04 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 3CC41E0B6D for ; Mon, 9 Apr 2018 10:26:03 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 1E70A24372 for ; Mon, 9 Apr 2018 10:26:01 +0000 (UTC) Date: Mon, 9 Apr 2018 10:26:01 +0000 (UTC) From: "Benjamin Jugl (JIRA)" To: notifications@ofbiz.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password" MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16430349#comment-16430349 ] Benjamin Jugl commented on OFBIZ-4361: -------------------------------------- I just reviewed the patch and did some changes myself. I like the approach, but I think that we might consider creating tokens in place of the customerRequests, because the plain text URL might really be a security issue. (If you knew a username, you could generate a custRequest by sending the email and than have a script run through all custRequestIds...) I renamed the requests as I found it really hard to read all the different "steps" of the process. And I changed the Error Messages. The programm will no longer give hints about valid or invalid usernames, as it was discussed in this issue. > Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password" > ---------------------------------------------------------------------------------------------------------- > > Key: OFBIZ-4361 > URL: https://issues.apache.org/jira/browse/OFBIZ-4361 > Project: OFBiz > Issue Type: Bug > Components: framework > Affects Versions: Release Branch 11.04, Trunk > Environment: Ubuntu and others > Reporter: mz4wheeler > Assignee: Michael Brohl > Priority: Major > Labels: security > Attachments: OFBIZ-4361.patch, OFBIZ-4361_ReworkPasswordLogic.patch > > > Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another users password, including "admin" without permission. By simply entering "admin" and clicking "Email Password", the following is displayed. > The following occurred: > A new password has been created and sent to you. Please check your Email. > This now forces the user of the ERP to change their password. It is also possible to generate a dictionary attack against ofbiz because there is no capta code required. This is serious security risk. > This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a capta code to prevent dictionary attacks. > For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction. -- This message was sent by Atlassian JIRA (v7.6.3#76005)