ofbiz-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jacques Le Roux (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
Date Tue, 27 Aug 2019 12:18:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16916658#comment-16916658
] 

Jacques Le Roux commented on OFBIZ-4361:
----------------------------------------

About concerns found in this issue:

In description
{quote}
The following occurred:
A new password has been created and sent to you. Please check your Email.
This now forces the user of the ERP to change their password. 
{quote}
With this patch, nobody is forced to do anything. People just need to ignore the email. So
I think we should add a note for users, like:{color:#DE350B} "Please ignore this email if
you did not request a password change". To be added to with "This link can be used only once"
{color}
{quote}
It is also possible to generate a dictionary attack against ofbiz because there is no capta
code required. This is serious security risk.
This feature could be reduced to a certain sub-set of users, whose login name is optionally
in the format of an email address, and maybe require a captcha code to prevent dictionary
attacks.
For example, limit the feature to role "Customer" of type "Person" which was generated via
an ecommerce transaction.
{quote}
I'm not sure it's a real security issue, you can always do that against any login page. But
this is an interesting point. I don't think it has been implemented with current patch.

> Any ecommerce user has the ability to reset anothers password (including admin) via "Forget
Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 11.04, Release Branch 13.07, Release Branch 14.12,
Trunk, Release Branch 15.12, Release Branch 16.11, Release Branch 17.12
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: security
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, OFBIZ-4361_ReworkPasswordLogic.patch,
OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another
users password, including "admin" without permission.  By simply entering "admin" and clicking
"Email Password", the following is displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also possible to
generate a dictionary attack against ofbiz because there is no capta code required.  This
is serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name is optionally
in the format of an email address, and maybe require a capta code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was generated
via an ecommerce transaction.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

Mime
View raw message