From: "Nicolas Malin (Jira)"
To: notifications@ofbiz.apache.org
Reply-To: dev@ofbiz.apache.org
Date: Fri, 23 Aug 2019 12:22:00 +0000 (UTC)
Subject: [jira] [Updated] (OFBIZ-4361) Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password"

[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nicolas Malin updated OFBIZ-4361:
---------------------------------
    Attachment: OFBIZ-4361_Token-Password-Registration.patch

> Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Release Branch 13.07, Release Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release Branch 17.12
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: security
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another user's password, including "admin", without permission. By simply entering "admin" and clicking "Email Password", the following is displayed.
>
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
>
> This now forces the user of the ERP to change their password. It is also possible to generate a dictionary attack against ofbiz because there is no captcha code required. This is a serious security risk.
>
> This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a captcha code to prevent dictionary attacks.
>
> For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
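The flow the report describes (any visitor names a login and that account's password is replaced on the spot) next to a token-based reset that leaves the password untouched until the mailed, single-use, time-limited token is presented. This is an added example written for this page in plain Python, not OFBiz code or the attached patch; the user store, outbox and function names are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for the user store and the mail transport.
USERS = {"admin": {"email": "admin@example.invalid", "pw_hash": None},
         "customer1": {"email": "c1@example.invalid", "pw_hash": None}}
OUTBOX = []          # (recipient, message) pairs instead of real e-mail
RESET_TOKENS = {}    # username -> {"hash": ..., "expires": ...}
TOKEN_TTL = 15 * 60  # seconds a reset token stays valid

def hash_password(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()  # stand-in, not a real password KDF

def insecure_reset(username: str) -> bool:
    """The reported behaviour: naming a login is enough to replace its password
    and mail the new one out. No proof of account ownership is required."""
    user = USERS.get(username)
    if user is None:
        return False
    new_pw = secrets.token_urlsafe(8)
    user["pw_hash"] = hash_password(new_pw)   # the victim is locked out immediately
    OUTBOX.append((user["email"], f"Your new password is {new_pw}"))
    return True

def request_reset(username: str, now: float = None) -> None:
    """Hardened first step: the password is left as it is; a random token is
    stored hashed with an expiry and sent only to the address already on file."""
    user = USERS.get(username)
    if user is not None:           # same (empty) response either way: no enumeration
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[username] = {"hash": hashlib.sha256(token.encode()).hexdigest(),
                                  "expires": (now or time.time()) + TOKEN_TTL}
        OUTBOX.append((user["email"], f"Reset token: {token}"))

def complete_reset(username: str, token: str, new_pw: str, now: float = None) -> bool:
    """Second step: only the holder of the mailed token may set a new password,
    once, and only before the token expires."""
    rec = RESET_TOKENS.get(username)
    if rec is None or (now or time.time()) > rec["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(rec["hash"], presented):   # constant-time compare
        return False
    del RESET_TOKENS[username]     # single use
    USERS[username]["pw_hash"] = hash_password(new_pw)
    return True
```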