You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@ofbiz.apache.org by "Deepak Dixit (JIRA)" <ji...@apache.org> on 2017/09/06 10:39:00 UTC

[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

    [ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16155171#comment-16155171 ] 

Deepak Dixit commented on OFBIZ-4361:
-------------------------------------

_Why not keep it simple and store this information on the user login, just like the other informations like requirePasswordChange, disabledDateTime etc.?_

I think if we add generic entity like Token then it will be useful for other purposes as well,  as [~tlaufkoetter] suggested. 
Like  order view  on e-commerce end for anonymous user and many for other scenario. 


> Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Trunk
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Michael Brohl
>              Labels: security
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another users password, including "admin" without permission.  By simply entering "admin" and clicking "Email Password", the following is displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also possible to generate a dictionary attack against ofbiz because there is no capta code required.  This is serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a capta code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)