You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Benjamin Jugl (JIRA)" <ji...@apache.org> on 2018/04/09 10:30:00 UTC
[jira] [Comment Edited] (OFBIZ-4361) Any ecommerce user has the
ability to reset anothers password (including admin) via "Forget Your
Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16430349#comment-16430349 ]
Benjamin Jugl edited comment on OFBIZ-4361 at 4/9/18 10:29 AM:
---------------------------------------------------------------
I just reviewed the patch and did some changes myself. I like the approach, but I think that we might consider using hashed tokens in place of the customerRequests, because the plain text URL might really be a security issue. (If you knew a username, you could generate a custRequest by sending the email and than have a script run through all custRequestIds...)
I renamed the requests as I found it really hard to read all the different "steps" of the process. And I changed the Error Messages. The programm will no longer give hints about valid or invalid usernames, as it was discussed in this issue.
was (Author: bjugl):
I just reviewed the patch and did some changes myself. I like the approach, but I think that we might consider creating tokens in place of the customerRequests, because the plain text URL might really be a security issue. (If you knew a username, you could generate a custRequest by sending the email and than have a script run through all custRequestIds...)
I renamed the requests as I found it really hard to read all the different "steps" of the process. And I changed the Error Messages. The programm will no longer give hints about valid or invalid usernames, as it was discussed in this issue.
> Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Release Branch 11.04, Trunk
> Environment: Ubuntu and others
> Reporter: mz4wheeler
> Assignee: Michael Brohl
> Priority: Major
> Labels: security
> Attachments: OFBIZ-4361.patch, OFBIZ-4361_ReworkPasswordLogic.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another users password, including "admin" without permission. By simply entering "admin" and clicking "Email Password", the following is displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password. It is also possible to generate a dictionary attack against ofbiz because there is no capta code required. This is serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a capta code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)