[
https://issues.apache.org/jira/browse/OFBIZ-2729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12843994#action_12843994
]
Jacques Le Roux commented on OFBIZ-2729:
----------------------------------------
I think Michele and Si are right on this. It's as simple as "More security is
better than less".
Michele did good work explaining this
[here|http://antisnatchor.com/2009/07/19/about-logical-security-flaws]
On the other hand, too bad no code was provided to OFBiz; is there anything
blocking Michele?
> special security should be required for setting passwords
> ----------------------------------------------------------
>
> Key: OFBIZ-2729
> URL: https://issues.apache.org/jira/browse/OFBIZ-2729
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Release Branch 4.0, Release Branch 9.04, SVN trunk
> Reporter: Si Chen
>
> This issue was first brought up here:
> https://sourceforge.net/forum/message.php?msg_id=7496877
> Basically, any user with PARTYMGR_CREATE/UPDATE permissions can set the
> password of another user. This creates an opportunity for malfeasance. For
> example, a customer service rep could set the password of the admin user.
> A simple solution would be to create a new security permission
> PARTYMGR_PASSWD and require that permission for setting or changing
> password of a different user, instead of using PARTYMGR_UPDATE.
> PARTYMGR_PASSWD could then be associated with the administrative user.
> An alternative is to use the SECURITY_UPDATE permission instead of
> PARTYMGR_UPDATE or a new PARTYMGR_PASSWD permission.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
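The permission split proposed in the quoted issue, modelled as an added example (not OFBiz code, and not the patch Michele or Si wrote; it sits here below the JIRA mail for illustration). It models the decision in plain Python rather than in OFBiz's Java/minilang service layer. The permission names PARTYMGR_UPDATE, PARTYMGR_PASSWD and SECURITY_UPDATE come from the issue text; UserLogin, AuthzError, Policy, update_password() and the CSR-versus-admin sample users are constructed here. The point it shows is the one the issue makes: under the reported behaviour a customer-service rep holding PARTYMGR_UPDATE can reset the admin password, while requiring a dedicated permission (or SECURITY_UPDATE) for any change to another user's password closes that path without touching self-service changes.

```python
"""Model of the authorization change proposed in OFBIZ-2729.

Added example, not OFBiz code. Permission names PARTYMGR_UPDATE,
PARTYMGR_PASSWD and SECURITY_UPDATE come from the issue; UserLogin,
AuthzError, Policy, update_password() and the sample users are
constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Policy(Enum):
    """Which permission lets an actor set ANOTHER user's password."""
    PARTYMGR_UPDATE = "PARTYMGR_UPDATE"  # behaviour the issue reports
    PARTYMGR_PASSWD = "PARTYMGR_PASSWD"  # dedicated permission proposed in the issue
    SECURITY_UPDATE = "SECURITY_UPDATE"  # alternative named in the issue


class AuthzError(Exception):
    """Raised when the caller is not allowed to perform the password change."""


def _hash(password: str, salt: bytes) -> bytes:
    # Low iteration count keeps the example quick; raise it in real use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class UserLogin:
    user_login_id: str
    permissions: set
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    password_hash: bytes = b""

    def set_password(self, password: str) -> None:
        self.password_hash = _hash(password, self.salt)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, _hash(password, self.salt))


def update_password(actor: UserLogin, target: UserLogin, new_password: str,
                    policy: Policy, current_password: Optional[str] = None) -> bool:
    """Service-style entry point; returns True on success, raises AuthzError otherwise."""
    if actor.user_login_id == target.user_login_id:
        # Self-service change: no admin permission, but the caller must
        # prove knowledge of the current password.
        if current_password is None or not actor.check_password(current_password):
            raise AuthzError("current password required to change your own password")
    elif policy.value not in actor.permissions:
        # Cross-user change: the policy decides which permission is sufficient.
        raise AuthzError(f"{policy.value} required to set another user's password")
    target.set_password(new_password)
    return True


def cross_user_outcome(actor_perms: set, policy: Policy) -> str:
    """Constructed scenario from the issue: an actor tries to reset the admin password."""
    admin = UserLogin("admin", {"PARTYMGR_UPDATE", "PARTYMGR_PASSWD", "SECURITY_UPDATE"})
    admin.set_password("admin-original")
    actor = UserLogin("csr", set(actor_perms))
    try:
        update_password(actor, admin, "attacker-chosen", policy)
    except AuthzError:
        return "denied"
    return "allowed" if admin.check_password("attacker-chosen") else "denied"


def outcomes_for_csr() -> dict:
    """A customer-service rep holding PARTYMGR_CREATE/UPDATE, under each policy."""
    csr_perms = {"PARTYMGR_CREATE", "PARTYMGR_UPDATE"}
    return {p.value: cross_user_outcome(csr_perms, p) for p in Policy}


if __name__ == "__main__":
    for name, result in outcomes_for_csr().items():
        print(f"{name:16s} -> CSR resetting the admin password: {result}")
```

Running it prints "allowed" only for the PARTYMGR_UPDATE policy; under either of the two alternatives the CSR is refused, while an account that actually holds PARTYMGR_PASSWD (or SECURITY_UPDATE) can still reset other users' passwords and every user can still change their own by supplying the current one.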