[
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13080073#comment-13080073
]
BJ Freeman commented on OFBIZ-4361:
-----------------------------------
As was addressed in the email thread on the user mailing list, Forget Password
resets the password if passwords are set to be encrypted,
so if someone maliciously puts in a Forget Password request the user is blocked till
they find the email and complete the process.
Captcha was suggested
http://svn.apache.org/viewvc?view=revision&revision=735965
It could be implemented but won't stop a person.
So if I understand Sam, the actual change of password should happen on the server.
Then the email should have an https: URL to the server with a unique key to identify
the user.
The key is good till the user activates it or it times out.
This way no password is affected till the user goes to the URL.
> Any ecommerce user has the ability to reset another's password (including
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Release Branch 11.04, SVN trunk
> Environment: Ubuntu and others
> Reporter: mz4wheeler
> Priority: Critical
> Labels: security
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to
> reset another user's password, including "admin", without permission. By
> simply entering "admin" and clicking "Email Password", the following is
> displayed:
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password. It is also
> possible to generate a dictionary attack against OFBiz because there is no
> captcha code required. This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name
> is optionally in the format of an email address, and maybe require a captcha
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was
> generated via an ecommerce transaction.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
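The two flows under discussion, side by side, as an added example that is not part of the JIRA thread and not OFBiz code: `email_password_vulnerable` models the reported behaviour (the stored password is overwritten the moment anyone submits a username), while `request_password_reset` / `complete_password_reset` model the design Sam and BJ describe: the server mails an https URL carrying a random, single-use, expiring key, and nothing about the account changes until the holder of that key comes back. The user store, the password hashing, the reset URL and the one-hour lifetime are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed in-memory user store for the example (not OFBiz's UserLogin entity).
# Salted SHA-256 stands in for whatever the real application uses to store passwords.
def hash_password(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

@dataclass
class User:
    username: str
    salt: str
    password_hash: str

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, hash_password(password, self.salt))

    def set_password(self, password: str) -> None:
        self.salt = secrets.token_hex(8)
        self.password_hash = hash_password(password, self.salt)

def make_user(username: str, password: str) -> User:
    u = User(username, "", "")
    u.set_password(password)
    return u

USERS = {"admin": make_user("admin", "correct horse"),
         "alice": make_user("alice", "hunter2")}

# --- The reported behaviour: "Email Password" overwrites the password immediately. ---
def email_password_vulnerable(username: str):
    """Anyone who knows a login name can lock its owner out until they read the mail."""
    user = USERS.get(username)
    if user is None:
        return None
    new_password = secrets.token_urlsafe(8)
    user.set_password(new_password)      # victim's old password stops working right here
    return new_password                  # this value is what would be mailed out

# --- Token-based flow: nothing changes until the key in the mailed URL is used. ---
TOKEN_TTL_SECONDS = 3600                                    # assumed one-hour lifetime
BASE_URL = "https://shop.example/control/resetPassword"     # assumed reset endpoint

@dataclass
class ResetRequest:
    username: str
    expires_at: float

PENDING = {}   # sha256(token) -> ResetRequest; only the hash is stored server-side

def request_password_reset(username: str, now: float = None):
    """Return the https URL to mail, or None if the user is unknown.
    The caller shows the same generic message in both cases so the form
    cannot be used to enumerate login names. The password is not touched."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)                       # 256 bits, unguessable
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    PENDING[token_hash] = ResetRequest(username, now + TOKEN_TTL_SECONDS)
    return f"{BASE_URL}?key={token}"

def complete_password_reset(token: str, new_password: str, now: float = None) -> bool:
    """Consume the key from the mailed URL and set the new password.
    Fails if the key is unknown, already used, or expired."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    req = PENDING.pop(token_hash, None)                     # pop makes the key single-use
    if req is None or now > req.expires_at:
        return False
    USERS[req.username].set_password(new_password)
    return True

def parse_key_from_url(url: str) -> str:
    """What the reset page does with the URL the user clicked in the mail."""
    return parse_qs(urlparse(url).query)["key"][0]
```

A captcha or per-username rate limit can sit in front of `request_password_reset` to slow dictionary attacks, but as the comment notes it is the deferred change, not the captcha, that stops a stranger from locking `admin` out: repeated requests only create more pending keys, and the existing password keeps working until the real account holder completes the flow.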