[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16059053#comment-16059053 ]

Michael Brohl commented on OFBIZ-4361:
--------------------------------------

The downsides of a security question are:
* the user must have set a question
* the user can forget the answer to the question too
* it's vulnerable if someone can guess the answer

I would prefer an easy and common way to reset the password:
# user clicks "reset password" (or "forgot password")
# user provides his email address
# OFBiz generates a hashed link for the password reset and sends an email to the provided address. This ensures that the right assignee can reset the password. The hash can be stored in the user login and will expire.
# the user either ignores the mail (nothing happens) or clicks the link and gets a two-field form to set and confirm his new password.

What do you think?

> Any ecommerce user has the ability to reset another's password (including 
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Trunk
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>              Labels: security
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another user's password, including "admin", without permission. By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed:
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password. It is also 
> possible to generate a dictionary attack against OFBiz because there is no 
> captcha code required. This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name 
> is optionally in the format of an email address, and maybe require a captcha 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was 
> generated via an ecommerce transaction.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
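The token-based reset flow sketched in the comment above (steps 2 to 4), as an added Python example that is neither OFBiz code nor the commenter's own: UserLogin, USERS, BY_EMAIL, hash_password, request_reset, complete_reset and TOKEN_TTL_SECONDS are constructed names, and an in-memory dict stands in for the database. Unlike the reported "Email Password" behaviour, requesting a reset changes nothing until the mailed link is actually used, and the store only ever holds a hash of the token.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional
TOKEN_TTL_SECONDS = 15 * 60  # hypothetical lifetime of a reset link

@dataclass
class UserLogin:  # constructed stand-in for a user login record, not OFBiz's entity
    email: str
    password_hash: str
    reset_token_hash: Optional[str] = None  # only a hash of the token is stored
    reset_token_expires: float = 0.0

def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()

# Constructed sample store: user_login_id -> record, plus an e-mail index
USERS = {
    "admin": UserLogin("admin@example.com", hash_password("admin-initial")),
    "alice": UserLogin("alice@example.com", hash_password("alice-initial")),
}
BY_EMAIL = {u.email: u for u in USERS.values()}

def request_reset(email: str, now: float) -> Optional[str]:
    """Steps 2-3: mint a single-use, expiring token. The current password stays valid,
    so a stranger typing someone else's address changes nothing. The UI shows the same
    neutral message whether or not the address is known, so accounts cannot be enumerated."""
    user = BY_EMAIL.get(email)
    if user is None:
        return None
    raw_token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
    user.reset_token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
    user.reset_token_expires = now + TOKEN_TTL_SECONDS
    return raw_token  # goes only into the e-mail, never into the database or logs

def complete_reset(user_login_id: str, raw_token: str, new_password: str, now: float) -> bool:
    """Step 4: the link was clicked and the two-field form submitted."""
    user = USERS.get(user_login_id)
    if user is None or user.reset_token_hash is None:
        return False
    if now > user.reset_token_expires:
        user.reset_token_hash = None  # expired: discard it
        return False
    presented = hashlib.sha256(raw_token.encode()).hexdigest()
    if not hmac.compare_digest(presented, user.reset_token_hash):
        return False
    user.password_hash = hash_password(new_password)
    user.reset_token_hash = None  # single use
    return True
```

The caller should also rate-limit request_reset per address and per client, which this in-memory sketch leaves out.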
