[
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16059335#comment-16059335
]
Tobias Laufkötter commented on OFBIZ-4361:
------------------------------------------
{quote}One remaining case is when the user forgets his username/login. He will
(hopefully) always recall his email address so it would be cool if he could
provide his email address. If there is exactly one valid login associated with
this email address, the process can go on.
Else there should be some kind of message to call the administrator or
something.{quote}
Instead of prompting the user to contact an administrator a solution that would
not give away any information about the status of the given email address in
the system would be to send the request to contact an administrator per email.
This way a potential hacker would have no way of getting any information about
the data in the system.
Szenario 1:
The user has forgotten their password, but remembers the username.
# Klick "forgot password"
# provide username
# Message appears "An email with instructions to reclaim the account has been
send to the email adress provided by this account. If you didn't recieve any
email you may have used a different email address or mistyped your username"
# If the username is valid and has an email address an email is sent with a
link to choose a new password.
Szenario 2:
The user has forgotten their password and username but remembers the email
address.
# Klick "forgot password"
# provide email address
# Message appears "An email with instructions to reclaim the account has been
send to this email adress. If you didn't recieve any email you may have used a
different email address or mistyped it"
# If the email address is in the system and belongs
* to only one userlogin an email is sent with a link to choose a new password.
* to more than one userlogin an email is sent with instructions to contact an
administrator/customer service
> Any ecommerce user has the ability to reset anothers password (including
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Release Branch 11.04, Trunk
> Environment: Ubuntu and others
> Reporter: mz4wheeler
> Assignee: Michael Brohl
> Labels: security
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to
> reset another users password, including "admin" without permission. By
> simply entering "admin" and clicking "Email Password", the following is
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password. It is also
> possible to generate a dictionary attack against ofbiz because there is no
> capta code required. This is serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name
> is optionally in the format of an email address, and maybe require a capta
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was
> generated via an ecommerce transaction.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
