[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

[Gaudin Pierre (JIRA)]

    [ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16397610#comment-16397610
 ] 

Gaudin Pierre commented on OFBIZ-4361:
--------------------------------------

I have just added a patch allowing to change password by adding a additional 
stage

Here the modification of the workflow 
  1 - Request of loss of password (by the user) 
  2 - Recording of a request of lost of password associated with the login (by 
the system) 
  3 - Send of an e-mail to confirm the request of change of password with a 
link containing the reference of the request to change of password (by the 
system) 
  4 - Connection of the user to the form to change the password and seized with 
a new password (by the user) 
  5 - Check that the login and the request are associated 
  6 - Recording of the new password (by the system)

> Any ecommerce user has the ability to reset anothers password (including 
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Trunk
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Michael Brohl
>            Priority: Major
>              Labels: security
>         Attachments: OFBIZ-4361.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another users password, including "admin" without permission.  By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also 
> possible to generate a dictionary attack against ofbiz because there is no 
> capta code required.  This is serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name 
> is optionally in the format of an email address, and maybe require a capta 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was 
> generated via an ecommerce transaction.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)