[
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16583998#comment-16583998
]
Nicolas Malin commented on OFBIZ-4361:
--------------------------------------
I reviewed the patch and have some remarks before committing it:
* When the user comes to OFBiz after asking for a new password, only the userName and
the custRequestId seem too few regarding the possibility of resetting a password. I'm
in favor of using a token built with the UserLogin and CustRequest involved in
this process. I already implemented it in the submitted patch :)
[^OFBIZ-4361_ReworkPasswordLogic.patch]
* Also, to prevent a possible massive attack, I propose adding a timeout for
password reset managed by security.properties. A user that requests a new
password would have 2 days (or less) to consume it, after which the custRequest
will be cancelled.
* The link in the email template isn't good, because using a hard-coded webapp and
control breaks the dynamic website URL system:
{code:html}
<form method="post"
action="${baseEcommerceSecureUrl}/partymgr/control/forgotPasswordReset?">
{code}
* I also propose, if we change the API screen in common, to use only one screen
for forgotPassword in Themes.xml and analyse the context to select what to
display:
{code:xml}
<screen name="forgotPassword"/>
<screen name="forgotPasswordSetUser"/>
<screen name="forgotPasswordChooseValidation"/>
<screen name="forgotPasswordReset"/>{code}
by
{code:xml}
<screen name="forgotPassword"/>{code}
This offert more possibility for a theme to implement it.
On the latest patch I also added the dates to custRequest.
If you are agree with my previous proposals, I can implement them quickly
> Any ecommerce user has the ability to reset anothers password (including
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Release Branch 11.04, Trunk
> Environment: Ubuntu and others
> Reporter: mz4wheeler
> Assignee: Michael Brohl
> Priority: Major
> Labels: security
> Attachments: OFBIZ-4361.patch, OFBIZ-4361_ReworkPasswordLogic.patch,
> OFBIZ-4361_ReworkPasswordLogic.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to
> reset another user's password, including "admin", without permission. By
> simply entering "admin" and clicking "Email Password", the following is
> displayed:
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password. It is also
> possible to run a dictionary attack against OFBiz because there is no
> captcha code required. This is a serious security risk.
> This feature could be restricted to a certain subset of users, whose login name
> is optionally in the format of an email address, and maybe require a captcha
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person", which was
> generated via an ecommerce transaction.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
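The two proposals in the comment above (a reset token bound to the UserLogin and the CustRequest involved, and a reset timeout read from security.properties) as an added, stand-alone illustration. This is not OFBiz code and calls no OFBiz API: the property name password.reset.timeout.seconds, the server key, and the user and request identifiers are assumptions for the example, and the single-use check (recording the nonce on the CustRequest and cancelling it after consumption) is left to the server side as described in the comment.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for a security.properties entry. The property name is
# hypothetical (not a real OFBiz setting); the comment proposes "2 days (or
# less)", so the default is 2 days expressed in seconds.
SECURITY_PROPERTIES = {"password.reset.timeout.seconds": str(2 * 24 * 3600)}


def reset_timeout_seconds(props=SECURITY_PROPERTIES):
    return int(props["password.reset.timeout.seconds"])


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_reset_token(user_login_id, cust_request_id, key, now=None,
                      props=SECURITY_PROPERTIES):
    """Opaque token bound to one UserLogin and one CustRequest.

    The payload carries the binding plus an absolute expiry derived from the
    configured timeout. An HMAC over the payload with a server-side key means
    nobody without the key can forge a token or retarget one to another user.
    The nonce makes each token unique so the server can store it on the
    CustRequest and refuse a second use.
    """
    now = int(time.time()) if now is None else int(now)
    payload = {
        "userLoginId": user_login_id,
        "custRequestId": cust_request_id,
        "exp": now + reset_timeout_seconds(props),
        "nonce": _b64(secrets.token_bytes(16)),
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def verify_reset_token(token, key, user_login_id, cust_request_id, now=None):
    """Return (ok, reason). The signature is checked before anything else."""
    now = int(time.time()) if now is None else int(now)
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False, "bad signature"
    try:
        payload = json.loads(body)
        exp = int(payload["exp"])
        bound_user, bound_req = payload["userLoginId"], payload["custRequestId"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    if now >= exp:
        return False, "expired"
    if bound_user != user_login_id or bound_req != cust_request_id:
        return False, "binding mismatch"
    return True, "ok"


def tamper_user(token, new_user_login_id):
    """Attacker edit: rewrite userLoginId in the payload, keep the old MAC."""
    body_b64, mac_b64 = token.split(".", 1)
    payload = json.loads(_unb64(body_b64))
    payload["userLoginId"] = new_user_login_id
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + mac_b64


def run_demo(key=b"\x01" * 32, issued_at=1_000_000):
    """Issue a token for 'bob' and exercise the checks a reset handler makes."""
    tok = issue_reset_token("bob", "10001", key, now=issued_at)
    ttl = reset_timeout_seconds()
    t1 = issued_at + 1
    return {
        "valid": verify_reset_token(tok, key, "bob", "10001", now=issued_at + 3600),
        "expired": verify_reset_token(tok, key, "bob", "10001", now=issued_at + ttl),
        "other_user": verify_reset_token(tok, key, "admin", "10001", now=t1),
        "other_request": verify_reset_token(tok, key, "bob", "10002", now=t1),
        "retargeted": verify_reset_token(tamper_user(tok, "admin"), key, "admin", "10001", now=t1),
        "wrong_key": verify_reset_token(tok, b"\x02" * 32, "bob", "10001", now=t1),
        # what the old flow effectively accepted: bare identifiers, no secret
        "garbage": verify_reset_token("admin&10001", key, "admin", "10001", now=t1),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:14s} ok={ok} reason={reason}")
```

The point of the binding is that knowing a target's userLoginId (the "admin" case in the report) and even guessing a custRequestId yields nothing without the server key, and the expiry caps how long a leaked or intercepted link stays useful; enforcing single use still has to happen in the handler when the CustRequest is consumed and cancelled.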