[
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16721193#comment-16721193
]
Jacques Le Roux commented on OFBIZ-4361:
----------------------------------------
Dennis, Michael,
Just a quick preliminary 1st pass, there is a lot to review in this patch!
You use a token different than a JWT. Your token is used in emails with a
verification URL. Did you consider to use a JWT as it exists in OFBiz?
It's one of the case where a JWT fits. Referring to
[https://github.com/dwyl/learn-json-web-tokens]
I read at the section:
{quote}"Use-cases for a JWT token in a url are:"
{quote}
that it fits for URL sents in an email. I can't say that there are security
issues with your solution and the JWT way is not much used in OFBiz yet. But
I'd advocate for an unique way to use validation tokens in OFBiz, and the JWT
is a well established standard.
With JWT the idea is [to securely store
tokens|https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage].
We already discussed that. I believe a DB is not the best place (and we see
that everyday, even all big companies have DBs compromised) . Disclaimer: I did
only a cursory review (actually did more read Dennis specifications) and I may
miss something. Are the features not possible w/o storing in DB? It seems to me
that a JWT token would fit. Of course a JWT itself does not guarantee security,
it all depends on the code around...
In any case please remember to remove the comments like
{quote}// MOD dbalkir
{quote}
from the patch.
This said it looks like a great step in the right direction, thanks for your
work guys!
> Any ecommerce user has the ability to reset anothers password (including
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Release Branch 11.04, Release Branch 13.07, Release
> Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release
> Branch 17.12
> Environment: Ubuntu and others
> Reporter: mz4wheeler
> Assignee: Michael Brohl
> Priority: Major
> Labels: security
> Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch,
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch,
> OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to
> reset another users password, including "admin" without permission. By
> simply entering "admin" and clicking "Email Password", the following is
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password. It is also
> possible to generate a dictionary attack against ofbiz because there is no
> capta code required. This is serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name
> is optionally in the format of an email address, and maybe require a capta
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was
> generated via an ecommerce transaction.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
