[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16916543#comment-16916543 ]

Jacques Le Roux commented on OFBIZ-4361:
----------------------------------------

Wait, I did not try to change the password. If I do, I get an error saying the 
password is incorrect and this error in the log:
{noformat}
2019-08-27 09:51:28,180 |jsse-nio-8443-exec-5 |ControlServlet |T| [[[ecomseo::forgotpassword (Domain:https://localhost)] Request Done- total:3.146,since last([ecomseo::forgotp...):3.146]]
2019-08-27 09:52:12,131 |jsse-nio-8443-exec-1 |ControlEventListener |I| Creating session: hidden sessionId by default.
2019-08-27 09:52:12,132 |jsse-nio-8443-exec-1 |ControlServlet |T| [[[partymgr::passwordChange (Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2019-08-27 09:52:12,132 |jsse-nio-8443-exec-1 |VisitHandler |I| Found visitorId [10000] in cookie
2019-08-27 09:52:12,163 |jsse-nio-8443-exec-1 |ConfigXMLReader |I| controller loaded: 0.002s, 265 requests, 109 views in file:/C:/projectsASF/ofbiz/applications/party/webapp/partymgr/WEB-INF/controller.xml
2019-08-27 09:52:12,185 |jsse-nio-8443-exec-1 |ConfigXMLReader |I| controller loaded: 0.0s, 49 requests, 21 views in file:/C:/projectsASF/ofbiz/framework/common/webcommon/WEB-INF/common-controller.xml
2019-08-27 09:52:12,206 |jsse-nio-8443-exec-1 |ConfigXMLReader |I| controller loaded: 0.0s, 0 requests, 0 views in file:/C:/projectsASF/ofbiz/framework/common/webcommon/WEB-INF/handlers-controller.xml
2019-08-27 09:52:12,226 |jsse-nio-8443-exec-1 |ConfigXMLReader |I| controller loaded: 0.0s, 30 requests, 13 views in file:/C:/projectsASF/ofbiz/framework/common/webcommon/WEB-INF/security-controller.xml
2019-08-27 09:52:12,255 |jsse-nio-8443-exec-1 |ConfigXMLReader |I| controller loaded: 0.0s, 4 requests, 0 views in file:/C:/projectsASF/ofbiz/applications/commonext/webapp/WEB-INF/controller.xml
2019-08-27 09:52:12,313 |jsse-nio-8443-exec-1 |ConfigXMLReader |I| controller loaded: 0.003s, 379 requests, 154 views in file:/C:/projectsASF/ofbiz/applications/content/webapp/content/WEB-INF/controller.xml
2019-08-27 09:52:12,313 |jsse-nio-8443-exec-1 |RequestHandler |I| This is the first request in this visit. Hidden sessionId by default.
2019-08-27 09:52:12,360 |jsse-nio-8443-exec-1 |EntityCrypto |I| Decrypt with DES key from standard key name hash failed, trying old/funny variety of key name hash
2019-08-27 09:52:12,361 |jsse-nio-8443-exec-1 |LoginWorker |E| Current Password Decryption failed
org.apache.ofbiz.entity.EntityCryptoException: org.apache.ofbiz.entity.EntityCryptoException: key(Secret Key) not found in database (key(Secret Key) not found in database)
 at org.apache.ofbiz.entity.util.EntityCrypto.decrypt(EntityCrypto.java:143) ~[main/:?]
 at org.apache.ofbiz.webapp.control.LoginWorker.login(LoginWorker.java:420) [main/:?]
 at org.apache.ofbiz.webapp.control.LoginWorker.checkLogin(LoginWorker.java:349) [main/:?]
 at org.apache.ofbiz.webapp.control.LoginWorker.extensionCheckLogin(LoginWorker.java:292) [main/:?]
{noformat}
I'm checking that...

> Any ecommerce user has the ability to reset another's password (including 
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 11.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release 
> Branch 17.12
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: security
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, 
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, 
> OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another user's password, including "admin", without permission.  By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also 
> possible to generate a dictionary attack against ofbiz because there is no 
> captcha code required.  This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name 
> is optionally in the format of an email address, and maybe require a captcha 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was 
> generated via an ecommerce transaction.
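The issue description above reports two defects: a reset request alone overwrites the target user's password, and nothing throttles repeated requests. The following Python model is added here as an illustration and is not OFBiz code or any of the attached patches; the class names, the constructed `users` dict and the `RESET_MSG` wording are assumptions. It places the reported flow next to a token-based one in which the stored password stays untouched until a single-use, time-limited token is redeemed and every request gets the same reply.

```python
import hashlib
import hmac
import secrets
import time

# Same reply for every login name, so the response does not reveal valid accounts.
RESET_MSG = "If that account exists, reset instructions have been sent to its email."

def _h(token: str) -> str:
    # Store only a hash of the token so a database read cannot replay it.
    return hashlib.sha256(token.encode()).hexdigest()

class VulnerableReset:
    """Models the reported flow: the request alone replaces the password."""
    def __init__(self, users):
        self.users = users  # constructed: login -> {"pw": str, "email": str}

    def forgot_password(self, login):
        if login not in self.users:
            return "No user found."  # distinct reply lets a guesser enumerate logins
        self.users[login]["pw"] = secrets.token_urlsafe(8)  # account holder locked out
        return "A new password has been created and sent to you."

class TokenReset:
    """Password unchanged until a fresh, single-use token is redeemed; requests throttled."""
    def __init__(self, users, ttl=900, max_requests=5, window=3600):
        self.users, self.ttl = users, ttl
        self.max_requests, self.window = max_requests, window
        self.pending = {}   # login -> (token_hash, expiry)
        self.requests = {}  # login -> [request timestamps]

    def forgot_password(self, login, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.requests.get(login, []) if now - t < self.window]
        self.requests[login] = recent + [now]
        if len(recent) >= self.max_requests:
            return None, RESET_MSG  # throttled, but same reply as the normal path
        token = None
        if login in self.users:
            token = secrets.token_urlsafe(32)  # would be mailed to the stored address
            self.pending[login] = (_h(token), now + self.ttl)
        return token, RESET_MSG

    def redeem(self, login, token, new_pw, now=None):
        now = time.time() if now is None else now
        rec = self.pending.get(login)
        if rec is None or now > rec[1] or not hmac.compare_digest(rec[0], _h(token)):
            return False
        del self.pending[login]  # single use: the same token cannot be replayed
        self.users[login]["pw"] = new_pw
        return True
```

In a real deployment the throttle would also key on the client address, and the token would only ever travel to the email address already on file.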



--
This message was sent by Atlassian Jira
(v8.3.2#803003)