[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16916543#comment-16916543 ]
Jacques Le Roux commented on OFBIZ-4361: ---------------------------------------- Wait, I did no try to change the password. If I do I get an error saying the password is incorrect and this error in log: {noformat} 2019-08-27 09:51:28,180 |jsse-nio-8443-exec-5 |ControlServlet |T| [[[ecomseo::forgotpassword (Domain:https://localhost)] Request Done- total:3.146,since last([ecomseo::forgotp...):3.146]] 2019-08-27 09:52:12,131 |jsse-nio-8443-exec-1 |ControlEventListener |I| Creating session: hidden sessionId by default. 2019-08-27 09:52:12,132 |jsse-nio-8443-exec-1 |ControlServlet |T| [[[partymgr::passwordChange (Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]] 2019-08-27 09:52:12,132 |jsse-nio-8443-exec-1 |VisitHandler |I| Found visitorId [10000] in cookie 2019-08-27 09:52:12,163 |jsse-nio-8443-exec-1 |ConfigXMLReader |I| controller loaded: 0.002s, 265 requests, 109 views in file:/C:/projectsASF/ofbiz/applications/party/webapp/partymgr/WEB-INF/controller.xml 2019-08-27 09:52:12,185 |jsse-nio-8443-exec-1 |ConfigXMLReader |I| controller loaded: 0.0s, 49 requests, 21 views in file:/C:/projectsASF/ofbiz/framework/common/webcommon/WEB-INF/common-controller.xml 2019-08-27 09:52:12,206 |jsse-nio-8443-exec-1 |ConfigXMLReader |I| controller loaded: 0.0s, 0 requests, 0 views in file:/C:/projectsASF/ofbiz/framework/common/webcommon/WEB-INF/handlers-controller.xml 2019-08-27 09:52:12,226 |jsse-nio-8443-exec-1 |ConfigXMLReader |I| controller loaded: 0.0s, 30 requests, 13 views in file:/C:/projectsASF/ofbiz/framework/common/webcommon/WEB-INF/security-controller.xml 2019-08-27 09:52:12,255 |jsse-nio-8443-exec-1 |ConfigXMLReader |I| controller loaded: 0.0s, 4 requests, 0 views in file:/C:/projectsASF/ofbiz/applications/commonext/webapp/WEB-INF/controller.xml 2019-08-27 09:52:12,313 |jsse-nio-8443-exec-1 |ConfigXMLReader |I| controller loaded: 0.003s, 379 requests, 154 views in file:/C:/projectsASF/ofbiz/applications/content/webapp/content/WEB-INF/controller.xml 2019-08-27 09:52:12,313 |jsse-nio-8443-exec-1 |RequestHandler |I| This is the first request in this visit. Hidden sessionId by default. 2019-08-27 09:52:12,360 |jsse-nio-8443-exec-1 |EntityCrypto |I| Decrypt with DES key from standard key name hash failed, trying old/funny variety of key name hash 2019-08-27 09:52:12,361 |jsse-nio-8443-exec-1 |LoginWorker |E| Current Password Decryption failed org.apache.ofbiz.entity.EntityCryptoException: org.apache.ofbiz.entity.EntityCryptoException: key(Secret Key) not found in database (key(Secret Key) not found in database) at org.apache.ofbiz.entity.util.EntityCrypto.decrypt(EntityCrypto.java:143) ~[main/:?] at org.apache.ofbiz.webapp.control.LoginWorker.login(LoginWorker.java:420) [main/:?] at org.apache.ofbiz.webapp.control.LoginWorker.checkLogin(LoginWorker.java:349) [main/:?] at org.apache.ofbiz.webapp.control.LoginWorker.extensionCheckLogin(LoginWorker.java:292) [main/:?]{noformat} I'm checking that... > Any ecommerce user has the ability to reset anothers password (including > admin) via "Forget Your Password" > ---------------------------------------------------------------------------------------------------------- > > Key: OFBIZ-4361 > URL: https://issues.apache.org/jira/browse/OFBIZ-4361 > Project: OFBiz > Issue Type: Sub-task > Components: framework > Affects Versions: Release Branch 11.04, Release Branch 13.07, Release > Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release > Branch 17.12 > Environment: Ubuntu and others > Reporter: mz4wheeler > Assignee: Jacques Le Roux > Priority: Major > Labels: security > Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, > OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, > OFBIZ-4361_Token-Password-Registration.patch > > > Currently, any user (via ecommerce "Forget Your Password") has the ability to > reset another users password, including "admin" without permission. By > simply entering "admin" and clicking "Email Password", the following is > displayed. > The following occurred: > A new password has been created and sent to you. Please check your Email. > This now forces the user of the ERP to change their password. It is also > possible to generate a dictionary attack against ofbiz because there is no > capta code required. This is serious security risk. > This feature could be reduced to a certain sub-set of users, whose login name > is optionally in the format of an email address, and maybe require a capta > code to prevent dictionary attacks. > For example, limit the feature to role "Customer" of type "Person" which was > generated via an ecommerce transaction. -- This message was sent by Atlassian Jira (v8.3.2#803003)