[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16916658#comment-16916658 ]
Jacques Le Roux commented on OFBIZ-4361: ---------------------------------------- About concerns found in this issue: In description {quote} The following occurred: A new password has been created and sent to you. Please check your Email. This now forces the user of the ERP to change their password. {quote} With this patch, nobody is forced to do anything. People just need to ignore the email. So I think we should add a note for users, like:{color:#DE350B} "Please ignore this email if you did not request a password change". To be added to with "This link can be used only once" {color} {quote} It is also possible to generate a dictionary attack against ofbiz because there is no capta code required. This is serious security risk. This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a captcha code to prevent dictionary attacks. For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction. {quote} I'm not sure it's a real security issue, you can always do that against any login page. But this is an interesting point. I don't think it has been implemented with current patch. > Any ecommerce user has the ability to reset anothers password (including > admin) via "Forget Your Password" > ---------------------------------------------------------------------------------------------------------- > > Key: OFBIZ-4361 > URL: https://issues.apache.org/jira/browse/OFBIZ-4361 > Project: OFBiz > Issue Type: Sub-task > Components: framework > Affects Versions: Release Branch 11.04, Release Branch 13.07, Release > Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release > Branch 17.12 > Environment: Ubuntu and others > Reporter: mz4wheeler > Assignee: Jacques Le Roux > Priority: Major > Labels: security > Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, > OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, > OFBIZ-4361_Token-Password-Registration.patch > > > Currently, any user (via ecommerce "Forget Your Password") has the ability to > reset another users password, including "admin" without permission. By > simply entering "admin" and clicking "Email Password", the following is > displayed. > The following occurred: > A new password has been created and sent to you. Please check your Email. > This now forces the user of the ERP to change their password. It is also > possible to generate a dictionary attack against ofbiz because there is no > capta code required. This is serious security risk. > This feature could be reduced to a certain sub-set of users, whose login name > is optionally in the format of an email address, and maybe require a capta > code to prevent dictionary attacks. > For example, limit the feature to role "Customer" of type "Person" which was > generated via an ecommerce transaction. -- This message was sent by Atlassian Jira (v8.3.2#803003)