[ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-4361:
-----------------------------------
    Comment: was deleted

(was: Unsure, after Nicolas fixing OFBIZ-11175, I simply did a svn up in a 3rd 
console and the error did not display in the console where OFBiz runs 

{noformat}
Waiting for changes to input files of tasks... (ctrl-d then enter to exit)
modified: C:\projectsASF\ofbiz\applications\product\src\main\java\org\apache\ofbiz\product\category\CategoryServices.java
Change detected, executing build...
{noformat}

But then I got another error due to r1865920 in OFBIZ-11164
{noformat}
2019-08-26 12:07:16,523 |OFBiz-JobQueue-1     |GenericServiceJob             |E| Async-Service failed.
org.apache.ofbiz.service.GenericServiceException: Error running simple method [sendEmailDated] in XML file [component://party/minilang/communication/CommunicationEventServices.xml]:  (Could not find SimpleMethod sendEmailDated in XML document in resource: component://party/minilang/communication/CommunicationEventServices.xml)
        at org.apache.ofbiz.minilang.SimpleServiceEngine.serviceInvoker(SimpleServiceEngine.java:81) ~[main/:?]
        at org.apache.ofbiz.minilang.SimpleServiceEngine.runSync(SimpleServiceEngine.java:48) ~[main/:?]
        at org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:415) ~[main/:?]
        at org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:240) ~[main/:?]
        at org.apache.ofbiz.service.GenericDispatcherFactory$GenericDispatcher.runSync(GenericDispatcherFactory.java:88) ~[main/:?]
        at org.apache.ofbiz.service.job.GenericServiceJob.exec(GenericServiceJob.java:70) [main/:?]
        at org.apache.ofbiz.service.job.AbstractJob.run(AbstractJob.java:87) [main/:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_202]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_202]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_202]
Caused by: org.apache.ofbiz.minilang.MiniLangException: Could not find SimpleMethod sendEmailDated in XML document in resource: component://party/minilang/communication/CommunicationEventServices.xml
        at org.apache.ofbiz.minilang.SimpleMethod.runSimpleMethod(SimpleMethod.java:272) ~[main/:?]
        at org.apache.ofbiz.minilang.SimpleMethod.runSimpleService(SimpleMethod.java:293) ~[main/:?]
        at org.apache.ofbiz.minilang.SimpleServiceEngine.serviceInvoker(SimpleServiceEngine.java:79) ~[main/:?]
{noformat}
So yes, there are still discrepancies between dynamic and non-dynamic resources and it's 
hard to know when. This said, it's quite convenient stuff and I'll stop there 
:D)

> Any ecommerce user has the ability to reset another's password (including 
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 11.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release 
> Branch 17.12
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: security
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, 
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, 
> OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another user's password, including "admin", without permission.  By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed:
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also 
> possible to generate a dictionary attack against OFBiz because there is no 
> captcha code required.  This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name 
> is optionally in the format of an email address, and maybe require a captcha 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was 
> generated via an ecommerce transaction.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

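The issue text above describes two distinct problems with a "forgot password" form that rewrites the stored password the moment a login name is submitted: any anonymous visitor can lock an arbitrary account (admin included) out of its current password, and the form doubles as an unthrottled oracle for guessing login names. The following is an added illustration written for this page, not OFBiz code and not the content of any of the attached patches: it models the reported behaviour in a small Python class next to a hardened variant that (1) issues a single-use, expiring reset token instead of overwriting the password, (2) returns the same reply whether or not the login exists or is eligible, (3) restricts the feature to accounts whose role is "Customer" and whose party type is "Person", as the reporter suggests, and (4) rate limits requests per client. The role and party-type strings, the sample accounts, the client address 203.0.113.7 and all handler names are assumptions made for the example; the mail outbox is a list standing in for SMTP, and the SHA-256 password hash is only a placeholder for a real slow, salted KDF.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass
class Account:
    login: str
    password_hash: str
    role: str        # assumed role names: "CUSTOMER" or "ADMIN"
    party_type: str  # assumed party types: "PERSON" or "PARTY_GROUP"
    email: str

def hash_password(pw: str) -> str:
    # Illustrative only; a real deployment uses a slow, salted KDF.
    return hashlib.sha256(pw.encode()).hexdigest()

def make_accounts():
    # Constructed sample data: one staff login and one webshop customer.
    return {
        "admin": Account("admin", hash_password("ofbiz"), "ADMIN", "PERSON", "admin@example.com"),
        "DemoCustomer": Account("DemoCustomer", hash_password("ofbiz"), "CUSTOMER", "PERSON", "cust@example.com"),
    }

class VulnerableReset:
    # Model of the reported flow: the login typed into the public form gets a new password at once.
    def __init__(self, accounts):
        self.accounts = accounts
        self.outbox = []  # (recipient, mail body); stands in for SMTP

    def email_password(self, login):
        acct = self.accounts.get(login)
        if acct is None:
            return "No user found with that login"  # distinguishable reply (assumed): login enumeration
        new_pw = secrets.token_urlsafe(8)
        acct.password_hash = hash_password(new_pw)  # the target is locked out before reading the mail
        self.outbox.append((acct.email, new_pw))
        return "A new password has been created and sent to you. Please check your Email."

class HardenedReset:
    # Token-based reset: the stored password is untouched until the mailed token is presented, replies
    # never say whether the login exists, only customer persons are eligible, requests are rate limited.
    TOKEN_TTL = 900    # seconds a token stays valid
    MAX_REQUESTS = 5   # per client per WINDOW
    WINDOW = 3600      # seconds
    GENERIC = "If that account exists and is eligible, a reset link has been sent."

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts
        self.clock = clock  # injectable so expiry can be tested
        self.outbox = []
        self.pending = {}   # login -> (sha256(token), expiry)
        self.requests = {}  # client id -> timestamps of recent requests

    def _rate_limited(self, client):
        now = self.clock()
        recent = [t for t in self.requests.get(client, []) if now - t < self.WINDOW]
        recent.append(now)
        self.requests[client] = recent
        return len(recent) > self.MAX_REQUESTS

    def request_reset(self, login, client):
        if self._rate_limited(client):
            return "Too many requests; try again later."
        acct = self.accounts.get(login)
        # Staff accounts and unknown logins get exactly the success text: no oracle, no lockout.
        if acct is None or acct.role != "CUSTOMER" or acct.party_type != "PERSON":
            return self.GENERIC
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()  # only the hash is stored
        self.pending[login] = (digest, self.clock() + self.TOKEN_TTL)
        self.outbox.append((acct.email, token))
        return self.GENERIC

    def complete_reset(self, login, token, new_password):
        entry = self.pending.get(login)
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry or not hmac.compare_digest(digest, hashlib.sha256(token.encode()).hexdigest()):
            return False  # expired or wrong token; the entry stays unusable until replaced
        del self.pending[login]  # single use
        self.accounts[login].password_hash = hash_password(new_password)
        return True

def demo():
    """Run both flows against the sample accounts; returns what an attacker can observe."""
    vuln, hard = VulnerableReset(make_accounts()), HardenedReset(make_accounts())
    original = hash_password("ofbiz")
    vuln.email_password("admin")  # one anonymous form submission
    replies = {n: hard.request_reset(n, "203.0.113.7") for n in ("admin", "nobody", "DemoCustomer")}
    token = hard.outbox[-1][1]    # the customer's own mail; the attacker never sees it
    return {
        "vulnerable_overwrote_admin": vuln.accounts["admin"].password_hash != original,
        "hardened_overwrote_admin": hard.accounts["admin"].password_hash != original,
        "replies_identical": len(set(replies.values())) == 1,
        "mails_sent_by_hardened": len(hard.outbox),
        "customer_reset_ok": hard.complete_reset("DemoCustomer", token, "n3w-pass"),
        "token_reuse_ok": hard.complete_reset("DemoCustomer", token, "again"),
    }
```

Running demo() shows the difference the reporter is pointing at: the vulnerable handler changes the admin password after a single anonymous request, while the hardened one leaves every stored password alone, sends exactly one mail (to the eligible customer), and answers "admin", a non-existent login and the customer with the same sentence. The rate limit is per client and is a weaker stand-in for the captcha the reporter asks for; in practice both are worth having, since distributed guessing defeats a per-IP counter alone.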