[ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16924551#comment-16924551
 ] 

Jacques Le Roux edited comment on OFBIZ-4361 at 9/8/19 8:21 AM:
----------------------------------------------------------------

While working on OFBIZ-10751 I re-read comments I made in OFBIZ-9833 & 
OFBIZ-10307. I stumbled upon 
https://github.com/auth0/java-jwt#using-a-keyprovider. though I did not yet 
clarified all the points, now that we use {{com.auth0:java-jwt:3.8.2}}, I think 
we should consider to do something like in the example demonstrated in this 
page but as suggested there:
bq. "with a simple key rotation using JWKS, try the jwks-rsa-java library."

I created OFBIZ-11187 for that


was (Author: jacques.le.roux):
While working on OFBIZ-10751 I re-read comments I made in OFBIZ-9833 & 
OFBIZ-10307. I stumbled upon 
https://github.com/auth0/java-jwt#using-a-keyprovider. though I did not yet 
clarified all the points, now that we use {{com.auth0:java-jwt:3.8.2}}, I think 
we should consider to do something like in the example demonstrated in this 
page but as suggested there:
bq. "with a simple key rotation using JWKS, try the jwks-rsa-java library."

> Any ecommerce user has the ability to reset anothers password (including 
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 11.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release 
> Branch 17.12
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: security
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, 
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, 
> OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another users password, including "admin" without permission.  By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also 
> possible to generate a dictionary attack against ofbiz because there is no 
> capta code required.  This is serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name 
> is optionally in the format of an email address, and maybe require a capta 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was 
> generated via an ecommerce transaction.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

Reply via email to