[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16931124#comment-16931124 ]

Jacques Le Roux commented on OFBIZ-4361:
----------------------------------------

BTW, those are still there, maybe useful:

{code:xml}
    <screen name="ForgotPassword_step1">
        <section>
            <widgets>
                <decorator-screen name="main-decorator" location="${parameters.mainDecoratorLocation}">
                    <decorator-section name="body">
                        <platform-specific>
                            <html><html-template location="component://webpos/template/ForgotPassword.ftl"/></html>
                        </platform-specific>
                    </decorator-section>
                </decorator-screen>
            </widgets>
        </section>
    </screen>
    <screen name="ForgotPassword_step2">
        <section>
            <actions>
                <set field="userLoginId" from-field="parameters.USERNAME"/>
                <entity-and entity-name="UserLoginSecurityQuestion" list="securityQuestions">
                    <field-map field-name="userLoginId"/>
                </entity-and>
                <set field="questionEnumId" from-field="securityQuestions[0].questionEnumId"/>
                <entity-one entity-name="Enumeration" value-field="securityQuestion">
                    <field-map field-name="enumId" from-field="questionEnumId"/>
                </entity-one>
            </actions>
            <widgets>
                <decorator-screen name="main-decorator" location="${parameters.mainDecoratorLocation}">
                    <decorator-section name="body">
                        <platform-specific>
                            <html><html-template location="component://webpos/template/GetSecurityQuestion.ftl"/></html>
                        </platform-specific>
                    </decorator-section>
                </decorator-screen>
            </widgets>
        </section>
    </screen>
{code}

Their use was removed in [^OFBIZ-4361_Token-Password-Registration.patch]

> Any ecommerce user has the ability to reset another's password (including 
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 11.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release 
> Branch 17.12
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: security
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, 
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, 
> OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another user's password, including "admin", without permission.  By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also 
> possible to generate a dictionary attack against ofbiz because there is no 
> captcha code required.  This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name 
> is optionally in the format of an email address, and maybe require a captcha 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was 
> generated via an ecommerce transaction.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)