[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16931124#comment-16931124 ]
Jacques Le Roux commented on OFBIZ-4361:
----------------------------------------

BTW, those are still there, maybe useful:

{code:xml}
<screen name="ForgotPassword_step1">
    <section>
        <widgets>
            <decorator-screen name="main-decorator" location="${parameters.mainDecoratorLocation}">
                <decorator-section name="body">
                    <platform-specific>
                        <html><html-template location="component://webpos/template/ForgotPassword.ftl"/></html>
                    </platform-specific>
                </decorator-section>
            </decorator-screen>
        </widgets>
    </section>
</screen>
<screen name="ForgotPassword_step2">
    <section>
        <actions>
            <set field="userLoginId" from-field="parameters.USERNAME"/>
            <entity-and entity-name="UserLoginSecurityQuestion" list="securityQuestions">
                <field-map field-name="userLoginId"/>
            </entity-and>
            <set field="questionEnumId" from-field="securityQuestions[0].questionEnumId"/>
            <entity-one entity-name="Enumeration" value-field="securityQuestion">
                <field-map field-name="enumId" from-field="questionEnumId"/>
            </entity-one>
        </actions>
        <widgets>
            <decorator-screen name="main-decorator" location="${parameters.mainDecoratorLocation}">
                <decorator-section name="body">
                    <platform-specific>
                        <html><html-template location="component://webpos/template/GetSecurityQuestion.ftl"/></html>
                    </platform-specific>
                </decorator-section>
            </decorator-screen>
        </widgets>
    </section>
</screen>
{code}

Their use was removed in [^OFBIZ-4361_Token-Password-Registration.patch]

> Any ecommerce user has the ability to reset anothers password (including
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 11.04, Release Branch 13.07, Release
> Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release
> Branch 17.12
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: security
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch,
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch,
> OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to
> reset another user's password, including "admin", without permission. By
> simply entering "admin" and clicking "Email Password", the following is
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password. It is also
> possible to generate a dictionary attack against ofbiz because there is no
> captcha code required. This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name
> is optionally in the format of an email address, and maybe require a captcha
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was
> generated via an ecommerce transaction.

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
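Added example, not OFBiz code and not the content of any patch attached to this issue: the shape of a token-based reset flow of the kind the Token-Password-Registration patch name suggests, written in Python rather than OFBiz's Java and screen XML so it runs stand-alone. The `PasswordResetService` class, its limits and the sample user are assumptions constructed for the example. It addresses the two problems in the report: a reset request never changes the stored password (only a valid, unexpired, single-use token does), the response never reveals whether the login exists, and requests are rate limited per login.

```python
import hashlib
import hmac
import secrets
import time


class PasswordResetService:
    """Hypothetical reset service: a request never changes a password and
    never reveals whether the login exists; only a valid token does."""
    TOKEN_TTL = 900         # seconds a reset token stays valid
    MAX_REQUESTS = 3        # reset requests allowed per login per window
    WINDOW = 3600           # rate-limit window in seconds

    def __init__(self, users, now=time.time):
        self.users = users          # login -> {"email": ..., "password": ...}
        self.tokens = {}            # login -> (sha256 of token, expiry time)
        self.requests = {}          # login -> timestamps of recent requests
        self.outbox = []            # (email, token) pairs a real system would mail
        self.now = now              # injectable clock, so expiry is testable

    def request_reset(self, login):
        """Same response for known and unknown logins, so nothing is enumerable."""
        t = self.now()
        recent = [s for s in self.requests.get(login, []) if t - s < self.WINDOW]
        self.requests[login] = recent + [t]
        if login in self.users and len(recent) < self.MAX_REQUESTS:
            token = secrets.token_urlsafe(32)                   # unguessable
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[login] = (digest, t + self.TOKEN_TTL)   # store only the hash
            self.outbox.append((self.users[login]["email"], token))
        return "If that account exists, a reset link has been sent to its email address."

    def confirm_reset(self, login, token, new_password):
        """Change the password only for an unexpired, matching token; then burn it."""
        entry = self.tokens.get(login)
        if entry is None:
            return False
        digest, expiry = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if self.now() > expiry or not hmac.compare_digest(digest, supplied):
            return False
        del self.tokens[login]                                  # single use
        self.users[login]["password"] = new_password
        return True


# Constructed sample data mirroring the report's "admin" scenario
SAMPLE_USERS = {"admin": {"email": "admin@example.invalid", "password": "old-secret"}}
```

Compare with the reported behaviour: there the request itself replaced the password and mailed it, so any visitor could lock an account's owner out; here the request only produces a mail the owner can ignore.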