[jira] [Commented] (OFBIZ-11038) Unable to view a PartyContent on view profile page of a party

2019-09-08 Thread Pawan Verma (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-11038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16925374#comment-16925374 ]

Pawan Verma commented on OFBIZ-11038:
-

Thanks, Jacques!

> Unable to view a PartyContent on view profile page of a party
> -
>
> Key: OFBIZ-11038
> URL: https://issues.apache.org/jira/browse/OFBIZ-11038
> Project: OFBiz
>  Issue Type: Bug
>  Components: party
>Affects Versions: Trunk
>Reporter: Devanshu Vyas
>Assignee: Pawan Verma
>Priority: Minor
> Fix For: 17.12.01, Release Branch 16.11, 18.12.01
>
> Attachments: Error_message.png, OFBIZ-11038.patch, 
> PartyContent_View.png
>
>
> * Go to [partymgr|https://demo-trunk.ofbiz.apache.org/partymgr/control/main]
>  * Search any party(e.g. DemoCustomer)
>  * Go to the [party 
> profile|https://demo-trunk.ofbiz.apache.org/partymgr/control/viewprofile?partyId=DemoCustomer]
>  page
>  * Go to Party Content section on the page and upload a file
>  * Select a purpose(Logo Image Url) and click on the Upload button
>  * After uploading success message will be displayed as Party data object 
> created successfully.
>  * Then view button will be displayed under the Party Content section, click 
> on the view button to view the image uploaded.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)


[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

2019-09-08 Thread Jacques Le Roux (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16925154#comment-16925154 ]

Jacques Le Roux commented on OFBIZ-4361:


As Pierre Smits initially reported:
bq. another issue is that to change their passwords ecommerce clients need to 
get access to partymngr.  I think that's not secure enough and restriction of 
the possible actions (e.g. only allowed to reset password) would be a good idea...

It should be noted that it was already like that before this issue.

Nicolas answered:
bq. By default the user changes it on partymgr because we ask for the password 
change from the framework, but for ecommerce he needs to obtain a link to 
ecommerce; finally he needs to obtain a link where he is authorised to connect. 
The solution that I implemented was to offer a temporary authorisation to OFBiz 
access with the current user's permissions, not more.

I created OFBIZ-11188 for that.


> Any ecommerce user has the ability to reset anothers password (including 
> admin) via "Forget Your Password"
> --
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: framework
>Affects Versions: Release Branch 11.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release 
> Branch 17.12
> Environment: Ubuntu and others
>Reporter: mz4wheeler
>Assignee: Jacques Le Roux
>Priority: Major
>  Labels: security
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, 
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, 
> OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another user's password, including "admin", without permission.  By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed:
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also 
> possible to generate a dictionary attack against OFBiz because there is no 
> captcha code required.  This is a serious security risk.
> This feature could be restricted to a certain subset of users, whose login name 
> is optionally in the format of an email address, and maybe require a captcha 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was 
> generated via an ecommerce transaction.



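The report above proposes two controls for the ecommerce "Forget Your Password" flow: only act on logins that belong to a Person party holding the Customer role, and require a captcha so that login names cannot be enumerated cheaply. The following is an added example, not OFBiz code: it models that eligibility gate with constructed in-memory stand-ins for the OFBiz UserLogin, Party and PartyRole entities (the real service would look these up through the delegator), and a hypothetical `CaptchaVerifier` interface standing in for whatever captcha service is wired in. The party and role data are constructed samples, not OFBiz seed data.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not OFBiz code): the eligibility gate proposed in OFBIZ-4361.
 * A self-service reset is allowed only for an ecommerce customer (Person party
 * with the CUSTOMER role) and only after a captcha has been solved.
 */
public class SelfServiceResetPolicy {

    public enum Decision { ALLOW, DENY_CAPTCHA, DENY_UNKNOWN_LOGIN, DENY_NOT_ECOMMERCE_CUSTOMER }

    /** Hypothetical stand-in for a captcha service; a real one validates a server-issued challenge. */
    public interface CaptchaVerifier {
        boolean isValid(String challengeId, String answer);
    }

    // Constructed sample data standing in for the UserLogin, Party and PartyRole entities.
    private final Map<String, String> userLoginParty = new HashMap<>();      // userLoginId -> partyId
    private final Map<String, String> partyType = new HashMap<>();           // partyId -> partyTypeId
    private final Map<String, Set<String>> partyRoles = new HashMap<>();     // partyId -> roleTypeIds
    private final CaptchaVerifier captcha;

    public SelfServiceResetPolicy(CaptchaVerifier captcha) {
        this.captcha = captcha;
        addParty("admin", "PERSON", "EMPLOYEE");                    // back-office login: never resettable from the shop
        addParty("DemoCustomer", "PERSON", "CUSTOMER", "BILL_TO_CUSTOMER");
        addParty("DemoSupplier", "PARTY_GROUP", "SUPPLIER");         // a company, not a Person
        userLoginParty.put("admin", "admin");
        userLoginParty.put("DemoCustomer", "DemoCustomer");
        userLoginParty.put("DemoSupplier", "DemoSupplier");
    }

    private void addParty(String partyId, String partyTypeId, String... roleTypeIds) {
        partyType.put(partyId, partyTypeId);
        partyRoles.put(partyId, new HashSet<>(Arrays.asList(roleTypeIds)));
    }

    /** True only for a Person party that carries the CUSTOMER role, as the report proposes. */
    public boolean isEcommerceCustomer(String userLoginId) {
        String partyId = userLoginParty.get(userLoginId);
        if (partyId == null) {
            return false;
        }
        boolean isPerson = "PERSON".equals(partyType.get(partyId));
        Set<String> roles = partyRoles.getOrDefault(partyId, Collections.emptySet());
        return isPerson && roles.contains("CUSTOMER");
    }

    /** Decide whether a "Forget Your Password" request for userLoginId may proceed to the mail step. */
    public Decision decide(String userLoginId, String challengeId, String captchaAnswer) {
        // Captcha first: this is what makes a dictionary run over login names expensive.
        if (!captcha.isValid(challengeId, captchaAnswer)) {
            return Decision.DENY_CAPTCHA;
        }
        if (!userLoginParty.containsKey(userLoginId)) {
            return Decision.DENY_UNKNOWN_LOGIN;
        }
        if (!isEcommerceCustomer(userLoginId)) {
            return Decision.DENY_NOT_ECOMMERCE_CUSTOMER;
        }
        return Decision.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed captcha: the only accepted answer for challenge "c1" is "7h3x".
        SelfServiceResetPolicy policy = new SelfServiceResetPolicy(
                (id, answer) -> "c1".equals(id) && "7h3x".equals(answer));

        System.out.println("DemoCustomer: " + policy.decide("DemoCustomer", "c1", "7h3x"));
        System.out.println("admin:        " + policy.decide("admin", "c1", "7h3x"));
        System.out.println("DemoSupplier: " + policy.decide("DemoSupplier", "c1", "7h3x"));
        System.out.println("nobody:       " + policy.decide("nobody", "c1", "7h3x"));
        System.out.println("bad captcha:  " + policy.decide("DemoCustomer", "c1", "xxxx"));
    }
}
```

Only `ALLOW` should lead to a password being regenerated or mailed; the other outcomes are for the server log, and the check belongs inside the reset service itself rather than in the ecommerce screen, so that the partymgr path discussed in this thread is covered by the same rule.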


[jira] [Created] (OFBIZ-11188) Forgot Password feature in ecommerce needs an access to partymngr

2019-09-08 Thread Jacques Le Roux (Jira)
Jacques Le Roux created OFBIZ-11188:
---

 Summary: Forgot Password feature in ecommerce needs an access to 
partymngr
 Key: OFBIZ-11188
 URL: https://issues.apache.org/jira/browse/OFBIZ-11188
 Project: OFBiz
  Issue Type: Improvement
  Components: framework
Affects Versions: Release Branch 16.11, Release Branch 15.12, Trunk, 
Release Branch 14.12, Release Branch 13.07, Release Branch 17.12, Release 
Branch 18.12
Reporter: Jacques Le Roux


As Pierre Smits initially reported in OFBIZ-4361:
bq. another issue is that to change their passwords ecommerce clients need to 
get access to partymngr.  I think that's not secure enough and restriction of 
the possible actions (e.g. only allowed to reset password) would be a good idea...

It should be noted that it was already like that before OFBIZ-4361






[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

2019-09-08 Thread Jacques Le Roux (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16925118#comment-16925118 ]

Jacques Le Roux commented on OFBIZ-4361:


It should be noted that with the current implementation the work done by 
OFBIZ-4983 has disappeared. As I wrote above:
{quote}In backend, I tried to use "Get Password Hint" but got nothing (stuck on 
the screen, nothing in log)
 Same in ecommerce, you simply get back to the login screen.
 In webpos it does not work either.
{quote}
This feature has been removed by the patch though I kept 2 
GetSecurityQuestion.ftl files which were removed.

I guess we don't want to remove the feature, do we? 
If not, it should not be too hard to get it back, though I did not try.






[jira] [Comment Edited] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

2019-09-08 Thread Jacques Le Roux (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16924551#comment-16924551 ]

Jacques Le Roux edited comment on OFBIZ-4361 at 9/8/19 8:21 AM:


While working on OFBIZ-10751 I re-read comments I made in OFBIZ-9833 & 
OFBIZ-10307. I stumbled upon 
https://github.com/auth0/java-jwt#using-a-keyprovider. Though I have not yet 
clarified all the points, now that we use {{com.auth0:java-jwt:3.8.2}}, I think 
we should consider doing something like the example demonstrated on that 
page, but as suggested there:
bq. "with a simple key rotation using JWKS, try the jwks-rsa-java library."

I created OFBIZ-11187 for that.


was (Author: jacques.le.roux):
While working on OFBIZ-10751 I re-read comments I made in OFBIZ-9833 & 
OFBIZ-10307. I stumbled upon 
https://github.com/auth0/java-jwt#using-a-keyprovider. though I did not yet 
clarified all the points, now that we use {{com.auth0:java-jwt:3.8.2}}, I think 
we should consider to do something like in the example demonstrated in this 
page but as suggested there:
bq. "with a simple key rotation using JWKS, try the jwks-rsa-java library."






[jira] [Created] (OFBIZ-11187) Use a JWT keyprovider

2019-09-08 Thread Jacques Le Roux (Jira)
Jacques Le Roux created OFBIZ-11187:
---

 Summary: Use a JWT keyprovider
 Key: OFBIZ-11187
 URL: https://issues.apache.org/jira/browse/OFBIZ-11187
 Project: OFBiz
  Issue Type: Improvement
  Components: framework
Affects Versions: Trunk
Reporter: Jacques Le Roux


There are several more or less safe ways to keep a JWT secret key. They are 
documented 
[here|https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc]

An even safer, and not costly, way is [to use a JWT keyprovider 
|https://github.com/auth0/java-jwt#using-a-keyprovider]. I think we should 
consider doing something like the example demonstrated on that page, and as 
suggested there:

bq. "with a simple key rotation using JWKS, try the jwks-rsa-java library."





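The key provider approach referenced in OFBIZ-11187 (and in the edited OFBIZ-4361 comment above) lets java-jwt look up the verification key by the token's `kid` header instead of holding one static secret, which is what makes rotation possible without invalidating tokens already issued. The following is an added example, not OFBiz code and not from the java-jwt project: it implements java-jwt's `RSAKeyProvider` interface against an in-memory key set, issues a token, rotates the signing key, and shows that the older token still verifies until its key is retired. The key ids, the `"ofbiz"` issuer and the five-minute lifetime are assumptions chosen for the demonstration; it needs `com.auth0:java-jwt` (the thread names 3.8.2) on the classpath.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;

/**
 * Added example, not OFBiz code: an RSAKeyProvider for com.auth0:java-jwt that signs with
 * the current key and verifies against every key still published, so a rotation does not
 * reject tokens issued under the previous key.
 */
public class RotatingRsaKeyProvider implements RSAKeyProvider {

    private final Map<String, RSAPublicKey> publishedKeys = new ConcurrentHashMap<>();
    private volatile String signingKeyId;
    private volatile RSAPrivateKey signingKey;

    /** Make keyId the signing key; earlier public keys stay published for verification. */
    public synchronized void rotate(String keyId, KeyPair pair) {
        publishedKeys.put(keyId, (RSAPublicKey) pair.getPublic());
        signingKey = (RSAPrivateKey) pair.getPrivate();
        signingKeyId = keyId;
    }

    /** Withdraw a key once every token signed with it has expired. */
    public void retire(String keyId) {
        publishedKeys.remove(keyId);
    }

    // java-jwt calls this with the "kid" header of the token being verified; null means "unknown key".
    @Override public RSAPublicKey getPublicKeyById(String keyId) { return publishedKeys.get(keyId); }
    // java-jwt calls these when signing and writes the returned kid into the token header.
    @Override public RSAPrivateKey getPrivateKey() { return signingKey; }
    @Override public String getPrivateKeyId() { return signingKeyId; }

    static KeyPair newRsaKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        return generator.generateKeyPair();
    }

    static String issueToken(Algorithm algorithm, String userLoginId) {
        return JWT.create()
                .withIssuer("ofbiz")                                   // assumed issuer name
                .withSubject(userLoginId)
                .withExpiresAt(new Date(System.currentTimeMillis() + 5 * 60 * 1000L))
                .sign(algorithm);
    }

    static String describe(JWTVerifier verifier, String token) {
        try {
            DecodedJWT jwt = verifier.verify(token);
            return "valid, kid=" + jwt.getKeyId() + ", sub=" + jwt.getSubject();
        } catch (JWTVerificationException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        RotatingRsaKeyProvider keys = new RotatingRsaKeyProvider();
        keys.rotate("key-2019-09-a", newRsaKeyPair());

        Algorithm rs256 = Algorithm.RSA256(keys);
        JWTVerifier verifier = JWT.require(rs256).withIssuer("ofbiz").build();

        String tokenA = issueToken(rs256, "DemoCustomer");      // header kid = key-2019-09-a

        keys.rotate("key-2019-09-b", newRsaKeyPair());          // rotation: new tokens use key b
        String tokenB = issueToken(rs256, "DemoCustomer");      // header kid = key-2019-09-b

        System.out.println("token A after rotation: " + describe(verifier, tokenA));
        System.out.println("token B after rotation: " + describe(verifier, tokenB));

        keys.retire("key-2019-09-a");                           // key a withdrawn; token A now fails
        System.out.println("token A after retire:   " + describe(verifier, tokenA));
    }
}
```

Token A verifies after the rotation because its `kid` still resolves, and is rejected once `retire` removes that key; token B verifies throughout. For the JWKS variant the thread quotes, the verification side of `getPublicKeyById` can be backed by jwks-rsa-java's `JwkProvider` (for example `UrlJwkProvider` or `JwkProviderBuilder`), returning `(RSAPublicKey) provider.get(kid).getPublicKey()`, so the published key set lives at a JWKS endpoint instead of in this map.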


[jira] [Closed] (OFBIZ-11038) Unable to view a PartyContent on view profile page of a party

2019-09-08 Thread Jacques Le Roux (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-11038?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-11038.
---
Fix Version/s: (was: Upcoming Branch)
   Release Branch 16.11
   18.12.01
   17.12.01
   Resolution: Fixed

Backported:
R18 r1866593
R17 r1866591
R16 r1866592

Pawan, if you want to automatically backport you can use the 
tools\mergefromtrunk scripts ;)

Here I use Release Branch 16.11, in the fix version/s field, because I think it 
will not be included in 16.12.06

HTH




