[jira] [Issue Comment Deleted] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

2019-08-27 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-4361:
---
Comment: was deleted

(was: [reflective] hmm, I restarted from scratch and all works for me[reflective]
)

> Any ecommerce user has the ability to reset anothers password (including 
> admin) via "Forget Your Password"
> --
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: framework
>Affects Versions: Release Branch 11.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release 
> Branch 17.12
> Environment: Ubuntu and others
>Reporter: mz4wheeler
>Assignee: Jacques Le Roux
>Priority: Major
>  Labels: security
> Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, 
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, 
> OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another user's password, including "admin", without permission.  By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed:
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also 
> possible to generate a dictionary attack against OFBiz because there is no 
> captcha code required.  This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name 
> is optionally in the format of an email address, and maybe require a captcha 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person", which was 
> generated via an ecommerce transaction.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
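The issue description above asks for three things: that a reset request must not change anyone's password on its own, that the feature be limited to a subset of accounts (customers of type Person rather than internal logins such as "admin"), and that the form resist dictionary attacks. The Python below is an added illustration of such a flow; it is not OFBiz code and not any of the attached patches. The request handler never changes a password; it answers with the same message whether or not the login exists, issues an HMAC-signed, time-limited, single-use token only to eligible accounts, and throttles by client address and by login. The account shape, the role name "CUSTOMER", the party type values and the eligibility rule are assumptions made for the example.

```python
"""Token-based 'forgot password' flow: an added example, not OFBiz code.
Account shape, role names and the eligibility rule are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# One message for every outcome, so the response does not reveal whether a login exists.
GENERIC_MESSAGE = "If that login is eligible, instructions have been sent to its email address."


@dataclass
class Account:
    user_login_id: str
    email: str
    roles: frozenset          # e.g. frozenset({"CUSTOMER"}); assumed role name
    party_type: str           # "PERSON" or "PARTY_GROUP"; assumed values
    password_hash: str = "unchanged"


@dataclass
class PasswordResetService:
    secret: bytes                               # HMAC key for reset tokens
    accounts: dict                              # user_login_id -> Account (constructed store)
    token_ttl: int = 900                        # token lifetime in seconds
    max_requests: int = 3                       # requests per key per window
    window: int = 3600                          # rate-limit window in seconds
    outbox: list = field(default_factory=list)  # (email, token) pairs that would be mailed
    _hits: dict = field(default_factory=dict)
    _used: set = field(default_factory=set)

    def eligible(self, acct: Account) -> bool:
        # Only ecommerce customers that are persons may use self-service reset;
        # internal accounts such as "admin" never qualify.
        return "CUSTOMER" in acct.roles and acct.party_type == "PERSON"

    def _rate_limited(self, key: str, now: float) -> bool:
        recent = [t for t in self._hits.get(key, []) if now - t < self.window]
        limited = len(recent) >= self.max_requests
        if not limited:
            recent.append(now)
        self._hits[key] = recent
        return limited

    def _sign(self, payload: str) -> str:
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def request_reset(self, user_login_id: str, client_ip: str, now: float = None) -> str:
        now = time.time() if now is None else now
        # Throttle per address and per login so the form cannot drive a dictionary attack.
        ip_limited = self._rate_limited("ip:" + client_ip, now)
        login_limited = self._rate_limited("login:" + user_login_id, now)
        if ip_limited or login_limited:
            return GENERIC_MESSAGE
        acct = self.accounts.get(user_login_id)
        if acct is None or not self.eligible(acct):
            return GENERIC_MESSAGE          # same answer, nothing sent, nothing changed
        expires = int(now) + self.token_ttl
        payload = f"{user_login_id}|{expires}|{secrets.token_urlsafe(16)}"
        self.outbox.append((acct.email, payload + "|" + self._sign(payload)))
        return GENERIC_MESSAGE

    def complete_reset(self, token: str, new_password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        parts = token.split("|")
        if len(parts) != 4:
            return False
        payload, sig = "|".join(parts[:3]), parts[3]
        if not hmac.compare_digest(self._sign(payload), sig):
            return False                    # forged or tampered token
        user_login_id, expires = parts[0], int(parts[1])
        if now > expires or token in self._used:
            return False                    # expired or already redeemed
        acct = self.accounts.get(user_login_id)
        if acct is None:
            return False
        self._used.add(token)
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        acct.password_hash = salt.hex() + "$" + digest.hex()
        return True


def build_demo_service() -> PasswordResetService:
    """Constructed sample data: one internal admin and one ecommerce customer."""
    accounts = {
        "admin": Account("admin", "admin@example.com", frozenset({"ADMIN"}), "PERSON"),
        "alice": Account("alice", "alice@example.com", frozenset({"CUSTOMER"}), "PERSON"),
    }
    return PasswordResetService(secret=b"demo-key-do-not-reuse", accounts=accounts)


if __name__ == "__main__":
    svc = build_demo_service()
    print(svc.request_reset("admin", "203.0.113.7"))   # same message, but no email and no change
    print(svc.request_reset("alice", "203.0.113.7"))
    _, token = svc.outbox[-1]
    print(svc.complete_reset(token, "correct horse battery staple"))  # True once
    print(svc.complete_reset(token, "again"))                         # False: single use
```

The point of the uniform message is that a request for "admin" and a request for a non-existent login are indistinguishable to the caller, while the password itself only changes when someone who can read the customer's mailbox redeems the token before it expires.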


[jira] [Issue Comment Deleted] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

2019-08-27 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-4361:
---
Comment: was deleted

(was: Mmm, last thought: the last one is certainly due to a String in a job 
referring to the sendEmailDated simple method in CommunicationEventServices.xml, 
which no longer exists ;) So it's something else...)






[jira] [Issue Comment Deleted] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

2019-08-27 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-4361:
---
Comment: was deleted

(was: Unsure; after Nicolas fixed OFBIZ-11175, I simply did an svn up in a 3rd 
console and the error did not display in the console where OFBiz runs 

{noformat}
Waiting for changes to input files of tasks... (ctrl-d then enter to exit)
modified: C:\projectsASF\ofbiz\applications\product\src\main\java\org\apache\ofbiz\product\category\CategoryServices.java
Change detected, executing build...
{noformat}

But then I got another error due to r1865920 in OFBIZ-11164
{noformat}
2019-08-26 12:07:16,523 |OFBiz-JobQueue-1 |GenericServiceJob |E| Async-Service failed.
org.apache.ofbiz.service.GenericServiceException: Error running simple method [sendEmailDated] in XML file [component://party/minilang/communication/CommunicationEventServices.xml]: (Could not find SimpleMethod sendEmailDated in XML document in resource: component://party/minilang/communication/CommunicationEventServices.xml)
    at org.apache.ofbiz.minilang.SimpleServiceEngine.serviceInvoker(SimpleServiceEngine.java:81) ~[main/:?]
    at org.apache.ofbiz.minilang.SimpleServiceEngine.runSync(SimpleServiceEngine.java:48) ~[main/:?]
    at org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:415) ~[main/:?]
    at org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:240) ~[main/:?]
    at org.apache.ofbiz.service.GenericDispatcherFactory$GenericDispatcher.runSync(GenericDispatcherFactory.java:88) ~[main/:?]
    at org.apache.ofbiz.service.job.GenericServiceJob.exec(GenericServiceJob.java:70) [main/:?]
    at org.apache.ofbiz.service.job.AbstractJob.run(AbstractJob.java:87) [main/:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_202]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_202]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_202]
Caused by: org.apache.ofbiz.minilang.MiniLangException: Could not find SimpleMethod sendEmailDated in XML document in resource: component://party/minilang/communication/CommunicationEventServices.xml
    at org.apache.ofbiz.minilang.SimpleMethod.runSimpleMethod(SimpleMethod.java:272) ~[main/:?]
    at org.apache.ofbiz.minilang.SimpleMethod.runSimpleService(SimpleMethod.java:293) ~[main/:?]
    at org.apache.ofbiz.minilang.SimpleServiceEngine.serviceInvoker(SimpleServiceEngine.java:79) ~[main/:?]
{noformat}
So yes, there are still discrepancies between dynamic and non-dynamic resources, 
and it's hard to know when. This said, it's quite convenient stuff and I'll stop 
there :D)






[jira] [Issue Comment Deleted] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

2019-08-27 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-4361:
---
Comment: was deleted

(was: Gradle continuous build is really useful:

{noformat}
Waiting for changes to input files of tasks... (ctrl-d then enter to exit)
modified: C:\projectsASF\ofbiz\applications\securityext\src\main\java\org\apache\ofbiz\securityext\login\LoginEvents.java
modified: C:\projectsASF\ofbiz\applications\securityext\template\email\PasswordEmail.ftl
modified: C:\projectsASF\ofbiz\framework\common\config\SecurityextUiLabels.xml
and some more changes
Change detected, executing build...

> Task :compileJava
C:\projectsASF\ofbiz\applications\securityext\src\main\java\org\apache\ofbiz\securityext\login\LoginEvents.java:255: warning: [unchecked] unchecked conversion
List contactMechs = (List) ContactHelper.getContactMechByPurpose(userParty, "PRIMARY_EMAIL", false);
{noformat}

;))






[jira] [Issue Comment Deleted] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

2019-08-27 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-4361:
---
Comment: was deleted

(was: For those interested, of course using Gradle continuous build can lead to 
certain discrepancies if you don't run OFBiz again when needed (e.g. Java classes 
to be reloaded). Only dynamic resources are updated (i.e. not Java classes, for 
instance). Here is what happens when I apply the patch and try to get a 
password by email:

{noformat}
2019-08-26 11:21:23,429 |jsse-nio-8443-exec-5 |JavaEventHandler |E| Problems Processing Event
java.lang.NoSuchMethodError: org.apache.ofbiz.webapp.control.JWTManager.createJwt(Lorg/apache/ofbiz/entity/Delegator;Ljava/util/Map;Ljava/lang/String;I)Ljava/lang/String;
    at org.apache.ofbiz.security.SecurityUtil.generateJwtToAuthenticateUserLogin(SecurityUtil.java:133) ~[main/:?]
    at org.apache.ofbiz.securityext.login.LoginEvents.emailPasswordRequest(LoginEvents.java:269) ~[main/:?]
    at org.apache.ofbiz.securityext.login.LoginEvents.forgotPassword(LoginEvents.java:123) ~[main/:?]
{noformat}

Or do I miss something?
)



