[ https://issues.apache.org/jira/browse/OFBIZ-2729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12733292#action_12733292 ]

Si Chen commented on OFBIZ-2729:
--------------------------------

A couple of other security enhancements which I think should be made:

1. The user's password should be checked, even if he is changing his own
password.

2. The admin user's password should be checked as well before he is allowed
to change any passwords.

Otherwise, there is the risk of a low-tech "coffee break attack": the user or
the admin user steps out for a five-minute coffee break, and somebody comes in,
sits down at his terminal, and starts changing passwords.

>  special security should be required for setting passwords
> ----------------------------------------------------------
>
>                 Key: OFBIZ-2729
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2729
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 4.0, Release Branch 9.04, SVN trunk
>            Reporter: Si Chen
>
> This issue was first brought up here:
> https://sourceforge.net/forum/message.php?msg_id=7496877
> Basically, any user with PARTYMGR_CREATE/UPDATE permissions can set the
> password of another user. This creates an opportunity for malfeasance. For
> example, a customer service rep could set the password of the admin user.
> A simple solution would be to create a new security permission
> PARTYMGR_PASSWD and require that permission for setting or changing the
> password of a different user, instead of using PARTYMGR_UPDATE.
> PARTYMGR_PASSWD could then be associated with the administrative user.
> An alternative is to use the SECURITY_UPDATE permission instead of
> PARTYMGR_UPDATE or a new PARTYMGR_PASSWD permission.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
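The two controls discussed in this thread (re-checking the acting user's own password before any password change, and requiring a dedicated PARTYMGR_PASSWD permission rather than PARTYMGR_UPDATE to change someone else's password) as a self-contained policy check. This is an added illustration, not OFBiz code: the user store, the PBKDF2 hashing and the function names are assumptions, and the permission names are the ones proposed in the issue.

```python
import hashlib
import hmac
import os

# Hypothetical hashing helper; OFBiz's own password scheme is not assumed here.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_user(password: str, permissions: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "perms": set(permissions)}

# Constructed sample store: a CSR holds the PARTYMGR_* permissions the issue
# describes, while only the admin holds the proposed PARTYMGR_PASSWD.
USERS = {
    "admin": make_user("adm-pw", {"PARTYMGR_UPDATE", "PARTYMGR_PASSWD"}),
    "csr":   make_user("csr-pw", {"PARTYMGR_CREATE", "PARTYMGR_UPDATE"}),
    "alice": make_user("ali-pw", set()),
}

def verify_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))

def authorize_password_change(actor: str, actor_password: str, target: str) -> bool:
    """Re-authentication first (defeats the coffee-break case for self and admin
    alike); changing another account additionally needs PARTYMGR_PASSWD, so
    PARTYMGR_UPDATE alone is no longer enough."""
    if target not in USERS or not verify_password(actor, actor_password):
        return False
    if actor == target:
        return True
    return "PARTYMGR_PASSWD" in USERS[actor]["perms"]

def change_password(actor: str, actor_password: str, target: str, new_password: str) -> bool:
    """Apply the change only when the policy above allows it; returns success."""
    if not authorize_password_change(actor, actor_password, target):
        return False
    rec = USERS[target]
    rec["salt"] = os.urandom(16)          # fresh salt on every change
    rec["hash"] = _hash(new_password, rec["salt"])
    return True
```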