[ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16060506#comment-16060506
 ] 

Tobias Laufkötter commented on OFBIZ-4361:
------------------------------------------

Independent from the actual process the technical side of the solution is still 
in question.
Although I like the idea of simplicity, I would rather go with a one-to-many 
relationship to the password reset information, as this would enable a tracking 
of the account reclamation attempts. The chosen entity would need 
* the userLoginId
* a fromDate for the starting point of the process
* a thruDate for the time of the token expiration (expires at the preset date 
e.g. 24h after creation or with the activation of the link)
* an indicator (Y/N) to show whether the password was changed by the time of 
the thruDate (set to N on creation, set to Y at successful password reset)
* a hash of the token that is used in the URL (hash algorithm? SHA-512?)

I'm not familiar enough with the WorkEffort entities and their original 
intention to be able to judge whether they are the right tools to use. 
[~deepak.dixit], would you care to elaborate on your suggestion? If a password 
reset token should prove to be too far from the WorkEffort's (or other 
entities') concerns, maybe a new entity (e.g. TOKEN, SECURITY_TOKEN, 
PASSWORD_RESET_TOKEN) would be preferable. 

We should provide a default email that can be overridden by the 
ProductStoreEmailSetting.
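The entity shape sketched above (userLoginId, fromDate, thruDate, a Y/N indicator and a hash of the URL token, one user to many attempts) can be exercised end to end in a few lines. The following is an added illustration, not OFBiz code and not something the commenter wrote: it assumes an in-memory list in place of the entity engine, a hypothetical `PasswordResetToken` dataclass with those five fields, SHA-512 as the token hash (the comment leaves the algorithm open) and a 24-hour lifetime; the lookup, expiry, single-use and attempt-count behaviour are what a defender would want checked before the link is trusted.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed lifetime of a reset link (the comment's "e.g. 24h after creation").
TOKEN_TTL = timedelta(hours=24)


def hash_token(raw_token: str) -> str:
    """Hash the URL token with SHA-512 so the stored row never holds the secret itself."""
    return hashlib.sha512(raw_token.encode("utf-8")).hexdigest()


@dataclass
class PasswordResetToken:
    """Hypothetical entity carrying the five fields proposed in the comment."""
    user_login_id: str
    token_hash: str
    from_date: datetime
    thru_date: datetime
    password_changed: str = "N"   # Y/N indicator: N on creation, Y after a successful reset


class PasswordResetStore:
    """In-memory stand-in for the entity table (one user -> many attempts)."""

    def __init__(self) -> None:
        self._rows: list[PasswordResetToken] = []

    def issue_token(self, user_login_id: str, now: datetime) -> str:
        """Record a new attempt and return the raw token that goes into the emailed link."""
        raw_token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._rows.append(PasswordResetToken(
            user_login_id=user_login_id,
            token_hash=hash_token(raw_token),
            from_date=now,
            thru_date=now + TOKEN_TTL,
        ))
        return raw_token

    def redeem(self, user_login_id: str, raw_token: str, now: datetime) -> bool:
        """Accept a link only if the hash matches, now is inside [fromDate, thruDate)
        and the row has not already been used; on success the row is closed."""
        digest = hash_token(raw_token)
        for row in self._rows:
            if row.user_login_id != user_login_id:
                continue
            if not secrets.compare_digest(row.token_hash, digest):  # constant-time compare
                continue
            if row.password_changed == "Y" or not (row.from_date <= now < row.thru_date):
                return False
            row.password_changed = "Y"
            row.thru_date = now           # the link also expires on activation
            return True
        return False

    def attempts(self, user_login_id: str) -> int:
        """Count reclamation attempts for a user, which the one-to-many shape makes possible."""
        return sum(1 for row in self._rows if row.user_login_id == user_login_id)


def demo_flow() -> dict:
    """Walk one user through issue / wrong token / expired / success / replay with a fixed clock."""
    t0 = datetime(2017, 6, 23, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    store = PasswordResetStore()
    raw = store.issue_token("someuser", t0)
    results = {
        "attempts_after_issue": store.attempts("someuser"),
        "wrong_token": store.redeem("someuser", "not-the-token", t0 + timedelta(hours=1)),
        "expired": store.redeem("someuser", raw, t0 + timedelta(hours=25)),
        "valid": store.redeem("someuser", raw, t0 + timedelta(hours=1)),
        "replay": store.redeem("someuser", raw, t0 + timedelta(hours=2)),
    }
    second = store.issue_token("someuser", t0 + timedelta(hours=3))
    results["tokens_differ"] = second != raw
    results["attempts_after_second"] = store.attempts("someuser")
    return results


if __name__ == "__main__":
    print(demo_flow())
```

Because only the hash is stored, a leaked table does not yield usable links; because the row is matched by hash and closed on use, an old email cannot be replayed, and the per-user row count gives the abuse signal the comment wants to track.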

> Any ecommerce user has the ability to reset another's password (including 
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Trunk
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Michael Brohl
>              Labels: security
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another user's password, including "admin" without permission.  By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also 
> possible to generate a dictionary attack against ofbiz because there is no 
> captcha code required.  This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name 
> is optionally in the format of an email address, and maybe require a captcha 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was 
> generated via an ecommerce transaction.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)