[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16430349#comment-16430349 ]
Benjamin Jugl commented on OFBIZ-4361: -------------------------------------- I just reviewed the patch and did some changes myself. I like the approach, but I think that we might consider creating tokens in place of the customerRequests, because the plain text URL might really be a security issue. (If you knew a username, you could generate a custRequest by sending the email and than have a script run through all custRequestIds...) I renamed the requests as I found it really hard to read all the different "steps" of the process. And I changed the Error Messages. The programm will no longer give hints about valid or invalid usernames, as it was discussed in this issue. > Any ecommerce user has the ability to reset anothers password (including > admin) via "Forget Your Password" > ---------------------------------------------------------------------------------------------------------- > > Key: OFBIZ-4361 > URL: https://issues.apache.org/jira/browse/OFBIZ-4361 > Project: OFBiz > Issue Type: Bug > Components: framework > Affects Versions: Release Branch 11.04, Trunk > Environment: Ubuntu and others > Reporter: mz4wheeler > Assignee: Michael Brohl > Priority: Major > Labels: security > Attachments: OFBIZ-4361.patch, OFBIZ-4361_ReworkPasswordLogic.patch > > > Currently, any user (via ecommerce "Forget Your Password") has the ability to > reset another users password, including "admin" without permission. By > simply entering "admin" and clicking "Email Password", the following is > displayed. > The following occurred: > A new password has been created and sent to you. Please check your Email. > This now forces the user of the ERP to change their password. It is also > possible to generate a dictionary attack against ofbiz because there is no > capta code required. This is serious security risk. > This feature could be reduced to a certain sub-set of users, whose login name > is optionally in the format of an email address, and maybe require a capta > code to prevent dictionary attacks. > For example, limit the feature to role "Customer" of type "Person" which was > generated via an ecommerce transaction. -- This message was sent by Atlassian JIRA (v7.6.3#76005)