[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16583998#comment-16583998 ]
Nicolas Malin commented on OFBIZ-4361:
--------------------------------------

I reviewed the patch and have some remarks before committing it:

* When the user comes to OFBiz after asking for a new password, only the userName and the custRequestId seem too few for the possibility to reset a password. I'm in favor of using a token built with the UserLogin and CustRequest involved in this process. I already implemented it in the submitted patch :) [^OFBIZ-4361_ReworkPasswordLogic.patch]
* Also, to prevent a possible massive attack, I propose to add a timeout for password reset managed by security.properties. A user that requests a new password would have 2 days (or less) to consume it, after which the custRequest will be cancelled.
* The link in the template email isn't good because using a hard-coded webapp and control breaks the dynamic website URL system:
{code:html}
form method="post" action="${baseEcommerceSecureUrl}/partymgr/control/forgotPasswordReset?
{code}
* I also propose, if we change the API screens in common, to use only one screen for forgotPassword in Themes.xml and analyse the context to select what to display:
{code:xml}
<screen name="forgotPassword"/>
<screen name="forgotPasswordSetUser"/>
<screen name="forgotPasswordChooseValidation"/>
<screen name="forgotPasswordReset"/>
{code}
by
{code:xml}
<screen name="forgotPassword"/>
{code}
This offers more possibilities for a theme to implement it.

On the latest patch I also added the dates to custRequest.

If you agree with my previous proposals, I can implement them quickly.

> Any ecommerce user has the ability to reset another's password (including
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Trunk
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Michael Brohl
>            Priority: Major
>              Labels: security
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_ReworkPasswordLogic.patch,
> OFBIZ-4361_ReworkPasswordLogic.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to
> reset another user's password, including "admin", without permission. By
> simply entering "admin" and clicking "Email Password", the following is
> displayed.
>
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
>
> This now forces the user of the ERP to change their password. It is also
> possible to generate a dictionary attack against ofbiz because there is no
> captcha code required. This is a serious security risk.
>
> This feature could be reduced to a certain sub-set of users, whose login name
> is optionally in the format of an email address, and maybe require a captcha
> code to prevent dictionary attacks.
>
> For example, limit the feature to role "Customer" of type "Person" which was
> generated via an ecommerce transaction.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
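The token design proposed in the comment above, as an added stand-alone Python illustration (not OFBiz code and not the attached patch): the reset link carries one HMAC-signed value that binds the UserLogin, the CustRequest and an expiry derived from a configured timeout, so a token issued for one customer's request cannot reset another account such as admin, and it stops working once the delay has passed. The secret, the property name and the sample ids are assumptions.

```python
import base64
import hashlib
import hmac

# Stands in for a value read from security.properties; the property name
# "password.reset.timeout" is an assumption, not an existing OFBiz key.
RESET_TIMEOUT_SECONDS = 2 * 24 * 60 * 60  # two days, as proposed above


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_reset_token(secret, user_login_id, cust_request_id, now, timeout=RESET_TIMEOUT_SECONDS):
    """Bind the UserLogin, the CustRequest and an expiry into one HMAC-signed token."""
    expires = str(now + timeout)
    # Fields are base64-encoded individually so a "." inside an id cannot
    # shift field boundaries.
    payload = ".".join(_b64(f.encode()) for f in (user_login_id, cust_request_id, expires))
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(mac)


def verify_reset_token(secret, token, user_login_id, cust_request_id, now):
    """Return "ok", or the reason the reset request must be refused."""
    parts = token.split(".")
    if len(parts) != 4:
        return "malformed"
    payload = ".".join(parts[:3])
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    try:
        # Signature first: nothing in the payload is trusted before this passes.
        if not hmac.compare_digest(expected, _unb64(parts[3])):
            return "bad_signature"
        tok_user, tok_req, tok_exp = (_unb64(p).decode() for p in parts[:3])
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    # Binding: a token issued for one customer's CustRequest resets nothing else.
    if tok_user != user_login_id or tok_req != cust_request_id:
        return "mismatch"
    if now > int(tok_exp):
        return "expired"  # the CustRequest would be cancelled at this point
    return "ok"
```

The server still has to look up the CustRequest and refuse it once consumed or cancelled; the token only proves the link was issued for that login and that request within the allowed window.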