[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16923581#comment-16923581 ]

Jacques Le Roux commented on OFBIZ-4361:
----------------------------------------

Hi Nicolas,

I have committed your modified patch at revision 1866478 in trunk. I tried to 
backport to R18, fixed some conflicts, but it got too complicated. So 
despite this being a low security bug it's not backported at all. I have 
commented my changes in the commit; here they are for the sake of simplicity:

{quote}
I have modified the patch following comments I made in the Jira, notably
  Removed unused Java variables
  Removed a check in LoginEvents::forgotPassword which prevented error
    messages from being shown
  Changed fr and en SecurityExtPasswordSentToYou 
    + SecurityExtThisEmailIsInResponseToYourRequestToHave labels 
    + template PasswordEmail.ftl
    + loginservices.token_incorrect labels
  Added fr and en SecurityExtIgnoreEmail + SecurityExtLinkOnce labels
  Removed changes in general.properties
  I did not remove the 2 GetSecurityQuestion.ftl files (webpos one was still in)

There is still room for improvement. I'll discuss them on the Jira and dev
ML. But this version is already strong enough not to wait until the patch 
becomes inapplicable!
{quote}

I'll not close the issue yet because I want to discuss some points first. 

All reviews will be appreciated.



> Any ecommerce user has the ability to reset another's password (including 
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 11.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release 
> Branch 17.12
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: security
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, 
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, 
> OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another user's password, including "admin", without permission.  By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also 
> possible to generate a dictionary attack against ofbiz because there is no 
> captcha code required.  This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name 
> is optionally in the format of an email address, and maybe require a captcha 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was 
> generated via an ecommerce transaction.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

Reply via email to