Any ecommerce user has the ability to reset another's password (including admin)
via "Forget Your Password"
----------------------------------------------------------------------------------------------------------
Key: OFBIZ-4361
URL: https://issues.apache.org/jira/browse/OFBIZ-4361
Project: OFBiz
Issue Type: Bug
Components: framework
Affects Versions: Release Branch 11.04, SVN trunk
Environment: Ubuntu and others
Reporter: mz4wheeler
Priority: Critical
Currently, any user (via ecommerce "Forget Your Password") has the ability to
reset another user's password, including "admin", without permission. By simply
entering "admin" and clicking "Email Password", the following is displayed.
The following occurred:
A new password has been created and sent to you. Please check your Email.
This now forces the user of the ERP to change their password. It is also
possible to generate a dictionary attack against ofbiz because there is no
captcha code required. This is a serious security risk.
This feature could be reduced to a certain sub-set of users, whose login name
is optionally in the format of an email address, and maybe require a captcha code
to prevent dictionary attacks.
For example, limit the feature to role "Customer" of type "Person" which was
generated via an ecommerce transaction.
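The restriction proposed above, worked through as an added example that is not OFBiz code: the in-memory user store, its role and party-type field names, the per-login rate limit standing in for a captcha, and the uniform response text are all assumptions made for illustration.

```python
import time

# Constructed user store; the field names are assumptions, not OFBiz's
# UserLogin / PartyRole schema.
USERS = {
    "admin": {"role": "ADMIN", "party_type": "PERSON", "email": "admin@example.com"},
    "jane@example.com": {"role": "CUSTOMER", "party_type": "PERSON", "email": "jane@example.com"},
    "acme": {"role": "CUSTOMER", "party_type": "PARTY_GROUP", "email": "ops@example.com"},
}

MAX_ATTEMPTS = 5        # assumed policy: requests per login name per window
WINDOW_SECONDS = 3600
_attempts = {}          # login name -> timestamps of recent reset requests

# Same text on every path, so the endpoint does not reveal which logins exist.
GENERIC_RESPONSE = "If the account is eligible, a password email has been sent."


def is_eligible(login):
    """Public reset is limited to self-registered ecommerce customers:
    role Customer, party type Person, login name in email form."""
    u = USERS.get(login)
    return (u is not None and u["role"] == "CUSTOMER"
            and u["party_type"] == "PERSON" and "@" in login)


def rate_limited(login, now):
    """Record this request and report whether the login exceeded the window limit.
    This throttles the dictionary attack the report describes even without a captcha."""
    recent = [t for t in _attempts.get(login, []) if now - t < WINDOW_SECONDS]
    recent.append(now)
    _attempts[login] = recent
    return len(recent) > MAX_ATTEMPTS


def forgot_password(login, captcha_ok, now=None, send_email=lambda addr: None):
    """Hardened 'Email Password' handler. Returns (reset_performed, message);
    the message is identical whether or not a reset actually happened."""
    now = time.time() if now is None else now
    if rate_limited(login, now) or not captcha_ok or not is_eligible(login):
        return False, GENERIC_RESPONSE
    send_email(USERS[login]["email"])
    return True, GENERIC_RESPONSE
```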
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira