[ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16061087#comment-16061087
 ] 

mz4wheeler commented on OFBIZ-4361:
-----------------------------------

Hey guys:  My main point when I wrote this JIRA was an objection to allowing 
the "admin" user's password to be reset (under YOUR feet), by anyone VIA the 
ecommerce module.  

I don't necessarily object to resetting the password via a back end module, 
like accounting, because presumably the back end modules "should be" protected 
from the internet.  Still, any back end (system) user should be protected from 
inadvertent password resets unless enabled, whereas any NEW customers should be 
allowed to reset their password, as long as there is an email assigned and 
email is enabled.

For back end system user logins, including "admin", "accounting", etc., email 
resets should be disabled (by default), unless enabled (somehow), maybe by 
adding a new role, like "allow_password_resets", for instance.

> Any ecommerce user has the ability to reset another's password (including 
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Trunk
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Michael Brohl
>              Labels: security
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another user's password, including "admin", without permission.  By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed:
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also 
> possible to generate a dictionary attack against OFBiz because there is no 
> captcha code required.  This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name 
> is optionally in the format of an email address, and maybe require a captcha 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was 
> generated via an ecommerce transaction.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

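The policy proposed in this thread (default-deny email resets for back-end logins such as "admin" and "accounting", allow them only for ecommerce customers of type "Person" with an email on file while email is enabled, honour an explicit opt-in role, and blunt dictionary attacks) expressed as runnable code. This is an added example written for this page, not OFBiz project code: the role name ALLOW_PASSWORD_RESETS, the is_system flag, the attempt budget and the sample accounts are assumptions made for the illustration. It also shows one point the issue report implies but does not spell out: the storefront should return the same text whether or not the login exists or is eligible, since "A new password has been created and sent to you" confirms that the account exists.

```python
# Added example (not OFBiz project code): a password-reset eligibility
# policy and request handler modelled on the proposal in OFBIZ-4361.
# The role name ALLOW_PASSWORD_RESETS, the is_system flag, the attempt
# budget and the sample accounts are assumptions for this illustration.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UserLogin:
    user_login_id: str
    party_type: str          # "Person" or "PartyGroup"
    roles: frozenset         # role type ids held by the party
    email: Optional[str]     # primary contact email, if any
    is_system: bool          # back-end/ERP login (admin, accounting, ...)


# Constructed sample directory for the example; not real OFBiz seed data.
USERS: Dict[str, UserLogin] = {
    u.user_login_id: u for u in [
        UserLogin("admin", "Person", frozenset({"FULLADMIN"}), "admin@example.com", True),
        UserLogin("accounting", "Person", frozenset({"ACCOUNTING"}), "acct@example.com", True),
        # back-end login that has explicitly opted in to email resets (assumed role)
        UserLogin("reports", "Person", frozenset({"REPORTS", "ALLOW_PASSWORD_RESETS"}),
                  "rep@example.com", True),
        # ecommerce customer created through a storefront order
        UserLogin("jane@example.com", "Person", frozenset({"CUSTOMER"}), "jane@example.com", False),
        # customer record with no email on file
        UserLogin("bob", "Person", frozenset({"CUSTOMER"}), None, False),
        # company account: customer role but not a Person
        UserLogin("acme", "PartyGroup", frozenset({"CUSTOMER"}), "ap@acme.example", False),
    ]
}


def reset_allowed(user: UserLogin, email_enabled: bool = True) -> bool:
    """Decide whether the storefront 'Forget Your Password' form may reset this login.

    Default-deny for back-end system logins, allow only ecommerce customers of
    type Person with an email on file, and honour an explicit opt-in role.
    """
    if not email_enabled or not user.email:
        return False                      # nothing to send, or nowhere to send it
    if "ALLOW_PASSWORD_RESETS" in user.roles:
        return True                       # explicit opt-in (assumed role name)
    if user.is_system:
        return False                      # admin, accounting, ... stay protected
    return user.party_type == "Person" and "CUSTOMER" in user.roles


class ResetEndpoint:
    """Request handler: constant response text plus a per-source attempt budget."""

    GENERIC = "If an account with that login exists and is eligible, an email has been sent."
    CAPTCHA = "Too many requests from this address; complete the captcha and try again."

    def __init__(self, max_free_attempts: int = 5, email_enabled: bool = True):
        self.max_free_attempts = max_free_attempts
        self.email_enabled = email_enabled
        self.attempts: Dict[str, int] = defaultdict(int)  # source address -> attempts seen
        self.sent: List[str] = []                          # logins actually emailed (audit)

    def request_reset(self, source: str, login_id: str,
                      captcha_ok: bool = False) -> Tuple[str, bool]:
        """Return (message shown to the requester, whether an email was actually sent)."""
        self.attempts[source] += 1
        if self.attempts[source] > self.max_free_attempts and not captcha_ok:
            return self.CAPTCHA, False    # blunts dictionary and enumeration attempts
        user = USERS.get(login_id)
        if user is not None and reset_allowed(user, self.email_enabled):
            self.sent.append(login_id)    # real code would issue a token and mail it here
            return self.GENERIC, True
        # unknown login, system login or ineligible customer: identical response text
        return self.GENERIC, False


if __name__ == "__main__":
    ep = ResetEndpoint(max_free_attempts=3)
    for login in ("admin", "nobody", "jane@example.com", "jane@example.com"):
        print(login, "->", ep.request_reset("10.0.0.1", login))
    print("emails actually sent:", ep.sent)
```

The requester sees GENERIC for "admin", for a non-existent login and for a real customer alike; only the second return value (used for audit logging, never shown) differs. The per-source counter is a stand-in for a captcha or rate limiter; a production version would key it on more than the source address and would still have to generate, store and expire a reset token rather than mail a new password outright.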