Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-4361

Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • Release Branch 11.04, Release Branch 13.07, Release Branch 14.12, Release Branch 15.12, Release Branch 16.11, Release Branch 17.12, Trunk
    • 18.12.01
    • framework

    • Ubuntu and others

    • Bug Crush Event - 21/2/2015

    Description

      Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another users password, including "admin" without permission. By simply entering "admin" and clicking "Email Password", the following is displayed.

      The following occurred:
      A new password has been created and sent to you. Please check your Email.

      This now forces the user of the ERP to change their password. It is also possible to generate a dictionary attack against ofbiz because there is no capta code required. This is serious security risk.

      This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a capta code to prevent dictionary attacks.

      For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.

      Attachments

        1. OFBIZ-4361.patch
          38 kB
          Gaudin Pierre
        2. OFBIZ-4361_ReworkPasswordLogic.patch
          50 kB
          Benjamin Jugl
        3. OFBIZ-4361_ReworkPasswordLogic.patch
          51 kB
          Nicolas Malin
        4. OFBIZ-4361_OneScreen.patch
          75 kB
          Nicolas Malin
        5. OFBIZ-4361_Token-Password-Registration.patch
          90 kB
          Nicolas Malin

        Issue Links

          is related to

          New Feature - A new feature of the product, which has yet to be developed. OFBIZ-4983 New feature to reclaim a user account - Using Security Questions

          • Major - Major loss of function.
          • Closed
          requires

          Improvement - An improvement or enhancement to an existing feature or task. OFBIZ-11229 Merge UrlRegexpTransform and OfbizUrlTransform classes

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              jleroux Jacques Le Roux
              mz4wheeler mz4wheeler
              Votes:
              2 Vote for this issue
              Watchers:
              14 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: