Fixed: Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password" (OFBIZ-4361)

Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another user's password, including "admin", without permission. By simply entering "admin" and clicking "Email Password", the following is displayed:

The following occurred: A new password has been created and sent to you. Please check your Email.

This now forces the user of the ERP to change their password. It is also possible to generate a dictionary attack against OFBiz because there is no captcha code required. This is a serious security risk.

I have modified the patch following comments I made in the Jira, notably:
- Removed unused Java variables
- Removed a check in LoginEvents::forgotPassword which prevented error messages from being shown
- Changed fr and en SecurityExtPasswordSentToYou + SecurityExtThisEmailIsInResponseToYourRequestToHave labels + template PasswordEmail.ftl + loginservices.token_incorrect labels
- Added fr and en SecurityExtIgnoreEmail + SecurityExtLinkOnce labels
- Removed changes in general.properties
- I did not remove the 2 GetSecurityQuestion.ftl files (the webpos one was still in)

There is still room for improvement. I'll discuss them on the Jira and dev ML. But this version is already strong enough not to wait until the patch becomes inapplicable!

Thanks: mz4wheeler (Mike Z) for the Jira, Nicolas Malin for the patch, I guess with some of Gil's help, and all others for comments and ideas

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1866478 13f79535-47bb-0310-9956-ffa450edef68
Showing with 535 additions and 443 deletions.
- +7 −25 applications/securityext/config/EmailPasswordUiLabels.xml
- +137 −199 applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
- +5 −2 applications/securityext/template/email/PasswordEmail.ftl
- +1 −1 build.gradle
- +21 −0 framework/common/config/SecurityextUiLabels.xml
- +31 −14 framework/common/src/main/java/org/apache/ofbiz/common/login/LoginServices.java
- +9 −16 framework/common/webcommon/WEB-INF/common-controller.xml
- +0 −28 framework/common/widget/CommonScreens.xml
- +4 −4 framework/security/config/security.properties
- +32 −0 framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java
- +2 −1 framework/service/servicedef/services.xml
- +4 −4 framework/service/src/main/java/org/apache/ofbiz/service/ServiceDispatcher.java
- +80 −28 framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java
- +27 −8 framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
- +1 −0 themes/common-theme/template/ChangePassword.ftl
- +73 −26 themes/common-theme/template/ForgotPassword.ftl
- +1 −1 themes/common-theme/template/Login.ftl
- +23 −55 themes/common-theme/widget/CommonScreens.xml
- +0 −2 themes/common-theme/widget/Theme.xml
- +1 −0 themes/rainbowstone/template/ChangePassword.ftl
- +75 −27 themes/rainbowstone/template/ForgotPassword.ftl
- +1 −1 themes/rainbowstone/template/Login.ftl
- +0 −1 themes/rainbowstone/widget/Theme.xml
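The two behaviours the commit message contrasts, modelled as an added example that is not OFBiz's own code and not the JWTManager changes listed above: the vulnerable version replaces the password the moment a login is named, while the fixed shape only mails a signed, expiring, single-use link and touches nothing until that link comes back. The class and function names, the 15-minute lifetime and the HMAC-signed token layout are assumptions made for this example.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # constructed server-side signing key
TOKEN_TTL = 15 * 60                # reset links expire after 15 minutes (assumed value)

def vulnerable_request_reset(users, login):
    # Behaviour the commit describes: naming any account replaces that account's
    # password at once and mails it out, so the legitimate user is locked out.
    if login in users:
        users[login]["password"] = secrets.token_urlsafe(8)
        return "A new password has been created and sent to you."
    return "User not found"        # and the differing reply confirms which logins exist

class PasswordResetFlow:
    # Fixed shape: the stored password is untouched until a signed, expiring,
    # single-use link is presented back to the server.
    def __init__(self, users, now=time.time):
        self.users, self.now = users, now
        self.used = set()          # token ids already redeemed
        self.outbox = []           # (email, token) pairs that would be mailed

    def request_reset(self, login):
        user = self.users.get(login)
        if user is not None:
            claims = {"sub": login, "exp": int(self.now()) + TOKEN_TTL,
                      "jti": secrets.token_hex(8)}
            body = json.dumps(claims).encode()
            sig = hmac.new(SECRET, body, hashlib.sha256).digest()
            token = "%s.%s" % (base64.urlsafe_b64encode(body).decode(),
                               base64.urlsafe_b64encode(sig).decode())
            self.outbox.append((user["email"], token))
        # identical answer for known and unknown logins: no enumeration oracle
        return "If the account exists, an email has been sent."

    def complete_reset(self, token, new_password):
        try:
            b64body, b64sig = token.split(".")
            body, sig = (base64.urlsafe_b64decode(s) for s in (b64body, b64sig))
        except ValueError:
            return False
        if not hmac.compare_digest(sig, hmac.new(SECRET, body, hashlib.sha256).digest()):
            return False           # forged or tampered link
        claims = json.loads(body)
        if (claims["exp"] < self.now() or claims["jti"] in self.used
                or claims["sub"] not in self.users):
            return False           # expired, already redeemed, or unknown account
        self.used.add(claims["jti"])   # burn the link before changing anything
        self.users[claims["sub"]]["password"] = new_password
        return True
```

The captcha the commit message asks for is not modelled here; the example only covers the token and single-use parts of the fix.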