Admin - "Forgot Your Password" should not work


#1

In the login UI, it is possible to enter into a “forget your password” for the “admin” user. It seems to work (or do something), but if you don’t have an email address associated with ‘admin’, and if you don’t have email notifications set up, you will never know what the new password is. Essentially, you are locked out. Maybe there is a config (that I don’t know about).

Also, on Firefox, under “Forget your password”, the screen renders improperly.


#2

The “admin” user is somewhat special as it is meant to be reserved for system administrators only. So it is difficult for him to “retrieve” the password. Obviously, you wouldn’t want to send it to him, nor display it inside the browser for all to see. So the only thing one can do is reset the password from command-line. You can either:

  1. create a new user account and use that one to reset the original

    ant create-admin-user-login

  2. Reset the original password

    ant load-admin-user-login -DuserLoginId=admin

Authenticate with username “admin”, password “scipio”. After a restart, you will be prompted with a screen that lets you reset the password directly.

I will take a look at firefox - thanks for bringing this up.


#3

Yes, I performed the create-admin-user-login to get back in. My point is that shouldn’t be allowed at all, or at least make it configurable.


#4

ok, but how would you propose to make it “configurable”. Configurable not to retrieve a password from command-line also seems like a red flag, since there must be a way to retrieve it. Or do you mean to not present the option for those users, who do not have an email address setup in general?


#5

I’m referring to the website (admin) login, not the command line. Anybody in the world can lock you out if you are dumb enough to expose the admin UI.


#6

Hi Mike,

What you mean is for the admin user to disable password recovery feature, is that correct? If that is the case, I don’t think admin users created from seed/demo data include an email so we could restrict the feature to do nothing if an email is not set (probably done already). However, I suppose if it is set then you will get a new password to the email address under your control for that admin user, which could be really annoying if someone finds out and exploits it a lot, I agree.
I think the smartest way to prevent this is to block any access to backend webapps from the outside. These situations rely more on how the overall infrastructure where Scipio is has been designed rather than how Scipio is implemented in that regard, I believe.


#7

I looked a little into this.
I think nobody does “show password hint” anymore… So I think this should be completely disabled, or maybe configurable in security.properties. The related java seems to be applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java and I don’t see anything in the code that references security.properties to control what users are exempt or any controls at all for “forget password”. So I think this is an area that could be improved.

Yes, the default email for admin is ofbiztest@example.com, and by default, email notifications are disabled, so changing the password to admin without any of these being set is trouble, or annoying.

Also: There is a real domain called “example.com”.

$ host example.com
example.com has address 93.184.216.34
example.com has IPv6 address 2606:2800:220:1:248:1893:25c8:1946


Just for the heck of it I checked if it has an MX record…
$ host -t mx example.com
example.com has no MX record

It does not. I also checked if port 25 is open… It is not.

$ telnet 93.184.216.34 25
Trying 93.184.216.34…
^C

However, if port 25 WAS open, and there was a user called “ofbiztest”, the “admin” account password would have been emailed to them.

I think you see where this is going…
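As an added illustration of the gate that #6 and #7 are asking for (this is a stand-alone sketch, not Scipio or OFBiz code and not from LoginEvents.java), the checks below refuse an email reset for reserved logins, for accounts with no usable address, and when mail is not configured, while returning the same message in every case. The `Config` fields are invented stand-ins for keys one might add to security.properties.

```java
import java.util.Locale;
import java.util.Set;

// Hypothetical stand-alone sketch, not Scipio/OFBiz code: the gate a "forgot password"
// event handler could apply before mailing anything. Config field names are invented
// stand-ins for keys one might add to security.properties.
public class ForgotPasswordGate {

    public static final class Config {
        final boolean resetEnabled;          // feature switch for the whole flow
        final boolean mailConfigured;        // are email notifications actually set up?
        final Set<String> reservedLogins;    // logins only resettable from the command line
        Config(boolean resetEnabled, boolean mailConfigured, Set<String> reservedLogins) {
            this.resetEnabled = resetEnabled;
            this.mailConfigured = mailConfigured;
            this.reservedLogins = reservedLogins;
        }
    }

    public enum Decision { SEND_RESET, REFUSE }

    // RFC 2606 reserved names: mail to these goes nowhere useful, or to a third party.
    private static final Set<String> PLACEHOLDER_DOMAINS =
            Set.of("example.com", "example.net", "example.org");

    /** userEmail may be null when no address is stored for the login. */
    public static Decision decide(Config cfg, String userLoginId, String userEmail, boolean accountEnabled) {
        if (!cfg.resetEnabled || !cfg.mailConfigured || !accountEnabled) return Decision.REFUSE;
        if (userLoginId == null || cfg.reservedLogins.contains(userLoginId.toLowerCase(Locale.ROOT))) return Decision.REFUSE;
        if (userEmail == null) return Decision.REFUSE;
        int at = userEmail.indexOf('@');
        if (at < 1 || at == userEmail.length() - 1) return Decision.REFUSE;   // no local part or no domain
        String domain = userEmail.substring(at + 1).toLowerCase(Locale.ROOT);
        if (PLACEHOLDER_DOMAINS.contains(domain)) return Decision.REFUSE;   // seed data like ofbiztest@example.com
        return Decision.SEND_RESET;
    }

    /** Same text whichever branch fired, so the page cannot be used to probe which logins exist. */
    public static String userMessage() {
        return "If an account with that login exists and can be reset by email, instructions have been sent.";
    }

    public static void main(String[] args) {
        Config cfg = new Config(true, true, Set.of("admin", "system"));   // constructed sample config
        System.out.println("admin, seed email: " + decide(cfg, "admin", "ofbiztest@example.com", true));
        System.out.println("regular user:      " + decide(cfg, "alice", "alice@shop.invalid", true));
        System.out.println("no email on file:  " + decide(cfg, "bob", null, true));
        System.out.println(userMessage());
    }
}
```

The reserved-login rule keeps “admin” on the command-line path (`ant load-admin-user-login`) that #2 describes, and the placeholder-domain rule covers the seed address #7 traced to a real, third-party domain.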


#8

I tried to recreate the broken screen you mentioned and retested the screen in firefox. I wasn’t able to reproduce, as seen on the screenshot attached.

My best guess is that your firefox version must differ from mine. Can you specify which one you are using?


#9

Mine NOW looks like yours, since I switched to “master”. Must have been another 1.14 issue, now fixed.