J2EE Misconfiguration: Plaintext Password in Configuration File
Weakness ID: 555 (Weakness Variant) | Status: Draft
Description Summary
The J2EE application stores a plaintext password in a configuration file.
Extended Description
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making that resource an easy target for attackers.
Example 1
Below is a snippet from a Java properties file in which the LDAP server password is stored in plaintext.
(Bad Code)
Example Language: Java
```properties
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
```
Potential Mitigations
Do not hardwire passwords into your software.
Good password management guidelines require that a password never be stored in plaintext.
Use industry standard libraries to encrypt passwords before storage in configuration files.
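The mitigations above rule out plaintext passwords in properties files; as a check a reviewer can run over such a file, here is an added example (not from the CWE entry) that parses Java .properties content and flags credential-looking keys whose value is plaintext. It assumes that a Jasypt-style ENC(...) wrapper and a ${VAR} placeholder mark values that are not plaintext, and the sample file content is constructed.

```python
import re

# Constructed sample .properties content modelled on the CWE example above.
SAMPLE_PROPERTIES = """\
# LDAP settings for the web application
webapp.ldap.url=ldap://directory.example.test:389
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
# Value wrapped in a Jasypt-style ENC() marker: ciphertext, not plaintext
db.password=ENC(Q29uc3RydWN0ZWRDaXBoZXJ0ZXh0)
# Placeholder resolved from the environment at runtime, nothing stored here
mq.password=${MQ_PASSWORD}
# Trailing backslash continues the value on the next line
smtp.passwd=abc\\
def
"""

# Keys that usually hold a credential, and value shapes treated as non-plaintext (assumption).
CREDENTIAL_KEY = re.compile(r"(password|passwd|pwd|secret|apikey|api_key)$", re.I)
NON_PLAINTEXT = re.compile(r"^(ENC\(.*\)|\$\{[^}]+\})$")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=', ':' or whitespace
    separators, backslash continuations, no escape decoding. Returns (line_no, key, value)."""
    entries = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line_no = i + 1
        raw = lines[i].strip()
        while raw.endswith("\\") and i + 1 < len(lines):  # join continuation lines
            i += 1
            raw = raw[:-1] + lines[i].strip()
        i += 1
        if not raw or raw[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", raw)
        if m:
            entries.append((line_no, m.group(1), m.group(2)))
    return entries


def find_plaintext_passwords(text):
    """Return [(line_no, key)] for credential keys whose value is stored in plaintext."""
    findings = []
    for line_no, key, value in parse_properties(text):
        if CREDENTIAL_KEY.search(key) and value and not NON_PLAINTEXT.match(value):
            findings.append((line_no, key))
    return findings
```

Running `find_plaintext_passwords(SAMPLE_PROPERTIES)` reports the LDAP password on line 4 and the continued `smtp.passwd` value on line 10, while the ENC() and ${...} entries pass.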
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 4 | J2EE Environment Issues | Development Concepts (primary) 699
ChildOf | Weakness Base | 522 | Insufficiently Protected Credentials | Research Concepts (primary) 1000
Submissions
Submission Date | Submitter | Organization | Source
---|---|---|---
 | Anonymous Tool Vendor (under NDA) | | Externally Mined

Modifications
Modification Date | Modifier | Organization | Source | Comment
---|---|---|---|---
2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples
2008-07-01 | Eric Dalci | Cigital | External | updated Potential Mitigations, Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Description, Relationships, Taxonomy Mappings

Previous Entry Names
Change Date | Previous Entry Name
---|---
2008-04-11 | J2EE Misconfiguration: Password in Configuration File