ASP.NET Misconfiguration: Password in Configuration File
Weakness ID: 13 (Weakness Variant) | Status: Draft
Description Summary
Storing a plaintext password in a configuration file gives anyone who can read the file access to the password-protected resource, making that resource an easy target for attackers.
Example 1
The following connectionString has clear-text credentials.
(Bad Code) Example Language: XML

```xml
<connectionStrings>
  <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;"
       providerName="System.Data.Odbc" />
</connectionStrings>
```
Good password management guidelines require that a password never be stored in plaintext.
Phase: Implementation. Credentials stored in configuration files should be encrypted.
Phase: Implementation. Use standard APIs and industry-accepted algorithms to encrypt the credentials stored in configuration files.
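The following is an added example, not code from the CWE entry: a small Python scanner that parses a web.config, splits each connectionString into key/value pairs and reports entries carrying a non-empty pwd/password value in the clear, while skipping a section that already carries a configProtectionProvider attribute (the form the protected-configuration feature in the Microsoft references produces). Both sample configurations are constructed, and the ciphertext is a placeholder.

```python
import xml.etree.ElementTree as ET

# Connection-string keys that carry a secret (ODBC and SqlClient spellings).
SECRET_KEYS = ("pwd", "password")

def parse_connection_string(value):
    """Split 'k=v; k2=v2' into a dict keyed by lower-cased key name."""
    pairs = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs

def find_plaintext_credentials(config_xml):
    """Return [(name, key), ...] for every <add> in an unprotected
    <connectionStrings> section whose connection string carries a
    non-empty password in the clear. A protected section carries a
    configProtectionProvider attribute and only ciphertext, so it
    contains no <add> elements and yields no findings."""
    findings = []
    for section in ET.fromstring(config_xml).iter("connectionStrings"):
        if section.get("configProtectionProvider"):
            continue  # contents are ciphertext, nothing to inspect
        for add in section.findall("add"):
            pairs = parse_connection_string(add.get("connectionString", ""))
            for key in SECRET_KEYS:
                if pairs.get(key):
                    findings.append((add.get("name"), key))
    return findings

# Constructed sample: the page's bad section plus a Windows-auth entry (no password).
PLAINTEXT_CONFIG = """<configuration><connectionStrings>
  <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;"
       providerName="System.Data.Odbc" />
  <add name="hr" connectionString="Server=hr-db; Integrated Security=SSPI;"
       providerName="System.Data.SqlClient" />
</connectionStrings></configuration>"""

# Constructed sample: the same section after DPAPI protection (placeholder ciphertext).
PROTECTED_CONFIG = """<configuration>
<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData><CipherData>
    <CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue>
  </CipherData></EncryptedData>
</connectionStrings></configuration>"""

if __name__ == "__main__":
    for label, cfg in (("plaintext", PLAINTEXT_CONFIG), ("protected", PROTECTED_CONFIG)):
        print(label, find_plaintext_credentials(cfg))
```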
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 2 | Environment | Seven Pernicious Kingdoms (primary) 700
ChildOf | Category | 10 | ASP.NET Environment Issues | Development Concepts (primary) 699
ChildOf | Weakness Variant | 260 | Password in Configuration File | Research Concepts (primary) 1000
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
7 Pernicious Kingdoms | | | ASP.NET Misconfiguration: Password in Configuration File
References
Microsoft Corporation. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI". <http://msdn.microsoft.com/en-us/library/ms998280.aspx>.
Microsoft Corporation. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA". <http://msdn.microsoft.com/en-us/library/ms998283.aspx>.
Microsoft Corporation. ".NET Framework Developer's Guide - Securing Connection Strings". <http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx>.
Submissions

Submission Date | Submitter | Organization | Source
---|---|---|---
 | 7 Pernicious Kingdoms | | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source | Changes
---|---|---|---|---
2008-07-01 | Eric Dalci | Cigital | External | updated References, Demonstrative Example, Potential Mitigations, Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, References, Taxonomy Mappings
2009-07-27 | CWE Content Team | MITRE | Internal | updated Demonstrative Examples