Password in Configuration File
Weakness ID: 260 (Weakness Variant) | Status: Incomplete
Description Summary
The software stores a password in a configuration file that might be accessible to actors who do not know the password.
Extended Description
This can result in compromise of the system for which the password is used. An attacker who gains access to this file can learn the stored password or, worse yet, change it to one of their choosing.
Example 1
Below is a snippet from a Java properties file in which the LDAP server password is stored in plaintext.
(Bad Code)
Example Language: Java
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
Avoid storing passwords in easily accessible locations.
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
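The following Java program is an added example, not code from the CWE entry or from the book it cites. It shows two things a practitioner typically wants around this weakness: a small check that flags credential-looking keys with literal values in a properties file (suitable for a CI or pre-commit gate), and a hardened lookup in which the file only names an environment variable and the secret itself never touches the configuration file. The `webapp.ldap.password.env` key, the `WEBAPP_LDAP_PASSWORD` variable name and the sample values are assumptions constructed for this example; the bad configuration is the page's Example 1.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;

public class ConfigSecretCheck {

    // Constructed sample: the plaintext pattern from Example 1 on this page.
    static final String BAD_CONFIG =
            "webapp.ldap.username=secretUsername\n" +
            "webapp.ldap.password=secretPassword\n";

    // Constructed sample: the same settings with the secret moved out of the file.
    // The "<key>.env" naming convention is an assumption made for this example.
    static final String HARDENED_CONFIG =
            "webapp.ldap.username=secretUsername\n" +
            "webapp.ldap.password.env=WEBAPP_LDAP_PASSWORD\n";

    static Properties parse(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    /**
     * Flags keys that look like credentials and carry a non-empty literal value.
     * Run this over every *.properties file before it is committed or deployed.
     */
    static List<String> findPlaintextSecrets(Properties props) {
        List<String> hits = new ArrayList<>();
        for (String key : props.stringPropertyNames()) {
            String k = key.toLowerCase(Locale.ROOT);
            boolean credentialKey = k.endsWith("password")
                    || k.endsWith("passwd")
                    || k.endsWith("secret");
            if (credentialKey && !props.getProperty(key).trim().isEmpty()) {
                hits.add(key);
            }
        }
        return hits;
    }

    /**
     * Hardened lookup: the configuration file names the environment variable,
     * and the process environment supplies the value. A literal password in the
     * file is treated as a configuration error rather than silently accepted.
     */
    static String resolveLdapPassword(Properties props, Map<String, String> env) {
        if (props.getProperty("webapp.ldap.password") != null) {
            throw new IllegalStateException(
                    "webapp.ldap.password must not be set in the configuration file (CWE-260)");
        }
        String envName = props.getProperty("webapp.ldap.password.env");
        if (envName == null) {
            throw new IllegalStateException("webapp.ldap.password.env is required");
        }
        String value = env.get(envName);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("environment variable " + envName + " is not set");
        }
        return value;
    }

    public static void main(String[] args) throws IOException {
        Properties bad = parse(BAD_CONFIG);
        System.out.println("plaintext secrets in bad config: " + findPlaintextSecrets(bad));

        Properties hardened = parse(HARDENED_CONFIG);
        System.out.println("plaintext secrets in hardened config: " + findPlaintextSecrets(hardened));

        // Map.of(...) stands in for System.getenv() so the demo runs without
        // touching the real process environment; the value is constructed.
        String pw = resolveLdapPassword(hardened,
                Map.of("WEBAPP_LDAP_PASSWORD", "constructed-demo-value"));
        System.out.println("password resolved from environment, length " + pw.length());
    }
}
```

In production the `env` argument would be `System.getenv()`, and the environment variable would be populated by the deployment platform's secret store rather than by a shell profile, so that the secret is visible only to the process that needs it. The check deliberately keys on the property name rather than on the value, since a real password is not distinguishable from any other string.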
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Category | 254 | Security Features | Development Concepts (699); Seven Pernicious Kingdoms (primary) (700)
ChildOf | Weakness Base | 522 | Insufficiently Protected Credentials | Development Concepts (primary) (699); Research Concepts (primary) (1000)
ChildOf | Category | 632 | Weaknesses that Affect Files or Directories | Resource-specific Weaknesses (primary) (631)
ParentOf | Weakness Variant | 13 | ASP.NET Misconfiguration: Password in Configuration File | Research Concepts (primary) (1000)
ParentOf | Weakness Variant | 258 | Empty Password in Configuration File | Development Concepts (primary) (699); Research Concepts (primary) (1000)
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
7 Pernicious Kingdoms | | | Password Management: Password in Configuration File

J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security Problems the Right Way". 2002.
Submissions

Submission Date | Submitter | Organization | Source
---|---|---|---
| 7 Pernicious Kingdoms | | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source | Change
---|---|---|---|---
2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy Mappings
2008-10-14 | CWE Content Team | MITRE | Internal | updated Description