CWE - CWE-13: ASP.NET Misconfiguration: Password in Configuration File (2.2)

Home > CWE List > CWE- Individual Dictionary Definition (2.2)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
SwA On-Ramp
T-Shirt
Discussion List
Discussion Archives

Scoring
CWSS
CWRAF
CWE/SANS Top 25

Compatibility
Requirements
Coverage Claims Representation
Compatible Products
Make a Declaration

News
Calendar
Free Newsletter

Contact Us
Search the Site

CWE-13: ASP.NET Misconfiguration: Password in Configuration File

ASP.NET Misconfiguration: Password in Configuration File

Weakness ID: 13 (Weakness Variant)

Status: Draft

Description

Description Summary

Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.

Time of Introduction

Architecture and Design
Implementation

Common Consequences

Scope	Effect
Access Control	Technical Impact: Gain privileges / assume identity

Demonstrative Examples

Example 1

The following connectionString has clear text credentials.

(Bad Code)

Example Language: XML

<add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;"

providerName="System.Data.Odbc" />

</connectionStrings>

Potential Mitigations

Good password management guidelines require that a password never be stored in plaintext.

Phase: Implementation

credentials stored in configuration files should be encrypted.

Phase: Implementation

Use standard APIs and industry accepted algorithms to encrypt the credentials stored in configuration files.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	2	Environment	Seven Pernicious Kingdoms (primary)700
ChildOf	Category	10	ASP.NET Environment Issues	Development Concepts (primary)699
ChildOf	Weakness Variant	260	Password in Configuration File	Research Concepts (primary)1000
ChildOf	Category	895	SFP Cluster: Information Leak	Software Fault Pattern (SFP) Clusters (primary)888

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
7 Pernicious Kingdoms			ASP.NET Misconfiguration: Password in Configuration File

References

Microsoft Corporation. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI". <http://msdn.microsoft.com/en-us/library/ms998280.aspx>.

Microsoft Corporation. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA". <http://msdn.microsoft.com/en-us/library/ms998283.aspx>.

Microsoft Corporation. ".NET Framework Developer's Guide - Securing Connection Strings". <http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx>.

Content History

Submissions
Submission Date	Submitter	Organization	Source
	7 Pernicious Kingdoms		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, References, Taxonomy_Mappings
2009-07-27	CWE Content Team	MITRE	Internal
2009-07-27	updated Demonstrative_Examples
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences
2012-05-11	CWE Content Team	MITRE	Internal
2012-05-11	updated Relationships

Page Last Updated: May 14, 2012


	CWE is co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2012, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us